All;
I opened up bug 50332 to attach/document these patches. The patch
causes mod_ssl to create a note on the conn_req which is checked by
mod_proxy_http when it attempts to pass the request. The intent is for
mod_proxy_http to realize that an SSL handshake error has occurred and
mark the worker out of service.
This is a huge step forward in that mod_proxy will not be oblivious
to the failed SSL connection and can take a worker out of service,
however... it's not all roses. I don't know what it would take (or if
it's even possible since mod_ssl and mod_proxy run in very separate
filters), but it would be really great if mod_proxy in general were
aware of handshake failures before it ever attempts to submit a request
to the backend. I would envision this enlightenment to come at "/* Step
Two: Make the Connection */" in modules/proxy/mod_proxy_http.c.
Thoughts?
If the great minds of this mail list deem these patches acceptable, here
is the proposed patch to 2.2 STATUS:
Index: httpd-2.2.x/STATUS
===================================================================
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14 @@
enabling/disabling the basic capability is not split out into
mod_unixd 2.2.x.
+1: trawick
+ * mod_proxy_http: Become aware of ssl handshake failures when attempting
+ to pass request. Makes it so workers are put in error state when a
+ handshake failure is encountered.
+ PR50332
+ Trunk patch:
https://issues.apache.org/bugzilla/attachment.cgi?id=26339
+ 2.2.x patch:
https://issues.apache.org/bugzilla/attachment.cgi?id=26338
+ druggeri: Need doc update?
+
PATCHES/ISSUES THAT ARE STALLED
* core: Support wildcards in both the directory and file components of
A tag in CHANGES would be appreciated:
*) Proxy: Detect SSL handshake failures during proxy pass attempts
and place backend in error state. PR 50332. [Daniel Ruggeri <DRuggeri
primary.net>]
--
--
Daniel Ruggeri
Index: httpd-trunk/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-trunk/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-trunk/modules/proxy/mod_proxy_http.c (working copy)
@@ -1468,6 +1468,10 @@
return ap_proxyerror(r, HTTP_SERVICE_UNAVAILABLE, "Timeout
on 100-Continue");
}
}
+ else if(strcmp(apr_table_get(backend->connection->notes,
"SSL_connect_rv"), "err") == 0) {
+ backend->worker->s->status |= PROXY_WORKER_IN_ERROR;
+ backend->worker->s->error_time = apr_time_now();
+ }
/*
* If we are a reverse proxy request shutdown the connection
* WITHOUT ANY response to trigger a retry by the client
Index: httpd-trunk/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-trunk/modules/ssl/ssl_engine_io.c (working copy)
@@ -1091,6 +1091,7 @@
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return MODSSL_ERROR_BAD_GATEWAY;
}
@@ -1108,6 +1109,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
@@ -1127,10 +1129,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}
Index: httpd-2.2.x/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-2.2.x/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-2.2.x/modules/proxy/mod_proxy_http.c (working copy)
@@ -272,6 +272,10 @@
"proxy: pass request body failed to %pI (%s)",
conn->addr, conn->hostname);
if (origin->aborted) {
+ if(strcmp(apr_table_get(origin->notes, "SSL_connect_rv"), "err")
== 0){
+ conn->worker->s->status |= PROXY_WORKER_IN_ERROR;
+ conn->worker->s->error_time = apr_time_now();
+ }
return APR_STATUS_IS_TIMEUP(status) ? HTTP_GATEWAY_TIME_OUT :
HTTP_BAD_GATEWAY;
}
else {
Index: httpd-2.2.x/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-2.2.x/modules/ssl/ssl_engine_io.c (working copy)
@@ -1065,6 +1065,7 @@
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
@@ -1082,6 +1083,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
@@ -1101,10 +1103,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}
