Hence you should return a 500 as this signals the mod_proxy code that the
backend is broken and should be put in error state.
A 502 does not put the backend in error state (as you found out).
Regards
Rüdiger
I didn't realize this was the case - marking it in error inside
ap_proxy_http_process_response would definitely be redundant! Thank you
very much for catching it (and explaining this to me). I have updated
the patches and bug report and attached the updates for reference.
--
Daniel Ruggeri
Index: httpd-2.2.x/STATUS
===================================================================
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14 @@
enabling/disabling the basic capability is not split out into mod_unixd
2.2.x.
+1: trawick
+ * mod_proxy_http: Become aware of ssl handshake failures when attempting
+ to pass request. Makes it so workers are put in error state when a
+ handshake failure is encountered.
+ PR50332
+ Trunk patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26346
+ 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26345
+ druggeri: Need doc update?
+
PATCHES/ISSUES THAT ARE STALLED
* core: Support wildcards in both the directory and file components of
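Review bot: the entry leaves "druggeri: Need doc update?" as an open question inside the STATUS text; since the patch changes the status mod_proxy_http returns on a backend handshake failure from 502 to 500 (which is what puts the worker in error state), settle it before the vote, for example with a CHANGES line stating the new response code, and drop the question from the entry.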
Index: httpd-2.2.x/STATUS
===================================================================
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14 @@
enabling/disabling the basic capability is not split out into mod_unixd
2.2.x.
+1: trawick
+ * mod_proxy_http: Become aware of ssl handshake failures when attempting
+ to pass request. Makes it so workers are put in error state when a
+ handshake failure is encountered.
+ PR50332
+ Trunk patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26339
+ 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26338
+ druggeri: Need doc update?
+
PATCHES/ISSUES THAT ARE STALLED
* core: Support wildcards in both the directory and file components of
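Review bot: this entry duplicates the one above except for the attachment ids (26339/26338 here versus 26346/26345 above); only one STATUS entry should be committed, and it should point at the current attachments, so drop the stale copy.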
Index: httpd-2.2.x/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-2.2.x/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-2.2.x/modules/proxy/mod_proxy_http.c (working copy)
@@ -272,6 +272,12 @@
"proxy: pass request body failed to %pI (%s)",
conn->addr, conn->hostname);
if (origin->aborted) {
+ if(strcmp(apr_table_get(origin->notes, "SSL_connect_rv"), "err")
== 0){
+ return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+ "Error during SSL Handshake with remote
server");
+ }
return APR_STATUS_IS_TIMEUP(status) ? HTTP_GATEWAY_TIME_OUT :
HTTP_BAD_GATEWAY;
}
else {
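Review bot: apr_table_get(origin->notes, "SSL_connect_rv") returns NULL whenever the note was never set (a plain http backend, mod_ssl not loaded, or an abort that happened before the handshake code ran), and strcmp(NULL, "err") will crash the child. Fetch the value first and test it, e.g. `const char *rv = apr_table_get(origin->notes, "SSL_connect_rv");` followed by `if (rv && strcmp(rv, "err") == 0) {`. Also add the space after `if` to match the surrounding style.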
Index: httpd-2.2.x/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-2.2.x/modules/ssl/ssl_engine_io.c (working copy)
@@ -1065,6 +1065,7 @@
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
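Review bot: the note key "SSL_connect_rv" and its values "err" and "ok" are string literals repeated across ssl_engine_io.c and mod_proxy_http.c, so a typo on either side silently disables the check. Define them once in a shared header (mod_ssl.h, say) and use the macro in both modules.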
@@ -1082,6 +1083,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
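Review bot: this is the second of three identical error exits in this function (shutdown, set the note, return HTTP_BAD_GATEWAY); folding them into one error path would keep a future exit from forgetting to set the note.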
@@ -1101,10 +1103,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}
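Review bot: "ok" is written only at the final return, so any return from this function outside the three hunks above leaves the note unset, and because c->notes lives on the conn_rec a reused backend connection may still carry the value from an earlier handshake. The consumer in mod_proxy_http.c must therefore treat a missing note as "not an SSL handshake failure" rather than assume it is always present.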
Index: httpd-trunk/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-trunk/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-trunk/modules/proxy/mod_proxy_http.c (working copy)
@@ -1468,6 +1468,12 @@
return ap_proxyerror(r, HTTP_SERVICE_UNAVAILABLE, "Timeout
on 100-Continue");
}
}
+ else if(strcmp(apr_table_get(backend->connection->notes,
"SSL_connect_rv"), "err") == 0) {
+ return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+ "Error during SSL Handshake with remote
server");
+ }
/*
* If we are a reverse proxy request shutdown the connection
* WITHOUT ANY response to trigger a retry by the client
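Review bot: same NULL-dereference risk as in the 2.2.x hunk: apr_table_get(backend->connection->notes, "SSL_connect_rv") is NULL for backends where the note was never set, so guard it before the strcmp. The new `else if` also chains onto the `if` whose closing brace is the line just above it and whose condition is outside this hunk; confirm the handshake check is meant to run only when that branch was not taken.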
Index: httpd-trunk/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-trunk/modules/ssl/ssl_engine_io.c (working copy)
@@ -1091,6 +1091,7 @@
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return MODSSL_ERROR_BAD_GATEWAY;
}
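Review bot: this exit returns MODSSL_ERROR_BAD_GATEWAY while the two later exits in this file return HTTP_BAD_GATEWAY; not introduced by this patch, but since all three now set the same "err" note it is worth confirming the caller treats both constants identically.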
@@ -1108,6 +1109,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
@@ -1127,10 +1129,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}