On Sat, Mar 12, 2016 at 4:46 PM, Graham Leggett <[email protected]> wrote:
>
> The following patch provides support for TCP proxying to httpd.
>
> It consists of the following three parts:
>
> - mod_tcp: Allows the frontend to receive pure TCP connections

It looks like this module is only needed to remove HTTP filters from the chain.
Is the goal to have this core module instead of mod_http and make the latter dynamic?

> - mod_proxy_tcp: Allows the proxy to make pure tcp or tls connections to a
> backend

Thanks, this will be very useful.

> - mod_ssl_tcp: Allows the proxy to route incoming connections based on the
> SNI header (tlsext)

Hmm, isn't mod_ssl (underlying-)protocol agnostic?
Why couldn't it be used as-is (or adapted), and avoid code duplication?

>
> In the following example config, incoming TCP connections are routed based on
> their SNI (the tlsext protocol) to given backend servers, which then complete
> the SSL connections as raw tunnels.
>
> This allows you to use client certificates through the httpd proxy balancer
> all the way to the backend server without the proxy terminating any SSL along
> the way.
>
> <VirtualHost localhost:9000>
> Protocol tlsext

Maybe "tcps"?
I agree that SNI extension is needed, but "tlsext" looks confusing.

I'll look at the patch in more detail, I may have missed things...

Regards,
Yann.
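
The SNI-based routing discussed in this message depends on reading the server_name extension from the client's first TLS record without terminating TLS. The following is an added illustration, not code from the patch or from httpd: a bounds-checked extractor in C, where the function name `sni_from_client_hello` and the sample bytes are constructed for this example and a ClientHello contained in a single, fully buffered record is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample (not captured traffic): one TLS record holding a
 * ClientHello whose only extension is server_name = "a.example". */
static const uint8_t sample_hello[] = {
    0x16, 0x03, 0x01, 0x00, 0x41,        /* record: handshake, 65 bytes */
    0x01, 0x00, 0x00, 0x3d,              /* ClientHello, 61 bytes */
    0x03, 0x03,                          /* client_version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00, /* no session_id, 1 suite, null compression */
    0x00, 0x12, 0x00, 0x00, 0x00, 0x0e,  /* extensions 18 bytes; server_name, 14 bytes */
    0x00, 0x0c, 0x00, 0x00, 0x09,        /* list 12 bytes; host_name, 9 bytes */
    'a', '.', 'e', 'x', 'a', 'm', 'p', 'l', 'e'
};

#define RD16(x) (((size_t)(x)[0] << 8) | (x)[1])

/* Hypothetical helper: copy the first SNI host name into out and return its
 * length, or -1 if it is absent, malformed, or the hello spans several records. */
int sni_from_client_hello(const uint8_t *b, size_t n, char *out, size_t outsz)
{
    size_t p = 43, end, len, nl;  /* 43 = record hdr 5 + handshake hdr 4 + version 2 + random 32 */
    if (n < 9 || b[0] != 0x16 || b[5] != 0x01) return -1;
    end = 9 + (((size_t)b[6] << 16) | RD16(b + 7));   /* end of ClientHello body */
    if (end > n || end > 5 + RD16(b + 3)) return -1;
    if (p + 1 > end) return -1;
    p += 1 + b[p];                                    /* session_id */
    if (p + 2 > end) return -1;
    p += 2 + RD16(b + p);                             /* cipher_suites */
    if (p + 1 > end) return -1;
    p += 1 + b[p];                                    /* compression_methods */
    if (p + 2 > end || p + 2 + RD16(b + p) > end) return -1;
    end = p + 2 + RD16(b + p);                        /* end of extensions */
    for (p += 2; p + 4 <= end; p += 4 + len) {
        const uint8_t *d = b + p + 4;                 /* extension_data */
        len = RD16(b + p + 2);
        if (p + 4 + len > end) return -1;
        if (RD16(b + p) != 0) continue;               /* not server_name (type 0) */
        if (len < 5 || d[2] != 0) return -1;          /* first entry must be host_name */
        nl = RD16(d + 3);
        if (nl == 0 || nl + 5 > len || nl >= outsz || memchr(d + 5, 0, nl)) return -1;
        memcpy(out, d + 5, nl);
        out[nl] = '\0';
        return (int)nl;
    }
    return -1;
}
```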
