Graham, thanks for the reply. See comments below.

Jeffrey Burgoyne
Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Wed, 13 Oct 2004, Graham Leggett wrote:

> Jeffrey Burgoyne wrote:
>
> > 1) SSL proxying. Due to security policies, we have a number of back end
> > app servers that require SSL from the client to the server. Therefore SSL
> > based proxying is a requirement. I have never seen a definitive statement
> > as to whether SSL proxying is supported, but I've seen indications it is
> > not, and confirmed in my tests that it did not work. Are there any plans to
> > implement this feature?
>
> If it doesn't work now, it is definitely desirable to make it work.
>
> The v2.0 mod_proxy talks to the backend servers using the standard
> filter stack, so making it talk SSL to the backend should be as
> straightforward as adding the right filters to the stack at the right
> time under the right circumstances.
>
> If you're willing to submit code for this, I will definitely support
> getting this into v2.0 (not only v2.2).

I may try to do this, but unfortunately due to time constraints I cannot
commit to working on this as a priority. From your explanation it does look
easier than I would have imagined, so I will try to take a cursory look.

>
> > 2) Timeout Directive. I tried using this with the test suite that I used
> > for my mod_proxy changes, and did not get the intended results. For
> > example, I wrote a cgi that waits 30 seconds before passing back a
> > response, and set the timeout to 10 seconds. On my version the proxy would
> > give up after 10 seconds of no data transfer. This did not happen with the
> > 2.X timeout. Can someone give a better explanation of what this timeout
> > handles and whether I possibly made a configuration mistake.
>
> As I recall, the timeout directive handles the timeout after a
> connection has been established - this definitely would need to be
> looked at if it's not working properly.

Perhaps I configured it wrong.
I have:

    ProxyPass /cgi-bin/ http://strategis.ic.gc.ca/cgi-bin/
    ProxyTimeout 10

When accessing /cgi-bin/timeoutin35seconds.cgi I immediately get the
connection as expected. The CGI though will not do anything for 35 seconds
before sending back an HTML page. This did not time out. Was I missing
something?

>
> > 3) Monitoring. My proxy changes wrote out a customized log entry upon
> > failure. I then wrote a program which analyzed this log in real time and
> > sent out warnings on configurable intervals when configurable thresholds
> > were breached. Assuming I can get 1 and 2 sorted out, I'd be willing to
> > work on this third item as an enhancement to mod_proxy.
>
> This is also something really useful - please submit the patch :)
>

I looked at this and will pretty much have to start from scratch. The way I
did the proxy timeout in 1.3.26 is too different to make my change work. I
did it by creating my own timeout function which took the seconds for a
timeout followed by the URL being accessed. I then stored the back end
server socket in a global and used the callback and alarm.
Something like this:

(In http_main.c)

    /* Alarm callback: drop the back-end connection, then run the
     * stock timeout handler. */
    static void proxy_timeout(int sig)
    {
        strat_cancel_proxy_connection((request_rec *) timeout_req);
        timeout(sig);
    }

    API_EXPORT(void) ap_config_timeout(int timeout_period, char *name,
                                       request_rec *r)
    {
    #ifdef NETWARE
        get_tsd
    #endif
        timeout_req = r;
        timeout_name = name;
        /* No period given: fall back to the server's configured timeout. */
        if (timeout_period < 1) {
            timeout_period = r->server->timeout;
        }
        ap_set_callback_and_alarm(proxy_timeout, timeout_period);
    }

And in mod_proxy.c

    void strat_cancel_proxy_connection(request_rec *the_request)
    {
        extern int proxy_server_socket;

        /* Write the failure log entry that the monitoring program reads. */
        strat_log_proxy_failure(the_request->unparsed_uri);
        if (proxy_server_socket != 0) {
            close(proxy_server_socket);
        }
        the_request->status = HTTP_BAD_GATEWAY;
        ap_proxyerror(the_request, HTTP_BAD_GATEWAY,
                      "Upstream Server Unavailable.");
        ap_send_error_response(the_request, 0);
        return;
    }

The changes made for the 2.0 were using the socket timeout I believe, which
is a more generic timeout function with its own function called upon
timeout. So I will take a look at the logging, but for the most part will
not be able to reuse what I have done. I will be able to reuse the
monitoring program though, as it is totally outside of Apache.

Thanks again.

Jeff

> Regards,
> Graham
> --
>
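Item 2 in the message above turns on an idle timeout: the back end accepts the connection and then sends nothing. The following is an added example, not code from the original message or from Apache, showing one generic way to enforce such a timeout on the back-end socket with poll(); the names relay_result, read_backend and demo are hypothetical, and the back end is a constructed socketpair.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum relay_result { RELAY_OK, RELAY_IDLE_TIMEOUT, RELAY_ERROR }; /* hypothetical names */
static size_t demo_bytes;            /* bytes read by the last demo() call */
/* Read until EOF; give up when no byte arrives for idle_ms milliseconds.
 * The wait restarts after every read, so only a silent back end is cut off. */
static enum relay_result read_backend(int fd, int idle_ms, size_t *total)
{
    char buf[4096];
    *total = 0;
    for (;;) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int n = poll(&p, 1, idle_ms);
        if (n == 0) return RELAY_IDLE_TIMEOUT;   /* log it, answer 502 */
        if (n < 0) { if (errno == EINTR) continue; return RELAY_ERROR; }
        ssize_t r = read(fd, buf, sizeof buf);
        if (r == 0) return RELAY_OK;             /* back end closed: done */
        if (r < 0) return RELAY_ERROR;
        *total += (size_t)r;
    }
}

/* Constructed harness: a socketpair stands in for the back-end connection.
 * silent != 0 models a CGI that accepts the request and then sends nothing. */
static enum relay_result demo(int silent, int idle_ms)
{
    static const char reply[] = "HTTP/1.0 200 OK\r\n\r\n";   /* constructed */
    const ssize_t len = (ssize_t)sizeof reply - 1;
    enum relay_result res = RELAY_ERROR;
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return res;
    if (silent || write(sv[1], reply, (size_t)len) == len) {
        if (!silent) shutdown(sv[1], SHUT_WR);   /* reply complete: signal EOF */
        res = read_backend(sv[0], idle_ms, &demo_bytes);
    }
    close(sv[0]);
    close(sv[1]);
    return res;
}

int main(void)
{
    printf("silent back end -> %d\n", demo(1, 200));
    printf("prompt back end -> %d\n", demo(0, 200));
    return 0;
}
```

A hung back end that is never timed out keeps a proxy worker occupied for as long as it stays silent, which is why the silent case is the one worth logging and alerting on.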