This patch[1] adds two new directives, SSLServerName and SSLServerPort. The
idea behind these two directives is to associate an SSL-aware Apache server
with a non-SSL-aware Apache server. For example:
One could have in httpd.conf:
Listen 80
Listen 443
SSLServerName ssl.foobar.org
SSLServerPort 443
<VirtualHost ssl.foobar.org:443>
SSLEngine On
[...other directives...]
</VirtualHost>
<VirtualHost www.xyzzy.com:80>
SSLServerName ssl.xyzzy.com
SSLServerPort 443
[...other directives...]
</VirtualHost>
<VirtualHost ssl.xyzzy.com:443>
SSLEngine On
[...other directives...]
</VirtualHost>
Then you could write a module[2] that, when necessary, redirects to the
appropriate SSL-aware server whenever SSL is required. No, this will not
work with name-based virtual hosts.
If this patch is accepted, I'd be happy to follow up with documentation.
Thanks,
Tom
[1]
Index: mod_ssl.c
===================================================================
RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.c,v
retrieving revision 1.55
diff -u -3 -r1.55 mod_ssl.c
--- mod_ssl.c 1999/05/06 09:56:35 1.55
+++ mod_ssl.c 1999/05/20 02:55:11
@@ -150,6 +150,10 @@
AP_SRV_CMD(Protocol, RAW_ARGS,
"Enable or disable various SSL protocols"
"(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
+ AP_SRV_CMD(ServerName, TAKE1,
+ "The canonical SSL hostname")
+ AP_SRV_CMD(ServerPort, TAKE1,
+ "The canonical SSL TCP port number")
/*
* Per-directory context configuration directives
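Review bot: The help strings `"The canonical SSL hostname"` and `"The canonical SSL TCP port number"` read as if they described the host being configured, whereas the cover letter says these directives name the separate SSL-aware server that a non-SSL virtual host is associated with. The help text should state that relationship, e.g. `"Hostname of the SSL-aware server associated with this server (exposed as SSL_SERVER_NAME)"` and `"TCP port of the SSL-aware server associated with this server (exposed as SSL_SERVER_PORT)"`. The command table these entries belong to is declared outside the hunk.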
Index: mod_ssl.h
===================================================================
RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
retrieving revision 1.93
diff -u -3 -r1.93 mod_ssl.h
--- mod_ssl.h 1999/05/06 09:56:36 1.93
+++ mod_ssl.h 1999/05/20 02:55:11
@@ -491,6 +491,8 @@
char *szCARevocationPath;
char *szCARevocationFile;
X509_STORE *pRevocationStore;
+ char *pServerName;
+ unsigned short nServerPort;
#ifdef SSL_VENDOR
ap_ctx *ctx;
#endif
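Review bot: `char *pServerName` breaks the prefix convention of the neighbouring fields, where `sz` marks a C string (`szCARevocationPath`, `szCARevocationFile`) and `p` marks a pointer to an object (`pRevocationStore`); `szServerName` would match, and the same rename would then carry through to ssl_engine_config.c and ssl_engine_vars.c. `nServerPort` follows the existing `n` convention. The struct is declared outside the hunk.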
@@ -555,6 +557,8 @@
const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *);
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *);
const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *);
+const char *ssl_cmd_SSLServerName(cmd_parms *, void *, char *);
+const char *ssl_cmd_SSLServerPort(cmd_parms *, void *, char *);
/* module initialization */
void ssl_init_Module(server_rec *, pool *);
Index: ssl_engine_config.c
===================================================================
RCS file:
/usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.53
diff -u -3 -r1.53 ssl_engine_config.c
--- ssl_engine_config.c 1999/05/06 09:56:36 1.53
+++ ssl_engine_config.c 1999/05/20 02:55:11
@@ -204,6 +204,8 @@
sc->szCARevocationPath = NULL;
sc->szCARevocationFile = NULL;
sc->pRevocationStore = NULL;
+ sc->pServerName = NULL;
+ sc->nServerPort = DEFAULT_HTTPS_PORT;
#ifdef SSL_VENDOR
sc->ctx = ap_ctx_new(p);
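Review bot: Using DEFAULT_HTTPS_PORT both as the initial value on the `sc->nServerPort = DEFAULT_HTTPS_PORT;` line and as the unset marker in the merge hunk below (`cfgMerge(nServerPort, DEFAULT_HTTPS_PORT);`) makes an explicit `SSLServerPort 443` in a virtual host indistinguishable from "not configured", so it inherits the parent's port if cfgMerge is the usual `add == unset ? base : add` macro. Port 0 is rejected by ssl_cmd_SSLServerPort and can therefore serve as the unset marker: `sc->nServerPort = 0;` here, `cfgMerge(nServerPort, 0);` in the merge hunk, and the SERVER_PORT lookup in ssl_engine_vars.c substituting DEFAULT_HTTPS_PORT when the stored value is 0. `pServerName` needs no change, since NULL is already its natural unset value for cfgMergeString. Both enclosing functions start and end outside their hunks.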
@@ -245,6 +247,8 @@
cfgMerge(szCARevocationPath, NULL);
cfgMerge(szCARevocationFile, NULL);
cfgMerge(pRevocationStore, NULL);
+ cfgMergeString(pServerName);
+ cfgMerge(nServerPort, DEFAULT_HTTPS_PORT);
#ifdef SSL_VENDOR
cfgMergeCtx(ctx);
@@ -801,3 +805,25 @@
return NULL;
}
+const char *ssl_cmd_SSLServerName(cmd_parms *cmd, void *dummy, char *word1)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->pServerName = word1;
+ return NULL;
+}
+
+const char *ssl_cmd_SSLServerPort(cmd_parms *cmd, void *dummy, char *word1)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ int port;
+
+ port = atoi(word1);
+ if (port <= 0 || port >= 65536) { /* 65536 == 1<<16 */
+ return ap_pstrcat(cmd->temp_pool, "The SSL port number \"", word1,
+ "\" is outside the appropriate range "
+ "(i.e., 1..65535).", NULL);
+ }
+ sc->nServerPort = port;
+ return NULL;
+}
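Review bot: `atoi(word1)` reports no parse failure, so `SSLServerPort 443abc` is silently accepted as 443 and only an entirely non-numeric or out-of-range argument reaches the error message. With strtol the whole argument can be required to be digits: `char *end;` / `long port = strtol(word1, &end, 10);` / `if (*word1 == '\0' || *end != '\0' || port <= 0 || port > 65535) {`; the `/* 65536 == 1<<16 */` comment then goes, and the existing error message already states the 1..65535 range. In ssl_cmd_SSLServerName the argument pointer is stored without copying; that is fine if, as I expect, the other directive handlers in this file also keep their arguments from the config pool, but if they copy with ap_pstrdup this one should too.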
Index: ssl_engine_kernel.c
===================================================================
RCS file:
/usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.85
diff -u -3 -r1.85 ssl_engine_kernel.c
--- ssl_engine_kernel.c 1999/05/14 15:37:50 1.85
+++ ssl_engine_kernel.c 1999/05/20 02:55:11
@@ -1041,6 +1041,8 @@
"SSL_SERVER_I_DN_Email",
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
+ "SSL_SERVER_NAME",
+ "SSL_SERVER_PORT",
NULL
};
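Review bot: The two new entries put static configuration values next to per-connection certificate fields, and if this is the StdEnvVars export list and the surrounding fixup runs only on SSL connections, the non-SSL virtual host that actually needs SSL_SERVER_NAME/SSL_SERVER_PORT for the redirect never sees them in its environment, so the benefit is limited to CGIs on the SSL side. A short comment on the two entries would prevent a reader from taking them for certificate fields, e.g. `/* from SSLServerName / SSLServerPort, not from the certificate */`. The table is declared outside the hunk.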
Index: ssl_engine_vars.c
===================================================================
RCS file:
/usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.34
diff -u -3 -r1.34 ssl_engine_vars.c
--- ssl_engine_vars.c 1999/05/18 09:14:59 1.34
+++ ssl_engine_vars.c 1999/05/20 02:55:11
@@ -304,6 +304,14 @@
if ((xs = SSL_get_peer_certificate(ssl)) != NULL)
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
}
+ else if (strcEQ(var, "SERVER_NAME")) {
+ SSLSrvConfigRec *sc = mySrvConfig(c->server);
+ return sc->pServerName;
+ }
+ else if (strcEQ(var, "SERVER_PORT")) {
+ SSLSrvConfigRec *sc = mySrvConfig(c->server);
+ return ap_psprintf(p, "%u", sc->nServerPort);
+ }
else if (strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
ssl = ap_ctx_get(c->client->ctx, "ssl");
if ((xs = SSL_get_certificate(ssl)) != NULL)
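Review bot: The two new branches `return` straight out of the if-chain while the neighbouring branches assign `result` and fall through to whatever the enclosing function does with it afterwards, and `sc->pServerName` is NULL until SSLServerName is set, so SERVER_NAME can now yield NULL where the sibling variables yield a string. Assign instead, `result = sc->pServerName;` and `result = ap_psprintf(p, "%u", sc->nServerPort);`, and map a NULL name to "" unless the function's tail already does so. `%u` is correct for the `unsigned short` after integer promotion. The enclosing lookup function starts and ends outside the hunk.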
[2]
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_main.h"
#include "http_protocol.h"
/* Forward declaration; the module record itself is defined at the bottom of the file. */
module MODULE_VAR_EXPORT ssltest_module;
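/*
** Content handler: redirect the current (non-SSL) request to the same URI
** on the SSL-aware server that mod_ssl reports for this virtual host
** (SSLServerName / SSLServerPort, surfaced as the SSL_SERVER_NAME and
** SSL_SERVER_PORT lookup variables).
**
** Returns REDIRECT after setting the Location header.
*/
static int
ssltest_handler(request_rec *r)
{
    /*
    ** Start from NULL: if no "ap::mod_ssl::var_lookup" hook is registered
    ** (mod_ssl not loaded) ap_hook_call() presumably leaves the output
    ** argument untouched, and the original left both pointers uninitialized.
    */
    const char *ssl_server_name = NULL;
    const char *ssl_server_port = NULL;
    const char *location;

    ap_hook_call("ap::mod_ssl::var_lookup", &ssl_server_name,
                 r->pool, r->server, r->connection, r, "SSL_SERVER_NAME");
    ap_hook_call("ap::mod_ssl::var_lookup", &ssl_server_port,
                 r->pool, r->server, r->connection, r, "SSL_SERVER_PORT");

    /*
    ** No SSLServerName configured: fall back to the server's own name.
    ** NOTE(review): with UseCanonicalName Off, ap_get_server_name() can
    ** reflect the client-supplied Host header into the redirect target;
    ** r->server->server_hostname is the configuration-only alternative --
    ** confirm which is wanted.
    */
    if (ssl_server_name == NULL || *ssl_server_name == '\0') {
        ssl_server_name = ap_get_server_name(r);
    }

    /*
    ** r->unparsed_uri keeps the query string. Without a usable port the
    ** port is omitted so the https scheme default applies, instead of
    ** formatting a NULL pointer with %s.
    */
    if (ssl_server_port == NULL || *ssl_server_port == '\0') {
        location = ap_psprintf(r->pool, "https://%s%s",
                               ssl_server_name, r->unparsed_uri);
    }
    else {
        location = ap_psprintf(r->pool, "https://%s:%s%s",
                               ssl_server_name, ssl_server_port,
                               r->unparsed_uri);
    }

    ap_table_setn(r->headers_out, "Location", location);
    return REDIRECT;
}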
/*
** Content handler table. "ssltest-handler" is the name that
** ssltest_post_read() below stores in r->handler for non-SSL requests.
*/
static const handler_rec
ssltest_handlers[] = {
{ "ssltest-handler", ssltest_handler },
{ NULL }
};
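/*
** Post-read-request hook: every request that did not arrive over SSL is
** routed to "ssltest-handler", which redirects it to the SSL server.
** Always returns DECLINED so the remaining modules still see the request.
*/
static int
ssltest_post_read(request_rec *r)
{
    /*
    ** Start from NULL: if no "ap::mod_ssl::var_lookup" hook is registered
    ** ap_hook_call() presumably leaves the output argument untouched, and
    ** the original would then have tested an uninitialized pointer.
    */
    char *ssl_session_id = NULL;

    ap_hook_call("ap::mod_ssl::var_lookup", &ssl_session_id,
                 r->pool, r->server, r->connection, r, "SSL_SESSION_ID");

    /*
    ** An empty SSL_SESSION_ID is taken to mean "not an SSL connection".
    ** NOTE(review): this assumes every SSL connection yields a non-empty
    ** session id; if mod_ssl exposes an HTTPS variable that is the more
    ** direct test -- confirm. Also confirm that a later phase (e.g. the
    ** type checker) does not overwrite r->handler before the handler runs.
    */
    if (ssl_session_id == NULL || *ssl_session_id == '\0') {
        /*
        ** I wonder what would happen if I were to redirect right here...
        */
        r->handler = "ssltest-handler";
    }
    return DECLINED;
}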
/*
** Module record. Only two slots are used: the handler table (phase #8)
** and the post-read-request hook (phase #0) that selects the handler.
*/
module MODULE_VAR_EXPORT ssltest_module = {
STANDARD_MODULE_STUFF,
NULL, /* module initializer */
NULL, /* create per-dir config structures */
NULL, /* merge per-dir config structures */
NULL, /* create per-server config structures */
NULL, /* merge per-server config structures */
NULL, /* table of config file commands */
ssltest_handlers, /* [#8] MIME-typed-dispatched handlers */
NULL, /* [#1] URI to filename translation */
NULL, /* [#4] validate user id from request */
NULL, /* [#5] check if the user is ok _here_ */
NULL, /* [#3] check access by host address */
NULL, /* [#6] determine MIME type */
NULL, /* [#7] pre-run fixups */
NULL, /* [#9] log a transaction */
NULL, /* [#2] header parser */
NULL, /* child_init */
NULL, /* child_exit */
ssltest_post_read /* [#0] post read-request */
};
--
Tom Vaughan <tvaughan at aventail dot com>