Re: How to create ssl backend connections in a module?

2017-06-29 Thread Sorin Manolache

On 2017-06-29 19:36, Christoph Rabel wrote:

> Hi,
>
> I have written an apache module that sometimes connects to a backend
> server. Currently it does that through http, open a socket, send a get
> request, get a response, process it. Nothing special.
>
> Now we need to support https too and I am wondering, how that could be
> accomplished.
> Should I use openssl directly? Does that work? Are there any helper
> functions I could use?
>
> I tried to find examples, but it is quite difficult since most of the
> examples cover configuration of ssl, not implementation of a ssl socket.
>
> I was also looking at mod_proxy but I don't understand how that stuff with
> the worker works. It's a lot of code and in the end I just need to open an
> ssl socket and I guess I can do the rest the same way as before.
>
> Any hints are appreciated.
> I should support Apache 2.2, but I might be able to weaken that to support
> only Apache 2.4, if that makes a huge difference.


How do you do it now, in plain http? I see two or three ways in which 
you do it: using apache subrequests (ap_sub_req_method_uri), using 
mod_proxy (no code, just conf, like ProxyPass), using a 3rd-party 
library, such as libcurl or libneon for example.


Or do you do it "manually", i.e. using the syscalls 
socket/connect/write, you write to the socket and implement the http 
protocol?


The good news about the first three options is that they work with ssl 
without code modification. You just configure the URL of the backend and 
it recognizes https and performs the SSL handshake and communication.


In my opinion (but it depends on your use case), the best option is 
mod_proxy. Check this generic way of configuring it:

<Location /your_url>
RewriteEngine On
RewriteCond  some_condition
RewriteRule  .*  https://remote.host/path/to/remote/resource?args [P]
</Location>

<Proxy https://remote.host/path/to/remote/resource>
ProxyPass https://remote.host/path/to/remote/resource keepalive=On timeout=5
</Proxy>


Your module processes requests to /your_url. If it has to make the 
request to the backend, then it sets some apache note or environment 
variable. The value of this variable is then checked in the RewriteCond. 
If the condition is satisfied then the request to /your_url is proxied 
to the remote.host backend. The response of the backend is then sent to 
your client.


If you want to modify the response of the backend, or to send a 
completely different response to the client (and then you just use some 
data from the backend's response) then you write a filter and you 
activate it with the SetOutputFilter conf directive.


This setup works with http and https. You just put the right scheme in 
the URLs in the conf.


Hope this helps,
Sorin



> Tia,
>
> Christoph
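
The mod_proxy setup described in the reply above, as an added example that is not part of the original thread: for an https backend, mod_ssl's proxy side must be enabled, and its default (SSLProxyVerify none) encrypts the hop without authenticating the backend. The variable name BACKEND_FETCH, the filter name MY_BACKEND_FILTER and the CA file path are hypothetical.

```apache
# Added example, not from the original post.
# Assumes mod_rewrite, mod_proxy, mod_proxy_http and mod_ssl are loaded.
# BACKEND_FETCH, MY_BACKEND_FILTER and the CA path are hypothetical names.

# Required before mod_proxy can speak TLS to an https:// backend.
SSLProxyEngine On

# Weak setting (this is also the default): the connection is encrypted,
# but any certificate the backend presents is accepted.
# SSLProxyVerify none

# Corrected setting: the backend must present a certificate that chains
# to the CA below, is not expired, and matches the host name in the URL.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile /etc/httpd/conf/backend-ca.pem
SSLProxyCheckPeerExpire On
# SSLProxyCheckPeerName exists in Apache 2.4.5 and later.
SSLProxyCheckPeerName On

<Location /your_url>
    RewriteEngine On
    # The module decides per request whether the backend is needed and
    # sets BACKEND_FETCH=1 in the request environment (assumption: it
    # does so before mod_rewrite evaluates these per-directory rules).
    RewriteCond %{ENV:BACKEND_FETCH} =1
    RewriteRule .* https://remote.host/path/to/remote/resource [P]

    # Output filter registered by the module; it rewrites or replaces
    # the backend's response before it reaches the client.
    SetOutputFilter MY_BACKEND_FILTER
</Location>
```

With verification required, a backend certificate that fails the checks makes the proxied request fail instead of silently succeeding, so the module's filter should be prepared to see an error response.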





Re: svn commit: r1782209 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-29 Thread Jacob Champion

On 06/27/2017 04:59 PM, Eric Covener wrote:

> I would just as well pull this block out entirely rather than taking
> the "fpm||" half of the test out.  It seems like if you go out of your
> way to run a script with PATH_INFO set as some parameter that we
> shouldn't negate that.  And like the non path_info case, nobody has
> ever asked us for this.


Checked in as r1800306 and proposed for backport.

--Jacob


How to create ssl backend connections in a module?

2017-06-29 Thread Christoph Rabel
Hi,

I have written an apache module that sometimes connects to a backend
server. Currently it does that through http, open a socket, send a get
request, get a response, process it. Nothing special.

Now we need to support https too and I am wondering, how that could be
accomplished.
Should I use openssl directly? Does that work? Are there any helper
functions I could use?

I tried to find examples, but it is quite difficult since most of the
examples cover configuration of ssl, not implementation of a ssl socket.

I was also looking at mod_proxy but I don't understand how that stuff with
the worker works. It's a lot of code and in the end I just need to open an
ssl socket and I guess I can do the rest the same way as before.

Any hints are appreciated.
I should support Apache 2.2, but I might be able to weaken that to support
only Apache 2.4, if that makes a huge difference.

Tia,

Christoph


Re: svn commit: r1800162 - in /httpd/test/framework/trunk/t: conf/extra.conf.in modules/proxy.t

2017-06-29 Thread William A Rowe Jr
On Wed, Jun 28, 2017 at 8:08 AM,   wrote:
> Author: jim
> Date: Wed Jun 28 13:08:41 2017
> New Revision: 1800162
>
> --- httpd/test/framework/trunk/t/modules/proxy.t (original)
> +++ httpd/test/framework/trunk/t/modules/proxy.t Wed Jun 28 13:08:41 2017
> @@ -7,7 +7,7 @@ use Apache::TestUtil;
>  use Apache::TestConfig ();
>  use Misc;
>
> -my $num_tests = 20;
> +my $num_tests = 21;
>  if (have_min_apache_version('2.4.7')) {
>  $num_tests++;
>  }
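
Review bot: the plan count is raised unconditionally at `my $num_tests = 21;`, but the only assertion this patch adds is in the last hunk, whose header places it under `if (have_min_apache_version('2.4.7'))`. When that guard is false the plan expects one more test than runs. Keep the base at 20 and change the guarded `$num_tests++;` to `$num_tests += 2;`.
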
> @@ -119,8 +119,8 @@ sub uds_script
>  if (accept(my $new_sock, $server)) {
>  my $data = <$new_sock>;
>  print $new_sock "HTTP/1.0 200 OK\r\n";
> -print $new_sock "Content-Type: text/html\r\n\r\n";
> -print $new_sock "Hello 
> World$data\n";
> +print $new_sock "Content-Type: text/plain\r\n\r\n";
> +print $new_sock "hello world\n";
>  close $new_sock;
>  }
>  unlink($socket_path);
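
Review bot: in `uds_script`, `my $data = <$new_sock>;` is still assigned but no longer used now that the body is the fixed string `hello world`. Either drop the variable and keep the read as a bare statement, or add a comment saying the read only consumes the request line before the response is written.
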
> @@ -145,5 +145,9 @@ if (have_min_apache_version('2.4.7')) {
>  }
>  $r = GET("/uds/");
>  ok t_cmp($r->code, 200, "ProxyPass UDS path");
> +my $c = $r->content;
> +chomp $c;
> +ok t_cmp($c, "hello world", "UDS content OK");
> +
>  }
>
>
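
Review bot: the expected string in `ok t_cmp($c, "hello world", "UDS content OK");` depends on `uds_script` writing exactly one trailing `\n`, since `chomp $c;` strips only one. A short comment tying the two together would keep them from drifting apart, and the empty added line before the closing `}` can be dropped.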

That's problematic, your counting was skewed;

t/modules/proxy.t ... Failed 1/21 subtests
(less 3 skipped subtests: 17 okay)

I expect you wanted to tickle the count += 2 in place of ++ in the line below?

t/modules/proxy_fcgi.t .. Can't exec "php-fpm": No such
file or directory at t/modules/proxy_fcgi.t line 11.
t/modules/proxy_fcgi.t .. skipped: cannot find module
'mod_proxy_fcgi'

This one is odd, shouldn't we skip all proxy_fcgi.t the moment
mod_proxy_fcgi is absent, rather than hunting for the php-fpm
component?