Re: How to create ssl backend connections in a module?
On 2017-06-29 19:36, Christoph Rabel wrote:

> Hi,
>
> I have written an apache module that sometimes connects to a backend server. Currently it does that through http, open a socket, send a get request, get a response, process it. Nothing special.
>
> Now we need to support https too and I am wondering, how that could be accomplished. Should I use openssl directly? Does that work? Are there any helper functions I could use?
>
> I tried to find examples, but it is quite difficult since most of the examples cover configuration of ssl, not implementation of a ssl socket.
>
> I was also looking at mod_proxy but I don't understand how that stuff with the worker works. It's a lot of code and in the end I just need to open an ssl socket and I guess I can do the rest the same way as before.
>
> Any hints are appreciated. I should support Apache 2.2, but I might be able to weaken that to support only Apache 2.4, if that makes a huge difference.

How do you do it now, in plain http? I see two or three ways in which you do it:

- using apache subrequests (ap_sub_req_method_uri),
- using mod_proxy (no code, just conf, like ProxyPass),
- using a 3rd-party library, such as libcurl or libneon for example.

Or do you do it "manually", i.e. using the syscalls socket/connect/write, you write to the socket and implement the http protocol?

The good news about the first three options is that they work with ssl without code modification. You just configure the URL of the backend and it recognizes https and performs the SSL handshake and communication.

In my opinion (but it depends on your use case), the best option is mod_proxy. Check this generic way of configuring it:

RewriteEngine On
RewriteCond some_condition
RewriteRule .* https://remote.host/path/to/remote/resource?args [P]
https://remote.host/path/to/remote/resource>
ProxyPass https://remote.host/path/to/remote/resource keepalive=On timeout=5

Your module processes requests to /your_url. If it has to make the request to the backend, then it sets some apache note or environment variable. The value of this variable is then checked in the RewriteCond. If the condition is satisfied then the request to /your_url is proxied to the remote.host backend. The response of the backend is then sent to your client.

If you want to modify the response of the backend, or to send a completely different response to the client (and then you just use some data from the backend's response) then you write a filter and you activate it with the SetOutputFilter conf directive.

This setup works with http and https. You just put the right scheme in the URLs in the conf.

Hope this helps,
Sorin

> Tia,
> Christoph
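
Added example, not part of Sorin's message or of httpd's own documentation: one way to lay out the mod_proxy approach described above for an https backend, with verification of the backend certificate switched on. The variable name BACKEND_FETCH and the CA bundle path are assumptions, remote.host and /your_url are the placeholders from the message, and worker parameters are set with ProxySet inside a <Proxy> block rather than with the ProxyPass line shown there.

```apache
# Added example. Assumed names: BACKEND_FETCH, /etc/ssl/certs/backend-ca.pem.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite loaded.

# mod_ssl is the TLS client for proxied https:// requests; without this
# directive the proxied request to an https backend fails.
SSLProxyEngine On

# SSLProxyVerify defaults to "none", which accepts any certificate the
# backend presents. "require" validates the chain against the CA bundle.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile "/etc/ssl/certs/backend-ca.pem"

# Reject a certificate whose name does not match remote.host or that has
# expired. SSLProxyCheckPeerName needs httpd 2.4.5 or later; on older
# releases SSLProxyCheckPeerCN is the closest equivalent.
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On

# Reverse proxy only: never act as a forward proxy for arbitrary URLs.
ProxyRequests Off

<Location "/your_url">
    RewriteEngine On
    # The module sets BACKEND_FETCH=1 in r->subprocess_env when it wants
    # the backend call; it must do so before the per-directory rewrite
    # rules run (fixup phase).
    RewriteCond %{ENV:BACKEND_FETCH} =1
    # Fixed target: no part of the client's request chooses the backend.
    RewriteRule .* https://remote.host/path/to/remote/resource [P]
</Location>

<Proxy "https://remote.host/path/to/remote/resource">
    # Same worker parameters as in the message above.
    ProxySet keepalive=On timeout=5
</Proxy>
```

With SSLProxyVerify left at its default the setup still "works with https", but the connection is encrypted to whoever answers on the backend address.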
Re: svn commit: r1782209 - /httpd/httpd/branches/2.4.x/STATUS
On 06/27/2017 04:59 PM, Eric Covener wrote:

I would just as well pull this block out entirely rather than taking the "fpm||" half of the test out. It seems like if you go out of your way to run a script with PATH_INFO set as some parameter that we shouldn't negate that. And like the non path_info case, nobody has ever asked us for this.

Checked in as r1800306 and proposed for backport.

--Jacob
How to create ssl backend connections in a module?
Hi,

I have written an apache module that sometimes connects to a backend server. Currently it does that through http, open a socket, send a get request, get a response, process it. Nothing special.

Now we need to support https too and I am wondering, how that could be accomplished. Should I use openssl directly? Does that work? Are there any helper functions I could use?

I tried to find examples, but it is quite difficult since most of the examples cover configuration of ssl, not implementation of a ssl socket.

I was also looking at mod_proxy but I don't understand how that stuff with the worker works. It's a lot of code and in the end I just need to open an ssl socket and I guess I can do the rest the same way as before.

Any hints are appreciated. I should support Apache 2.2, but I might be able to weaken that to support only Apache 2.4, if that makes a huge difference.

Tia,
Christoph
Re: svn commit: r1800162 - in /httpd/test/framework/trunk/t: conf/extra.conf.in modules/proxy.t
On Wed, Jun 28, 2017 at 8:08 AM, wrote:

> Author: jim > Date: Wed Jun 28 13:08:41 2017 > New Revision: 1800162 > > --- httpd/test/framework/trunk/t/modules/proxy.t (original) > +++ httpd/test/framework/trunk/t/modules/proxy.t Wed Jun 28 13:08:41 2017 > @@ -7,7 +7,7 @@ use Apache::TestUtil; > use Apache::TestConfig (); > use Misc; > > -my $num_tests = 20; > +my $num_tests = 21; > if (have_min_apache_version('2.4.7')) { > $num_tests++; > } > @@ -119,8 +119,8 @@ sub uds_script > if (accept(my $new_sock, $server)) { > my $data = <$new_sock>; > print $new_sock "HTTP/1.0 200 OK\r\n"; > -print $new_sock "Content-Type: text/html\r\n\r\n"; > -print $new_sock "Hello > World$data\n"; > +print $new_sock "Content-Type: text/plain\r\n\r\n"; > +print $new_sock "hello world\n"; > close $new_sock; > } > unlink($socket_path); > @@ -145,5 +145,9 @@ if (have_min_apache_version('2.4.7')) { > } > $r = GET("/uds/"); > ok t_cmp($r->code, 200, "ProxyPass UDS path"); > +my $c = $r->content; > +chomp $c; > +ok t_cmp($c, "hello world", "UDS content OK"); > + > } > >

That's problematic, your counting was skewed;

t/modules/proxy.t ... Failed 1/21 subtests (less 3 skipped subtests: 17 okay)

I expect you wanted to tickle the count += 2 in place of ++ in the line below?

t/modules/proxy_fcgi.t .. Can't exec "php-fpm": No such file or directory at t/modules/proxy_fcgi.t line 11.
t/modules/proxy_fcgi.t .. skipped: cannot find module 'mod_proxy_fcgi'

This one is odd, shouldn't we skip all proxy_fcgi.t the moment mod_proxy_fcgi is absent, rather than hunting for the php-fpm component?
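
Review bot: the plan count in the first hunk is raised unconditionally (my $num_tests = 21;), while the new ok t_cmp($c, "hello world", "UDS content OK"); in the last hunk is followed by a closing }, so it only runs when its enclosing block does. If that block is the have_min_apache_version('2.4.7') conditional named in the hunk header, count the extra test next to the existing $num_tests++ (making it $num_tests += 2) and leave the base at 20; otherwise the plan is off by one whenever the block is skipped.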
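
Review bot: in the uds_script hunk, my $data = <$new_sock>; is still assigned, but nothing uses $data once the response body becomes the fixed string "hello world". Keep the read so the request line is consumed before the reply is written, but drop the variable or add a comment saying the value is discarded on purpose, so the leftover does not read as a forgotten echo of client input.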