Rasmus Lerdorf wrote:
Ya, I got messed up in my other email too.
SO_ACCEPTFILTER is in 2.0.xx.
TCP_DEFER_ACCEPT is in 2.1.xx.
-Paul
By the way Paul, I have been meaning ask, are you falling back from
httpready to dataready on SSL requests in 2.x? I don't see it in
server/listen.c, but I am not really up on the 2.x code. We can't use
httpready on an SSL request for obvious reasons.
Nope, it always tries to use accf_http.
In real life, I don't believe this is detrimental, since if the
accf_http filter sees data it doesn't understand, it acts just like
accf_data -- and mod_ssl reads the data just like normal.
There was a thread discussing refactoring of how accept filters and
TCP_DEFER_ACCEPT should be applied, but the root problem is that we do
not know that a socket is SSL, until after we have accept()'ed that
socket. This thread was started when I committed support for
TCP_DEFER_ACCEPT:
http://marc.theaimsgroup.com/?t=11027589512r=1w=2
A proposed solution is a 'mod_acceptfilter':
http://marc.theaimsgroup.com/?l=apache-httpd-devm=110297187029584w=2
Unfortunately, no one followed up with Rici's ideas on it. I think the
longterm solution is to remove things like 'SSLEngine On', and fix HTTPD
to associate a single protocol with a single listening socket.
An alternative that was also proposed at the same time was Listen Blocks:
http://marc.theaimsgroup.com/?l=apache-httpd-devm=110297188417604w=2
This would allow something like:
Listen 1.2.3.4:443
# would imply the accf_data filter on FreeBSD...
Protocol https
VirtualHost
/VirtualHost
/Listen
Either way, we need a better method to know which protocol will at least
initially be ran on a socket. Currently it is all runtime, but it must
be changed to be done at startup, to properly apply the accept filters.
In the real world, it is not a big issue, since most people are running
HTTP or HTTPS Servers with apache, but maybe someday httpd will fully
support SMTP, IMAP, and FTP :)
-Paul