On Sat, Sep 30, 2023 at 7:19 PM Ruediger Pluem wrote:
>
> On 9/21/23 3:15 PM, yla...@apache.org wrote:
>
> > --- httpd/httpd/trunk/modules/proxy/proxy_util.c (original)
> > +++ httpd/httpd/trunk/modules/proxy/proxy_util.c Thu Sep 21 13:15:35 2023
>
> > @@ -2683,56 +3116,83 @@ ap_proxy_determine_connection(apr_pool_t
> > +
> > +if (proxyname) {
> > +forward_info *forward;
> > +
> > +hostname = proxyname;
> > +hostport = proxyport;
> > +
> > +/* Reset forward info if they changed */
> > +if (conn->is_ssl
> > +&& (!(forward = conn->forward)
> > +|| forward->target_port != uri->port
> > +|| ap_cstr_casecmp(forward->target_host,
> > + uri->hostname) != 0)) {
> > +apr_pool_t *fwd_pool = conn->pool;
> > +if (worker->s->is_address_reusable) {
> > +if (conn->fwd_pool) {
> > +apr_pool_clear(conn->fwd_pool);
> > +}
> > +else {
> > +apr_pool_create(>fwd_pool, conn->pool);
> > +}
>
>
> Don't we need to
>
> fwd_pool = conn->fwd_pool
>
> ??
Sorry I missed your message somehow.
Yes you are right of course!
And with a fresh look at this new forward_info reuse mechanism I think
we also need to check whether the ->proxy_auth has changed too.
Something like the attached (which also includes your proposed change above)?
Regards;
Yann.
Index: modules/proxy/proxy_util.c
===
--- modules/proxy/proxy_util.c (revision 1913529)
+++ modules/proxy/proxy_util.c (working copy)
@@ -47,7 +47,7 @@ APLOG_USE_MODULE(proxy);
/*
* Opaque structure containing target server info when
* using a forward proxy.
- * Up to now only used in combination with HTTP CONNECT.
+ * Up to now only used in combination with HTTP CONNECT to ProxyRemote
*/
typedef struct {
int use_http_connect; /* Use SSL Tunneling via HTTP CONNECT */
@@ -3154,58 +3154,65 @@ ap_proxy_determine_connection(apr_pool_t *p, reque
const char *hostname = uri->hostname;
apr_port_t hostport = uri->port;
+/* Not a remote CONNECT until further notice */
+conn->forward = NULL;
+
if (proxyname) {
-forward_info *forward;
-
hostname = proxyname;
hostport = proxyport;
-/* Reset forward info if they changed */
-if (conn->is_ssl
-&& (!(forward = conn->forward)
+/*
+ * If we have a remote proxy and the protocol is HTTPS,
+ * then we need to prepend a HTTP CONNECT request before
+ * sending our actual HTTPS requests.
+ */
+if (conn->is_ssl) {
+forward_info *forward;
+const char *proxy_auth;
+
+/* Do we want to pass Proxy-Authorization along?
+ * If we haven't used it, then YES
+ * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+ * So let's make it configurable by env.
+ * The logic here is the same used in mod_proxy_http.
+ */
+proxy_auth = apr_table_get(r->notes, "proxy-basic-creds");
+if (proxy_auth == NULL
+&& (r->user == NULL /* we haven't yet authenticated */
+|| apr_table_get(r->subprocess_env, "Proxy-Chain-Auth"))) {
+proxy_auth = apr_table_get(r->headers_in, "Proxy-Authorization");
+}
+if (proxy_auth != NULL && proxy_auth[0] == '\0') {
+proxy_auth = NULL;
+}
+
+/* Reset forward info if they changed */
+if (!(forward = conn->forward)
|| forward->target_port != uri->port
-|| ap_cstr_casecmp(forward->target_host,
- uri->hostname) != 0)) {
-apr_pool_t *fwd_pool = conn->pool;
-if (worker->s->is_address_reusable) {
-if (conn->fwd_pool) {
-apr_pool_clear(conn->fwd_pool);
+|| ap_cstr_casecmp(forward->target_host, uri->hostname) != 0
+|| (forward->proxy_auth != NULL) != (proxy_auth != NULL)
+|| (forward->proxy_auth != NULL && proxy_auth != NULL &&
+strcmp(forward->proxy_auth, proxy_auth) != 0)) {
+apr_pool_t *fwd_pool = conn->pool;
+if (worker->s->is_address_reusable) {
+if (conn->fwd_pool) {
+apr_pool_clear(conn->fwd_pool);
+}
+else {
+apr_pool_create(>fwd_pool,