ASF Bugzilla – Attachment 11552 Details for
Bug 19188
ProxyPass'ing to HTTPS server via proxy does not work
[patch]
This patch has been developed and tested in a reverse proxy configuration. Some tests have been made with Apache and IIS web servers.
19188.patch (text/plain), 8.01 KB, created by
Philippe Dutrueux
on 2004-05-14 16:01:39 UTC
Description:
This patch has been developped and tested in a reverse proxy configuration. Some tests have been made with Apache and IIS web servers.
Filename:
MIME Type:
Creator:
Philippe Dutrueux
Created:
2004-05-14 16:01:39 UTC
Size:
8.01 KB
patch
obsolete
>diff -ru httpd-2.0.49.ref/modules/proxy/mod_proxy.h httpd-2.0.49/modules/proxy/mod_proxy.h
>--- httpd-2.0.49.ref/modules/proxy/mod_proxy.h 2004-02-09 21:53:19.000000000 +0100
>+++ httpd-2.0.49/modules/proxy/mod_proxy.h 2004-05-14 17:56:47.000000000 +0200
>@@ -172,6 +172,15 @@
> char *hostname;
> apr_port_t port;
> int is_ssl;
>+ /* Does use the HTTP connect method to connect to the web server ? */
>+ int does_use_http_connect ;
>+ /*
>+ * When connecting to a HTTPS web server via a forward proxy, the previous
>+ * host name and port are for forward proxy
>+ * The following fields are for web server
>+ */
>+ char *web_server_host_name ;
>+ apr_port_t web_server_port ;
> } proxy_conn_rec;
>
> typedef struct {
>diff -ru httpd-2.0.49.ref/modules/proxy/proxy_http.c httpd-2.0.49/modules/proxy/proxy_http.c
>--- httpd-2.0.49.ref/modules/proxy/proxy_http.c 2004-02-09 21:53:19.000000000 +0100
>+++ httpd-2.0.49/modules/proxy/proxy_http.c 2004-05-14 17:57:08.000000000 +0200
>@@ -30,6 +30,7 @@
> apr_sockaddr_t *addr;
> apr_socket_t *sock;
> int close;
>+ int does_use_http_connect ;
> } proxy_http_conn_t;
>
> static apr_status_t ap_proxy_http_cleanup(request_rec *r,
>@@ -194,10 +195,20 @@
> /* see memory note above */
> err = apr_sockaddr_info_get(&p_conn->addr, p_conn->name, APR_UNSPEC,
> p_conn->port, 0, c->pool);
>+ if (strcasecmp(uri->scheme, "https") == 0) {
>+ /*
>+ * Connection to a HTTPS web server via a proxy, so use the
>+ * HTTP connect method
>+ */
>+ p_conn->does_use_http_connect = 1 ;
>+ }
> } else {
> p_conn->name = apr_pstrdup(c->pool, uri->hostname);
> p_conn->port = uri->port;
> p_conn->addr = uri_addr;
>+ }
>+
>+ if (proxyname == NULL || p_conn->does_use_http_connect) {
> *url = apr_pstrcat(p, uri->path, uri->query ? "?" : "",
> uri->query ? uri->query : "",
> uri->fragment ? "#" : "",
>@@ -230,14 +241,81 @@
> }
>
> static
>+apr_status_t send_http_connect(apr_pool_t *p, request_rec *r,
>+ proxy_http_conn_t *p_conn,
>+ proxy_conn_rec *backend)
>+{
>+ int status ;
>+ apr_size_t nbytes ;
>+ char buffer[HUGE_STRING_LEN];
>+ int len = 0 ;
>+
>+ /*
>+ * Use the HTTP connect method
>+ */
>+ /* FIXME: Error checking ignored.
>+ */
>+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
>+ "proxy: CONNECT: sending the CONNECT request to the remote proxy");
>+ nbytes = apr_snprintf(buffer, sizeof(buffer),
>+ "CONNECT %s:%d HTTP/1.0" CRLF,
>+ backend->web_server_host_name, backend->web_server_port);
>+ apr_send(p_conn->sock, buffer, &nbytes);
>+
>+ nbytes = apr_snprintf(buffer, sizeof(buffer),
>+ "Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
>+ apr_send(p_conn->sock, buffer, &nbytes);
>+
>+ nbytes = sizeof(buffer) - 1 ;
>+ status = apr_recv(p_conn->sock, buffer, &nbytes) ;
>+ while (status == APR_SUCCESS) {
>+ len += nbytes ;
>+ buffer[len] = '\0' ;
>+ if (strstr(buffer, "\r\n\r\n") != NULL) {
>+ break ;
>+ }
>+ nbytes = sizeof(buffer) - 1 - len ;
>+ status = apr_recv(p_conn->sock, buffer + len, &nbytes) ;
>+ }
>+
>+ if (status == APR_SUCCESS) {
>+ int major, minor;
>+ char codeStr[10] ;
>+
>+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
>+ "send_http_connect: response from the forward proxy: %s",
>+ buffer) ;
>+
>+ /* Extract the returned code */
>+ if (sscanf(buffer, "HTTP/%u.%u %s", &major, &minor, codeStr) == 3) {
>+ status = atoi(codeStr) ;
>+ if (status == HTTP_OK) {
>+ status = OK ;
>+ }
>+ }
>+ else {
>+ status = HTTP_BAD_GATEWAY ;
>+ }
>+ }
>+ else {
>+ status = HTTP_BAD_GATEWAY ;
>+ }
>+
>+ return(status) ;
>+}
>+
>+
>+static
> apr_status_t ap_proxy_http_create_connection(apr_pool_t *p, request_rec *r,
> proxy_http_conn_t *p_conn,
> conn_rec *c, conn_rec **origin,
> proxy_conn_rec *backend,
> proxy_server_conf *conf,
>- const char *proxyname) {
>+ const char *proxyname,
>+ apr_uri_t *uri) {
> int failed=0, new=0;
> apr_socket_t *client_socket = NULL;
>+ int status = OK ;
>
> /* We have determined who to connect to. Now make the connection, supporting
> * a KeepAlive connection.
>@@ -252,11 +330,29 @@
> */
> /* see memory note above */
> if (backend->connection) {
>+ int keepAlive = 0 ;
>+
> client_socket = ap_get_module_config(backend->connection->conn_config, &core_module);
> if ((backend->connection->id == c->id) &&
> (backend->port == p_conn->port) &&
> (backend->hostname) &&
>- (!apr_strnatcasecmp(backend->hostname, p_conn->name))) {
>+ (!apr_strnatcasecmp(backend->hostname, p_conn->name)) &&
>+ (backend->does_use_http_connect == p_conn->does_use_http_connect)) {
>+ /*
>+ * When the HTTP connect method is used, the connection to the
>+ * forward proxy can be used only if this is the same web server
>+ */
>+ if (backend->does_use_http_connect == 0) {
>+ keepAlive = 1 ;
>+ }
>+ else if (apr_strnatcasecmp(backend->web_server_host_name,
>+ uri->hostname) == 0
>+ && backend->web_server_port == uri->port) {
>+ keepAlive = 1 ;
>+ }
>+ }
>+
>+ if (keepAlive) {
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
> "proxy: keepalive address match (keep original socket)");
> } else {
>@@ -311,7 +407,8 @@
> * For now we do nothing, ie we get DNS round robin.
> * XXX FIXME
> */
>- failed = ap_proxy_connect_to_backend(&p_conn->sock, "HTTP",
>+ failed = ap_proxy_connect_to_backend(&p_conn->sock,
>+ (p_conn->does_use_http_connect ? "CONNECT" : "HTTP"),
> p_conn->addr, p_conn->name,
> conf, r->server, c->pool);
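Review bot: In send_http_connect the forward proxy's status line is parsed with `sscanf(buffer, "HTTP/%u.%u %s", &major, &minor, codeStr)`, and the unbounded `%s` writes into `char codeStr[10]`, so a reply whose third token is longer than nine characters overruns the stack buffer; the reply arrives from the network and has to be treated as untrusted. Bound the conversion and match the argument types: declare `unsigned int major, minor;` and use `"HTTP/%u.%u %9s"`. The receive loop also has no exit for a reply that fills the buffer without a blank line: once `len` reaches `sizeof(buffer) - 1` the next `apr_recv` is asked for zero bytes, and whether that returns an error is not visible here, so an explicit `if (len >= (int)sizeof(buffer) - 1) { status = APR_EGENERAL; break; }` after the `strstr` test would make the failure certain. The results of both `apr_send` calls are ignored, as the FIXME in the hunk already admits, so a failed write is only noticed indirectly through the later read.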
>
>@@ -345,27 +442,36 @@
> backend->connection = *origin;
> backend->hostname = apr_pstrdup(c->pool, p_conn->name);
> backend->port = p_conn->port;
>-
>- if (backend->is_ssl) {
>- if (!ap_proxy_ssl_enable(backend->connection)) {
>- ap_log_error(APLOG_MARK, APLOG_ERR, 0,
>- r->server, "proxy: failed to enable ssl support "
>- "for %pI (%s)", p_conn->addr, p_conn->name);
>- return HTTP_INTERNAL_SERVER_ERROR;
>- }
>- }
>- else {
>- ap_proxy_ssl_disable(backend->connection);
>+ backend->does_use_http_connect = p_conn->does_use_http_connect ;
>+ if (backend->does_use_http_connect) {
>+ backend->web_server_host_name = apr_pstrdup(c->pool, uri->hostname) ;
>+ backend->web_server_port = uri->port ;
>+ }
>+
>+ if (p_conn->does_use_http_connect) {
>+ status = send_http_connect(p, r, p_conn, backend) ;
>+ }
>+
>+ if (backend->is_ssl) {
>+ if (!ap_proxy_ssl_enable(backend->connection)) {
>+ ap_log_error(APLOG_MARK, APLOG_ERR, 0,
>+ r->server, "proxy: failed to enable ssl support "
>+ "for %pI (%s)", p_conn->addr, p_conn->name);
>+ return HTTP_INTERNAL_SERVER_ERROR;
>+ }
>+ }
>+ else {
>+ ap_proxy_ssl_disable(backend->connection);
> }
>
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
> "proxy: connection complete to %pI (%s)",
> p_conn->addr, p_conn->name);
>
>- /* set up the connection filters */
>- ap_run_pre_connection(*origin, p_conn->sock);
>+ /* set up the connection filters */
>+ ap_run_pre_connection(*origin, p_conn->sock);
> }
>- return OK;
>+ return(status) ;
> }
>
> static
>@@ -1074,7 +1180,7 @@
>
> /* Step Two: Make the Connection */
> status = ap_proxy_http_create_connection(p, r, p_conn, c, &origin, backend,
>- conf, proxyname);
>+ conf, proxyname, uri) ;
> if ( status != OK ) {
> return status;
> }
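Review bot: In the hunk at -345 the result of `send_http_connect` is stored in `status` but not tested before `ap_proxy_ssl_enable` and `ap_run_pre_connection` run, so after a refused or malformed CONNECT reply the code still layers SSL onto the socket to the forward proxy and reports the failure only at the final `return(status)`. `backend->connection`, `backend->web_server_host_name` and `backend->web_server_port` are also recorded before the CONNECT is attempted, so the keepalive test added in the -252 hunk appears able to match this half-set-up connection on a later request for the same host and port. Return right after the call instead, e.g. `if (status != OK) { apr_socket_close(p_conn->sock); backend->connection = NULL; return status; }`. The exact cleanup should follow what the rest of ap_proxy_http_create_connection does on a failed connection, which lies outside the hunk.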
Attachments on
bug 19188
: 11552 |
21410
|
24975