authorstanda <standa@linux-1y8e.site>2015-09-30 21:45:38 +0200
committerRob Crittenden <rcritten@redhat.com>2015-10-02 16:51:57 -0400
commitaadb6021c55671a302920e4241c7619993af8a14 (patch)
tree208ca7ef575c347ed031fde2bf1c19cd2ce54ed1
parentb2be2cab9b0801d01dd6fe870341535bef4a704e (diff)
Send SNI extension mod_nss acts as a reverse proxy
-rw-r--r--nss_engine_io.c39
1 files changed, 39 insertions, 0 deletions
diff --git a/nss_engine_io.c b/nss_engine_io.c
index 1360748..b851b31 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -673,6 +673,37 @@ static apr_status_t nss_io_filter_cleanup(void *data)
return APR_SUCCESS;
}
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
+{
+ conn_rec *c = f->c;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ /*
+ * Enable SNI for backend requests. Make sure we don&#39;t do it for
+ * pure SSLv3 connections
+ */
+ if (sslconn->is_proxy) {
+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
+ if (hostname_note) {
+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
+ "Error setting SNI extension for SSL Proxy request: %d",
+ PR_GetError());
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "Can't set SNI extension: no hostname available";
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
static apr_status_t nss_io_filter_input(ap_filter_t *f,
apr_bucket_brigade *bb,
ap_input_mode_t mode,
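Review bot: The final `else` branch of nss_io_filter_handshake does not compile as written, because the `ap_log_error(` call that logs "Can't set SNI extension" ends in `";` where it needs `");`. That call and the success-path call above it pass `c` (a `conn_rec *`), while the failure-path call passes `c->base_server`; ap_log_error takes a `server_rec *`, so both should pass `c->base_server`, or use `ap_log_cerror` with `c`. The comment says SNI must not be sent on pure SSLv3 connections, but nothing in the body checks the protocol version, so either add that check or drop the sentence. `SSL_SetURL` returns a `SECStatus`, so comparing against `SECSuccess` would read more clearly than `== -1`.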
@@ -708,6 +739,10 @@ static apr_status_t nss_io_filter_input(ap_filter_t *f,
inctx->mode = mode;
inctx->block = block;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
if (is_init) {
/* protocol module needs to handshake before sending
* data to client (e.g. NNTP or FTP)
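Review bot: The `status != APR_SUCCESS` branch added here can never be taken, because nss_io_filter_handshake returns APR_SUCCESS on every path, including when `SSL_SetURL` fails. On a proxied connection the backend handshake then continues without the intended hostname set on the socket; if the backend certificate check depends on that value (worth confirming in the proxy's auth-certificate hook), the failure should be returned, for example `return APR_EGENERAL;` after the error log, rather than only logged at INFO. The call is also unconditional, so the URL is set again and an INFO line written on each pass through the filter; a per-connection "already set" flag would limit it to the first pass. Both points apply equally to the identical call added in nss_io_filter_output. nss_io_filter_input continues outside this hunk.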
@@ -829,6 +864,10 @@ static apr_status_t nss_io_filter_output(ap_filter_t *f,
inctx->mode = AP_MODE_READBYTES;
inctx->block = APR_BLOCK_READ;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
while (!APR_BRIGADE_EMPTY(bb)) {
apr_bucket *bucket = APR_BRIGADE_FIRST(bb);