From 935fcaceb70646cf9aaef3b96883dffa3d6d6d37 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Mon, 16 Apr 2018 08:44:11 +0100 Subject: [PATCH] Apply sslmultiproxy patch. --- httpd-2.4.33-sslmultiproxy.patch | 254 +++++++++++++++---------------- 1 file changed, 120 insertions(+), 134 deletions(-) diff --git a/httpd-2.4.33-sslmultiproxy.patch b/httpd-2.4.33-sslmultiproxy.patch index 5879134..679f229 100644 --- a/httpd-2.4.33-sslmultiproxy.patch +++ b/httpd-2.4.33-sslmultiproxy.patch @@ -1,140 +1,126 @@ -From 11f3375333ca795939d90e14a761f2f288034704 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 13 Apr 2018 11:14:57 -0400 -Subject: [PATCH] Update sslmultiproxy patch to work with 2.4.33 +From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 12 Apr 2018 14:36:28 -0400 +Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch --- - httpd-2.4.18-sslmultiproxy.patch | 85 +++++++++++++++++++++++++++------------- - 1 file changed, 58 insertions(+), 27 deletions(-) + modules/ssl/mod_ssl.c | 24 ++++++++++++++++++++++-- + modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++- + 2 files changed, 39 insertions(+), 3 deletions(-) -diff --git a/httpd-2.4.18-sslmultiproxy.patch b/httpd-2.4.18-sslmultiproxy.patch -index 3f00f3f..9e311ea 100644 ---- a/httpd-2.4.18-sslmultiproxy.patch -+++ b/httpd-2.4.18-sslmultiproxy.patch -@@ -1,53 +1,81 @@ -+From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001 -+From: Rob Crittenden -+Date: Thu, 12 Apr 2018 14:36:28 -0400 -+Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index 48d64cb..42e85a3 100644 +diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/ssl/mod_ssl.c +--- httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy ++++ httpd-2.4.33/modules/ssl/mod_ssl.c +@@ -444,12 +444,19 @@ + return OK; + } + ++static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable; ++static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set; + -+--- -+ modules/ssl/mod_ssl.c | 24 ++++++++++++++++++++++-- -+ modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++- -+ 2 files changed, 39 insertions(+), 3 deletions(-) + static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, + ap_conf_vector_t *per_dir_config) + { + SSLConnRec *sslconn = myConnConfig(c); + SSLSrvConfigRec *sc; + ++ if (othermod_engine_disable) { ++ othermod_engine_disable(c); ++ } + - diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c --index 717a694..a3ce718 100644 -+index 48d64cb..42e85a3 100644 - --- a/modules/ssl/mod_ssl.c - +++ b/modules/ssl/mod_ssl.c --@@ -395,6 +395,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c) -- return sslconn; -+@@ -444,12 +444,19 @@ static int ssl_hook_pre_config(apr_pool_t *pconf, -+ return OK; - } - --+static typeof(ssl_proxy_enable) *othermod_proxy_enable; - +static typeof(ssl_engine_disable) *othermod_engine_disable; -++static typeof(ssl_engine_set) *othermod_engine_set; - + -- int ssl_proxy_enable(conn_rec *c) -+ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c, -+ ap_conf_vector_t *per_dir_config) - { -- SSLSrvConfigRec *sc; --@@ -403,6 +406,12 @@ int ssl_proxy_enable(conn_rec *c) -- sc = mySrvConfig(sslconn->server); -- -- if (!sc->proxy_enabled) { --+ if (othermod_proxy_enable) { --+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, --+ "mod_ssl proxy not configured, passing through to other module."); --+ return othermod_proxy_enable(c); --+ } --+ -- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961) -- "SSL Proxy requested for %s but not enabled " -- "[Hint: SSLProxyEngine]", sc->vhost_id); --@@ -422,6 +431,10 @@ int ssl_engine_disable(conn_rec *c) -- - SSLConnRec *sslconn = myConnConfig(c); -+ SSLSrvConfigRec *sc; - - + if (othermod_engine_disable) { - + othermod_engine_disable(c); - + } - + - if (sslconn) { -- sc = mySrvConfig(sslconn->server); -+ return sslconn; - } --@@ -621,6 +634,9 @@ static void ssl_register_hooks(apr_pool_t *p) -- ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE); -+@@ -508,6 +515,10 @@ static int ssl_engine_set(conn_rec *c, -+ { -+ SSLConnRec *sslconn; -+ int status; -++ -++ if (othermod_engine_set) { -++ return othermod_engine_set(c, per_dir_config, proxy, enable); -++ } -+ -+ if (proxy) { -+ sslconn = ssl_init_connection_ctx(c, per_dir_config); -+@@ -537,12 +548,18 @@ static int ssl_engine_set(conn_rec *c, -+ -+ static int ssl_proxy_enable(conn_rec *c) -+ { -+- return ssl_engine_set(c, NULL, 1, 1); -++ if (othermod_engine_set) -++ return othermod_engine_set(c, NULL, 1, 1); -++ else -++ return ssl_engine_set(c, NULL, 1, 1); -+ } -+ -+ static int ssl_engine_disable(conn_rec *c) -+ { -+- return ssl_engine_set(c, NULL, 0, 0); -++ if (othermod_engine_set) -++ return othermod_engine_set(c, NULL, 0, 0); -++ else -++ return ssl_engine_set(c, NULL, 0, 0); -+ } -+ -+ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) -+@@ -730,6 +747,9 @@ static void ssl_register_hooks(apr_pool_t *p) -+ APR_HOOK_MIDDLE); - - ssl_var_register(p); - + --+ othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable); - + othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); -++ othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set); - - APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); - APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); - diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c --index a6b0d0d..24fd8c7 100644 -+index a28d4dd..caf7131 100644 - --- a/modules/ssl/ssl_engine_vars.c - +++ b/modules/ssl/ssl_engine_vars.c - @@ -54,6 +54,8 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char -@@ -80,7 +108,7 @@ index a6b0d0d..24fd8c7 100644 - APR_REGISTER_OPTIONAL_FN(ssl_is_https); - APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); - APR_REGISTER_OPTIONAL_FN(ssl_ext_list); --@@ -272,6 +279,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, -+@@ -271,6 +278,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, - */ - if (result == NULL && c != NULL) { - SSLConnRec *sslconn = ssl_get_effective_config(c); -@@ -96,3 +124,6 @@ index a6b0d0d..24fd8c7 100644 - if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) - && sslconn && sslconn->ssl) - result = ssl_var_lookup_ssl(p, sslconn, r, var+4); -+-- -+2.14.3 + if (sslconn) { + return sslconn; + } +@@ -508,6 +515,10 @@ + { + SSLConnRec *sslconn; + int status; + --- -2.13.6 - ++ if (othermod_engine_set) { ++ return othermod_engine_set(c, per_dir_config, proxy, enable); ++ } + + if (proxy) { + sslconn = ssl_init_connection_ctx(c, per_dir_config); +@@ -537,12 +548,18 @@ + + static int ssl_proxy_enable(conn_rec *c) + { +- return ssl_engine_set(c, NULL, 1, 1); ++ if (othermod_engine_set) ++ return othermod_engine_set(c, NULL, 1, 1); ++ else ++ return ssl_engine_set(c, NULL, 1, 1); + } + + static int ssl_engine_disable(conn_rec *c) + { +- return ssl_engine_set(c, NULL, 0, 0); ++ if (othermod_engine_set) ++ return othermod_engine_set(c, NULL, 0, 0); ++ else ++ return ssl_engine_set(c, NULL, 0, 0); + } + + int ssl_init_ssl_connection(conn_rec *c, request_rec *r) +@@ -730,6 +747,9 @@ + APR_HOOK_MIDDLE); + + ssl_var_register(p); ++ ++ othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable); ++ othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set); + + APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); + APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); +diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/modules/ssl/ssl_engine_vars.c +--- httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy ++++ httpd-2.4.33/modules/ssl/ssl_engine_vars.c +@@ -54,6 +54,8 @@ + static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); + static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); + static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); ++static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https; ++static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup; + + static SSLConnRec *ssl_get_effective_config(conn_rec *c) + { +@@ -68,7 +70,9 @@ + static int ssl_is_https(conn_rec *c) + { + SSLConnRec *sslconn = ssl_get_effective_config(c); +- return sslconn && sslconn->ssl; ++ ++ return (sslconn && sslconn->ssl) ++ || (othermod_is_https && othermod_is_https(c)); + } + + static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION; +@@ -137,6 +141,9 @@ + { + char *cp, *cp2; + ++ othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https); ++ othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); ++ + APR_REGISTER_OPTIONAL_FN(ssl_is_https); + APR_REGISTER_OPTIONAL_FN(ssl_var_lookup); + APR_REGISTER_OPTIONAL_FN(ssl_ext_list); +@@ -271,6 +278,15 @@ + */ + if (result == NULL && c != NULL) { + SSLConnRec *sslconn = ssl_get_effective_config(c); ++ ++ if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) ++ && (!sslconn || !sslconn->ssl) && othermod_var_lookup) { ++ /* For an SSL_* variable, if mod_ssl is not enabled for ++ * this connection and another SSL module is present, pass ++ * through to that module. */ ++ return othermod_var_lookup(p, s, c, r, var); ++ } ++ + if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) + && sslconn && sslconn->ssl) + result = ssl_var_lookup_ssl(p, sslconn, r, var+4);