Apply sslmultiproxy patch.

2018-04-16 08:44:11 +01:00 · 2018-04-16 08:44:11 +01:00 · 935fcaceb7
commit 935fcaceb7
parent 480519c1a7
1 changed files with 120 additions and 134 deletions
--- a/httpd-2.4.33-sslmultiproxy.patch
+++ b/httpd-2.4.33-sslmultiproxy.patch
@ -1,140 +1,126 @@
-From 11f3375333ca795939d90e14a761f2f288034704 Mon Sep 17 00:00:00 2001
+From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
+From: Rob Crittenden <rcrit@cow.greyoak.com>
-Date: Fri, 13 Apr 2018 11:14:57 -0400
+Date: Thu, 12 Apr 2018 14:36:28 -0400
-Subject: [PATCH] Update sslmultiproxy patch to work with 2.4.33
+Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch
 ---
- httpd-2.4.18-sslmultiproxy.patch | 85 +++++++++++++++++++++++++++-------------
+ modules/ssl/mod_ssl.c         | 24 ++++++++++++++++++++++--
- 1 file changed, 58 insertions(+), 27 deletions(-)
+ modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++-
 2 files changed, 39 insertions(+), 3 deletions(-)
-diff --git a/httpd-2.4.18-sslmultiproxy.patch b/httpd-2.4.18-sslmultiproxy.patch
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
-index 3f00f3f..9e311ea 100644
+index 48d64cb..42e85a3 100644
--- a/httpd-2.4.18-sslmultiproxy.patch
+diff -uap httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy httpd-2.4.33/modules/ssl/mod_ssl.c
-+++ b/httpd-2.4.18-sslmultiproxy.patch
+--- httpd-2.4.33/modules/ssl/mod_ssl.c.sslmultiproxy
-@@ -1,53 +1,81 @@
+++ httpd-2.4.33/modules/ssl/mod_ssl.c
-+From ce2d1d7d4b2bebe34cf37fdeb30d35050092c5b5 Mon Sep 17 00:00:00 2001
+@@ -444,12 +444,19 @@
-+From: Rob Crittenden <rcrit@cow.greyoak.com>
+     return OK;
-+Date: Thu, 12 Apr 2018 14:36:28 -0400
+ }
-+Subject: [PATCH] httpd-2.4.18-sslmultiproxy.patch
+ 
 +static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
 +static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *othermod_engine_set;
 +
-+---
+ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
-+ modules/ssl/mod_ssl.c         | 24 ++++++++++++++++++++++--
+                                            ap_conf_vector_t *per_dir_config)
-+ modules/ssl/ssl_engine_vars.c | 18 +++++++++++++++++-
+ {
-+ 2 files changed, 39 insertions(+), 3 deletions(-)
+     SSLConnRec *sslconn = myConnConfig(c);
     SSLSrvConfigRec *sc;
 +    if (othermod_engine_disable) {
 +        othermod_engine_disable(c);
 +    }
 +
- diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+     if (sslconn) {
-index 717a694..a3ce718 100644
+         return sslconn;
-+index 48d64cb..42e85a3 100644
+     }
- --- a/modules/ssl/mod_ssl.c
+@@ -508,6 +515,10 @@
- +++ b/modules/ssl/mod_ssl.c
+ {
-@@ -395,6 +395,9 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c)
+     SSLConnRec *sslconn;
-     return sslconn;
+     int status;
 +@@ -444,12 +444,19 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
 +     return OK;
  }
 -+static typeof(ssl_proxy_enable) *othermod_proxy_enable;
 +static typeof(ssl_engine_disable) *othermod_engine_disable;
 ++static typeof(ssl_engine_set) *othermod_engine_set;
 +
 - int ssl_proxy_enable(conn_rec *c)
 + static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
 +                                            ap_conf_vector_t *per_dir_config)
  {
 -     SSLSrvConfigRec *sc;
 -@@ -403,6 +406,12 @@ int ssl_proxy_enable(conn_rec *c)
 -     sc = mySrvConfig(sslconn->server);
 - 
 -     if (!sc->proxy_enabled) {
 -+        if (othermod_proxy_enable) {
 -+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
 -+                          "mod_ssl proxy not configured, passing through to other module.");
 -+            return othermod_proxy_enable(c);
 -+        }
 -+
 -         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
 -                       "SSL Proxy requested for %s but not enabled "
 -                       "[Hint: SSLProxyEngine]", sc->vhost_id);
 -@@ -422,6 +431,10 @@ int ssl_engine_disable(conn_rec *c)
 - 
      SSLConnRec *sslconn = myConnConfig(c);
 +     SSLSrvConfigRec *sc;
 +    if (othermod_engine_disable) {
 +        othermod_engine_disable(c);
 +    }
 +
      if (sslconn) {
 -         sc = mySrvConfig(sslconn->server);
 +         return sslconn;
      }
 -@@ -621,6 +634,9 @@ static void ssl_register_hooks(apr_pool_t *p)
 -     ap_hook_post_read_request(ssl_hook_ReadReq, pre_prr,NULL, APR_HOOK_MIDDLE);
 +@@ -508,6 +515,10 @@ static int ssl_engine_set(conn_rec *c,
 + {
 +     SSLConnRec *sslconn;
 +     int status;
 ++
 ++    if (othermod_engine_set) {
 ++        return othermod_engine_set(c, per_dir_config, proxy, enable);
 ++    }
 +     
 +     if (proxy) {
 +         sslconn = ssl_init_connection_ctx(c, per_dir_config);
 +@@ -537,12 +548,18 @@ static int ssl_engine_set(conn_rec *c,
 + 
 + static int ssl_proxy_enable(conn_rec *c)
 + {
 +-    return ssl_engine_set(c, NULL, 1, 1);
 ++    if (othermod_engine_set)
 ++        return othermod_engine_set(c, NULL, 1, 1);
 ++    else
 ++        return ssl_engine_set(c, NULL, 1, 1);
 + }
 + 
 + static int ssl_engine_disable(conn_rec *c)
 + {
 +-    return ssl_engine_set(c, NULL, 0, 0);
 ++    if (othermod_engine_set)
 ++        return othermod_engine_set(c, NULL, 0, 0);
 ++    else
 ++        return ssl_engine_set(c, NULL, 0, 0);
 + }
 + 
 + int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
 +@@ -730,6 +747,9 @@ static void ssl_register_hooks(apr_pool_t *p)
 +                       APR_HOOK_MIDDLE);
      ssl_var_register(p);
 +    
 -+    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
 +    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
 ++    othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
      APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
      APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
 -index a6b0d0d..24fd8c7 100644
 +index a28d4dd..caf7131 100644
 --- a/modules/ssl/ssl_engine_vars.c
 +++ b/modules/ssl/ssl_engine_vars.c
 @@ -54,6 +54,8 @@ static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char
@@ -80,7 +108,7 @@ index a6b0d0d..24fd8c7 100644
      APR_REGISTER_OPTIONAL_FN(ssl_is_https);
      APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
      APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
 -@@ -272,6 +279,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
 +@@ -271,6 +278,15 @@ char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r,
       */
      if (result == NULL && c != NULL) {
          SSLConnRec *sslconn = ssl_get_effective_config(c);
@@ -96,3 +124,6 @@ index a6b0d0d..24fd8c7 100644
          if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
              && sslconn && sslconn->ssl)
              result = ssl_var_lookup_ssl(p, sslconn, r, var+4);
 +-- 
 +2.14.3
 +
-- 
+    if (othermod_engine_set) {
-2.13.6
+        return othermod_engine_set(c, per_dir_config, proxy, enable);
-
+    }
     if (proxy) {
         sslconn = ssl_init_connection_ctx(c, per_dir_config);
@@ -537,12 +548,18 @@
 static int ssl_proxy_enable(conn_rec *c)
 {
 -    return ssl_engine_set(c, NULL, 1, 1);
 +    if (othermod_engine_set)
 +        return othermod_engine_set(c, NULL, 1, 1);
 +    else
 +        return ssl_engine_set(c, NULL, 1, 1);
 }
 static int ssl_engine_disable(conn_rec *c)
 {
 -    return ssl_engine_set(c, NULL, 0, 0);
 +    if (othermod_engine_set)
 +        return othermod_engine_set(c, NULL, 0, 0);
 +    else
 +        return ssl_engine_set(c, NULL, 0, 0);
 }
 int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
@@ -730,6 +747,9 @@
                       APR_HOOK_MIDDLE);
     ssl_var_register(p);
 +    
 +    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
 +    othermod_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 diff -uap httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy httpd-2.4.33/modules/ssl/ssl_engine_vars.c
 --- httpd-2.4.33/modules/ssl/ssl_engine_vars.c.sslmultiproxy
 +++ httpd-2.4.33/modules/ssl/ssl_engine_vars.c
@@ -54,6 +54,8 @@
 static void  ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize);
 static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var);
 static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl);
 +static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
 +static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
 static SSLConnRec *ssl_get_effective_config(conn_rec *c)
 {
@@ -68,7 +70,9 @@
 static int ssl_is_https(conn_rec *c)
 {
     SSLConnRec *sslconn = ssl_get_effective_config(c);
 -    return sslconn && sslconn->ssl;
 +
 +    return (sslconn && sslconn->ssl)
 +        || (othermod_is_https && othermod_is_https(c));
 }
 static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
@@ -137,6 +141,9 @@
 {
     char *cp, *cp2;
 +    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
 +    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
 +
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
     APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
@@ -271,6 +278,15 @@
      */
     if (result == NULL && c != NULL) {
         SSLConnRec *sslconn = ssl_get_effective_config(c);
 +
 +        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
 +            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
 +            /* For an SSL_* variable, if mod_ssl is not enabled for
 +             * this connection and another SSL module is present, pass
 +             * through to that module. */
 +            return othermod_var_lookup(p, s, c, r, var);
 +        }
 +
         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
             && sslconn && sslconn->ssl)
             result = ssl_var_lookup_ssl(p, sslconn, r, var+4);