let proxy handler forward ALPN protocol strings for ssl proxy connections

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729208 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2016-02-08 16:50:07 +00:00
parent 49e969e57b
commit a5511fe280
2 changed files with 39 additions and 1 deletions
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -2717,6 +2717,8 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,

    if (conn->sock) {
        if (!(connected = ap_proxy_is_socket_connected(conn->sock))) {
+            /* FIXME: this loses conn->ssl_hostname and it will not be
+             * restablished before the SSL connection is made -> no SNI! */
            socket_cleanup(conn);
            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951)
                         "%s: backend socket is disconnected.",
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1146,12 +1146,48 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 #endif
        const char *hostname_note = apr_table_get(c->notes,
                                                  "proxy-request-hostname");
+        const char *alpn_note;
        BOOL proxy_ssl_check_peer_ok = TRUE;
        int post_handshake_rc = OK;

        sc = mySrvConfig(server);

 #ifdef HAVE_TLSEXT
+#ifdef HAVE_TLS_ALPN
+        alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
+        if (alpn_note) {
+            char *protos, *s, *p, *last;
+            apr_size_t len;
+            
+            s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
+            p = apr_pstrdup(c->pool, alpn_note);
+            while ((p = apr_strtok(p, ", ", &last))) {
+                len = last - p - (*last? 1 : 0); 
+                if (len > 255) {
+                    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO()
+                                  "ALPN proxy protocol identifier too long: %s",
+                                  p);
+                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
+                    return APR_EGENERAL;
+                }
+                *s++ = (unsigned char)len;
+                while (len--) {
+                    *s++ = *p++;
+                }
+                p = last;
+            }
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c, 
+                          "setting alpn protos from '%s', protolen=%d", 
+                          alpn_note, (int)(s - protos));
+            if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl, 
+                                                   (unsigned char *)protos, 
+                                                   s - protos)) {
+                ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
+                              "error setting alpn protos from '%s'", alpn_note);
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+            }
+        }
+#endif /* defined HAVE_TLS_ALPN */
        /*
         * Enable SNI for backend requests. Make sure we don't do it for
         * pure SSLv3 connections, and also prevent IP addresses
@@ -1176,7 +1212,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
                ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
            }
        }
-#endif
+#endif /* defined HAVE_TLSEXT */

        if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02003)