httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 29744] CONNECT does not work over existing SSL connection
Date Sun, 13 Sep 2009 23:08:23 GMT

--- Comment #94 from Brad Boyer <> 2009-09-13 16:08:08 PDT ---
(In reply to comment #93)
> The old code uses direct socket communication to the client *and* to the
> backend.
> In order to get the connection to the client encrypted the communication to the
> client needed to be changed to go through the httpd connection filter stack
> which
> brings mod_ssl and its features in the game. I don't argue with this.
> My point is the communication to the backend: There is *no* SSL encryption from
> httpd side here, on the contrary it is explicitly turned off by calling
> ap_proxy_ssl_disable(backconn). So where is the point of shoving all the data
> through the filter stack when we do *not* want the filters to touch the data?

As the author of the first version of the patch, I'd like to add some
justification. There were two reasons I considered for wanting the full
connection and filter stack on the back connection.

The original reason is that I liked the symmetry of it. That's not a great
justification, but it really is why I did it that way initially.

After some thought, I realized it should be possible to allow SSL on the
backconn as well. However, I didn't really have the time to spend doing that
properly. It would have needed some extra care to make sure that the backconn
was only SSL when that was desired. I was too lazy to do the more complete set
of work that would have allowed that, but I didn't want to make it harder for
someone in the future.

The original usage I had was one where the httpd setup was effectively being
used as a poor man's VPN. Because of this, the link from the real client to the
proxy in httpd was untrusted, but everything behind it was trusted. Other
people might want to use it as a proxy with untrusted networks on both sides.
I'm sure that's a relatively obscure usage by comparison, but it should be
possible with a few more changes.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message