httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <>
Subject Making mod_proxy_http more aware of SSL
Date Thu, 25 Nov 2010 05:03:33 GMT
    I opened up bug 50332 to attach/document these patches. The patch 
causes mod_ssl to create a note on the conn_req which is checked by 
mod_proxy_http when it attempts to pass the request. The intent is for 
mod_proxy_http to realize that an SSL handshake error has occurred and 
mark the worker out of service.

    This is a huge step forward in that mod_proxy will not be oblivious 
to the failed SSL connection and can take a worker out of service, 
however... it's not all roses. I don't know what it would take (or if 
it's even possible since mod_ssl and mod_proxy run in very separate 
filters), but it would be really great if mod_proxy in general were 
aware of handshake failures before it ever attempts to submit a request 
to the backend. I would envision this enlightenment to come at "/* Step 
Two: Make the Connection */" in modules/proxy/mod_proxy_http.c.


If the great minds of this mail list deem these patches acceptable, here 
is the proposed patch to 2.2 STATUS:
Index: httpd-2.2.x/STATUS
--- httpd-2.2.x/STATUS  (revision 1037345)
+++ httpd-2.2.x/STATUS  (working copy)
@@ -184,6 +184,14 @@
       enabling/disabling the basic capability is not split out into 
mod_unixd 2.2.x.
       +1: trawick

+   * mod_proxy_http: Become aware of ssl handshake failures when attempting
+     to pass request. Makes it so workers are put in error state when a
+     handshake failure is encountered.
+     PR50332
+     Trunk patch:
+     2.2.x patch:
+     druggeri: Need doc update?

    * core: Support wildcards in both the directory and file components of

A tag in CHANGES would be appreciated:
   *) Proxy: Detect SSL handshake failures during proxy pass attempts 
and place backend in error state. PR 50332.  [Daniel Ruggeri <DRuggeri>]

Daniel Ruggeri

View raw message