httpd-modules-dev mailing list archives

From Tom Evans <tevans...@googlemail.com>
Subject Re: mod_ssl dynamic configuration project
Date Wed, 27 Mar 2013 17:19:11 GMT
On Tue, Mar 26, 2013 at 8:25 PM, Tim Traver <tt-list@simplenet.com> wrote:
> Hi all,
>
> ok, I just wanted to start here, because this seems like the place.
>
> I know this is going to meet a lot of resistance, but here is my crazy idea.
>
> I'd like to figure out a way to dynamically retrieve the SSL keys for
> particular IP connections from the filesystem without having to have a
> configuration directive for each one.
>
> So, something like this kind of flow:
>
> 1) Request comes in to open an SSL connection on a particular IP
> 2) mod_ssl first looks in its memory table to see if it already has the
> public and private key configs
> 3) If not, it uses the IP as a location on disk to retrieve the keys into
> memory (like /private/keys/205.34.56.78/host.key and host.crt)
> 4) mod_ssl then uses that and goes along its merry way encrypting
>
> I know there are some issues to solve
>
> 1) Security of the keys. Normally they are owned by a more privileged user
> than the web server is running as and get read in before apache changes its
> ownership. I may be able to get around this by having a wrapper to retrieve
> the key as the privileged owner, or have them located in a database on
> another machine...
> 2) It would have to be a smart enough chunk of code to determine whether
> there is a CA cert as well.
>
> The benefits:
>
> 1) No need for config files to specify certs for each of the IPs!
> 2) Very fast startup
> 3) Scales very easily
>
> The downsides:
>
> 1) Delay going to disk the first time to get the keys when a request comes in.
> 2) Security issues on safety of key locations and or retrieval.
>
> I think the benefits outweigh the downsides in this case, which is why I am
> pursuing it.
>
> Any comments? Concerns? Ideas on perhaps a way to write a module separate
> from changing mod_ssl that had hooks in the right places?
>
> Does anyone know if there are hooks to get in front of the SSL connection?
>
> I'd rather write a fresh module than be changing the mod_ssl stuff...
>
> Thanks,
>
> Tim
>

Have a look at mod_vhost_alias, which does things like this, except
not in combination with SSL. E.g.:

VirtualDocumentRootIP /var/www/%0/htdocs

You could potentially extend this to also set up mod_ssl as well.

Cheers

Tom
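
As an added illustration of the lookup flow Tim sketches in the quoted
message (memory table first, then /private/keys/<ip>/host.key and host.crt,
with an optional CA chain file), here is a small Python model. It is not code
from this thread, from httpd or from mod_ssl; the PerIpKeyStore class, the
chain.crt file name and the build_demo_store() sample tree are assumptions
for illustration. Beyond what the message says, it canonicalises the address
before using it as a path component and refuses a private key whose mode is
group or world accessible, since those are the two checks a reviewer would
ask for first.

```python
"""Added example, not code from the thread or from httpd/mod_ssl: a model of
per-IP key lookup with an in-memory table in front of the filesystem. The
base directory, the names host.key/host.crt/chain.crt and PerIpKeyStore are
assumptions for illustration."""
import ipaddress
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyMaterial:
    key_path: str
    cert_path: str
    chain_path: Optional[str]  # None when the directory has no CA chain file


class PerIpKeyStore:
    """Resolve the key pair for a listening IP, going to disk only once per IP."""

    def __init__(self, base_dir: str):
        self.base_dir = base_dir
        self._cache: Dict[str, KeyMaterial] = {}
        self.disk_loads = 0  # counts the "first time" trips to disk

    def lookup(self, ip_text: str) -> KeyMaterial:
        # Canonicalise the address before it becomes a path component:
        # "2001:DB8:0:0::1" and "2001:db8::1" must map to one directory, and
        # anything that is not an address (e.g. "../etc") raises ValueError
        # here instead of reaching the filesystem.
        ip = str(ipaddress.ip_address(ip_text))
        hit = self._cache.get(ip)
        if hit is not None:
            return hit  # step 2: already in the memory table
        # step 3: derive the on-disk location from the address
        ip_dir = os.path.join(self.base_dir, ip)
        key_path = os.path.join(ip_dir, "host.key")
        cert_path = os.path.join(ip_dir, "host.crt")
        chain_path = os.path.join(ip_dir, "chain.crt")
        for required in (key_path, cert_path):
            if not os.path.isfile(required):
                raise FileNotFoundError(required)
        _require_private(key_path)
        material = KeyMaterial(
            key_path, cert_path, chain_path if os.path.isfile(chain_path) else None
        )
        self.disk_loads += 1
        self._cache[ip] = material
        return material


def _require_private(path: str) -> None:
    """Refuse a private key that is readable or writable by group or others."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(mode))} is too open")


def build_demo_store() -> PerIpKeyStore:
    """Build a constructed sample tree in a temp directory (placeholder files,
    not real keys): one IP with a chain file, one without, and one whose key
    was left world-readable."""
    base = tempfile.mkdtemp(prefix="perip-keys-")
    layout = {
        "205.34.56.78": (0o600, True),   # key + cert + chain
        "2001:db8::1": (0o600, False),   # key + cert, no chain
        "198.51.100.9": (0o644, False),  # key mode too open
    }
    for ip, (key_mode, with_chain) in layout.items():
        ip_dir = os.path.join(base, ip)
        os.makedirs(ip_dir, mode=0o700)
        names = ["host.key", "host.crt"] + (["chain.crt"] if with_chain else [])
        for name in names:
            path = os.path.join(ip_dir, name)
            with open(path, "w") as fh:
                fh.write(f"placeholder {name} for {ip}\n")
            os.chmod(path, key_mode if name == "host.key" else 0o644)
    return PerIpKeyStore(base)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.lookup("205.34.56.78"))
    print(store.lookup("2001:DB8:0:0::1"))  # resolves to the 2001:db8::1 dir
    print("disk loads:", store.disk_loads)
```

Note that the table lives in the process that does the lookup, so under a
prefork MPM every child pays the first-time disk read separately, and the
mode check only narrows Tim's first concern rather than removing it: the
unprivileged worker must still be able to read the key, which is exactly the
trade-off he names.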
