Subject: Re: mod_ssl dynamic configuration project
From: Tom Evans
To: modules-dev@httpd.apache.org
Date: Wed, 27 Mar 2013 17:19:11 +0000
In-Reply-To: <51520450.7070405@simplenet.com>

On Tue, Mar 26, 2013 at 8:25 PM, Tim Traver wrote:
> Hi all,
>
> OK, I just wanted to start here, because this seems like the place.
>
> I know this is going to meet a lot of resistance, but here is my crazy idea.
>
> I'd like to figure out a way to dynamically retrieve the SSL keys for
> particular IP connections from the filesystem without having to have a
> configuration directive for each one.
>
> So, something like this kind of flow:
>
> 1) Request comes in to open an SSL connection on a particular IP
> 2) mod_ssl first looks in its memory table to see if it already has the
>    public and private key configs
> 3) If not, it uses the IP as a location on disk to retrieve the keys into
>    memory (like /private/keys/205.34.56.78/host.key and host.crt)
> 4) mod_ssl then uses that and goes along its merry way encrypting
>
> I know there are some issues to solve:
>
> 1) Security of the keys. Normally they are owned by a more privileged user
>    than the web server is running as and get read in before Apache changes its
>    ownership. I may be able to get around this by having a wrapper to retrieve
>    the key as the privileged owner, or have them located in a database on
>    another machine...
> 2) It would have to be a smart enough chunk of code to determine if there
>    is a CA cert as well.
>
> The benefits:
>
> 1) No need for config files to specify certs for each of the IPs!
> 2) Very fast startup
> 3) Scales very easily
>
> The downsides:
>
> 1) Delay going to disk the first time to get the keys when a request comes in.
> 2) Security issues on the safety of key locations and/or retrieval.
>
> I think the benefits outweigh the downsides in this case, which is why I am
> pursuing it.
>
> Any comments? Concerns? Ideas on perhaps a way to write a module separate
> from changing mod_ssl that had hooks in the right places?
>
> Does anyone know if there are hooks to get in front of the SSL connection?
>
> I'd rather write a fresh module than be changing the mod_ssl stuff...
>
> Thanks,
>
> Tim
>

Have a look at mod_vhost_alias, which does things like this, except not in
combination with SSL. E.g.:

VirtualDocumentRootIP /var/www/%0/htdocs

You could potentially extend this to also set up mod_ssl as well.

Cheers

Tom
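An added example, not from this thread or from httpd's own code, of the per-IP lookup step Tim describes, written in Python: it maps a canonicalised listening address to /private/keys/<ip>/, keeps an in-memory table of resolved entries, reports a missing or group/world-readable key file (his concern 1) and detects whether an optional CA certificate is present (his concern 2). The file name `ca.crt`, the `build_sample_root` helper and the placeholder file contents are assumptions of this example.

```python
import ipaddress
import os
import stat
import tempfile
from pathlib import Path

# Layout from the proposal: /private/keys/<ip>/host.key and host.crt.
# "ca.crt" for the optional CA certificate is an assumption of this example.
KEY_ROOT = Path("/private/keys")
_cache: dict = {}  # step 2 of the proposed flow: in-memory table keyed by IP


def lookup_ip_keys(ip: str, key_root: Path = KEY_ROOT) -> dict:
    """Resolve key material for one listening IP, consulting the cache first.

    Returns {"key", "cert", "ca", "problems"}; "problems" lists missing files
    and unsafe permissions so the caller can refuse to serve that address.
    """
    cache_key = (str(key_root), ip)
    if cache_key in _cache:
        return _cache[cache_key]
    # Canonicalise via ipaddress: anything that is not an address raises
    # ValueError, so only "a.b.c.d" or a compressed IPv6 form becomes a path
    # component (no "..", no separators).
    ip_dir = key_root / str(ipaddress.ip_address(ip))
    key, crt, ca = ip_dir / "host.key", ip_dir / "host.crt", ip_dir / "ca.crt"
    problems = [f"missing {f.name}" for f in (key, crt) if not f.is_file()]
    if key.is_file():
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"host.key mode {mode:04o} is group/world accessible")
    result = {"key": key, "cert": crt, "ca": ca if ca.is_file() else None,
              "problems": problems}
    if not problems:  # never cache an entry that must not be served
        _cache[cache_key] = result
    return result


def build_sample_root() -> Path:
    """Constructed sample tree (placeholder text, not real keys): one address
    laid out correctly with a CA file, one with a world-readable key and no CA."""
    root = Path(tempfile.mkdtemp(prefix="keys-"))
    for ip, mode, with_ca in (("205.34.56.78", 0o600, True), ("10.0.0.5", 0o644, False)):
        d = root / ip
        d.mkdir()
        for name in ["host.key", "host.crt"] + (["ca.crt"] if with_ca else []):
            (d / name).write_text(f"constructed placeholder for {name}\n")
        os.chmod(d / "host.key", mode)  # the key file is what must stay private
    return root
```

The permission check is the piece a privileged key-loading wrapper would still need, whatever process ends up reading the files.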