httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sorin Manolache <sor...@gmail.com>
Subject Re: How to create ssl backend connections in a module?
Date Thu, 29 Jun 2017 21:17:27 GMT
On 2017-06-29 19:36, Christoph Rabel wrote:
> Hi,
> 
> I have written an apache module that sometimes connects to a backend
> server. Currently it does that through http, open a socket, send a get
> request, get a response, process it. Nothing special.
> 
> Now we need to support https too and I am wondering, how that could be
> accomplished.
> Should I use openssl directly? Does that work? Are there any helper
> functions I could use?
> 
> I tried to find examples, but it is quite difficult since most of the
> examples cover configuration of ssl, not implementation of a ssl socket.
> 
> I was also looking at mod_proxy but I don't understand how that stuff with
> the worker works. It's a lot of code and in the end I just need to open an
> ssl socket and I guess I can do the rest the same way as before.
> 
> Any hints are appreciated.
> I should support Apache 2.2, but I might be able to weaken that to support
> only Apache 2.4, if that makes a huge difference.

How do you do it now, in plain http? I see two or three ways in which 
you do it: using apache subrequests (ap_sub_req_method_uri), using 
mod_proxy (no code, just conf, like ProxyPass), using a 3rd-party 
library, such as libcurl or libneon for example.

Or do you do it "manually", i.e. using the syscalls 
socket/connect/write, you write to the socket and implement the http 
protocol?

The good news about the first three options is that they work with ssl 
without code modification. You just configure the URL of the backend and 
it recognizes https and performs the SSL handshake and communication.

In my opinion (but it depends on your use case), the best option is 
mod_proxy. Check this generic way of configuring it:

<Location /your_url>

RewriteEngine On

RewriteCond  some_condition
RewriteRule  .*      https://remote.host/path/to/remote/resource?args [P]
</Location>

<Proxy https://remote.host/path/to/remote/resource>
ProxyPass https://remote.host/path/to/remote/resource keepalive=On timeout=5
</Proxy>

Your module processes requests to /your_url. If it has to make the 
request to the backend, then it sets some apache note or environment 
variable. The value of this variable is then checked in the RewriteCond. 
If the condition is satisfied then the request to /your_url is proxied 
to the remote.host backend. The response of the backend is then sent to 
your client.

If you want to modify the response of the backend, or to send a 
completely different response to the client (and then you just use some 
data from the backend's response) then you write a filter and you 
activate it with the SetOutputFilter conf directive.

This setup works with http and https. You just put the right scheme in 
the URLs in the conf.

Hope this helps,
Sorin

> 
> Tia,
> 
> Christoph
> 


Mime
View raw message