From 7d272e2628b4ae05f68cdc74b070707250896a34 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Fri, 24 May 2019 07:54:42 +0000 Subject: [PATCH] Merge r1818726 from trunk: mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. PR 61857. Proposed by: Markus Gausling Reviewed by: ylavic, rjung, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1859844 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/http2/mod_proxy_http2.c | 8 -------- modules/proxy/mod_proxy_http.c | 10 ---------- modules/proxy/proxy_util.c | 7 +++++++ 4 files changed, 10 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index 5f7521eebba..3a691729eda 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.40 + *) mod_proxy: allow SSLProxyCheckPeer* usage for all proxy modules. + PR 61857. [Markus Gausling , Yann Ylavic] + *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39. PR 63325. [Yann Ylavic] diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c index 95336f75769..6da47312071 100644 --- a/modules/http2/mod_proxy_http2.c +++ b/modules/http2/mod_proxy_http2.c @@ -404,14 +404,6 @@ run_connect: */ apr_table_setn(ctx->p_conn->connection->notes, "proxy-request-alpn-protos", "h2"); - if (ctx->p_conn->ssl_hostname) { - ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctx->owner, - "set SNI to %s for (%s)", - ctx->p_conn->ssl_hostname, - ctx->p_conn->hostname); - apr_table_setn(ctx->p_conn->connection->notes, - "proxy-request-hostname", ctx->p_conn->ssl_hostname); - } } } diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c index 56af9a83313..2f2cef56008 100644 --- a/modules/proxy/mod_proxy_http.c +++ b/modules/proxy/mod_proxy_http.c 
@@ -1976,16 +1976,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker, if ((status = ap_proxy_connection_create_ex(proxy_function, backend, r)) != OK) break; - /* - * On SSL connections set a note on the connection what CN is - * requested, such that mod_ssl can check if it is requested to do - * so. - */ - if (backend->ssl_hostname) { - apr_table_setn(backend->connection->notes, - "proxy-request-hostname", - backend->ssl_hostname); - } } /* Step Four: Send the Request diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c index b131ec07f6b..77880de622c 100644 --- a/modules/proxy/proxy_util.c +++ b/modules/proxy/proxy_util.c @@ -3220,6 +3220,13 @@ static int proxy_connection_create(const char *proxy_function, backend_addr, conn->hostname); return HTTP_INTERNAL_SERVER_ERROR; } + if (conn->ssl_hostname) { + /* Set a note on the connection about what CN is requested, + * such that mod_ssl can check if it is requested to do so. + */ + apr_table_setn(conn->connection->notes, "proxy-request-hostname", + conn->ssl_hostname); + } } else { /* TODO: See if this will break FTP */ -- 2.47.3
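Review bot: The new `if (conn->ssl_hostname)` block in proxy_connection_create has no else path, so when ssl_hostname is unset the `proxy-request-hostname` note is silently absent and, going by the comment, mod_ssl then has no requested name to compare the backend certificate against. Every proxy module now depends on this one place for SSLProxyCheckPeer*, so the comment should state that case, e.g. `/* No note is set when ssl_hostname is NULL, so mod_ssl has no requested name to check the peer against. */`; mod_ssl's actual behaviour is outside this diff and should be confirmed. The comment also still says "CN" although the commit message names the whole SSLProxyCheckPeer* family, so "hostname" would be more accurate. The TRACE1 message removed from mod_proxy_http2.c (`set SNI to %s for (%s)`) gets no replacement here, and an equivalent trace line in this block would let operators confirm which name is being verified. proxy_connection_create starts and ends outside the hunk.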