httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christoph Rabel <>
Subject Re: How to create ssl backend connections in a module?
Date Sat, 01 Jul 2017 20:19:33 GMT
2017-06-29 23:17 GMT+02:00 Sorin Manolache <>:

> On 2017-06-29 19:36, Christoph Rabel wrote:
>> Hi,
>> I have written an apache module that sometimes connects to a backend
>> server. Currently it does that through http, open a socket, send a get
>> request, get a response, process it. Nothing special.
>> Now we need to support https too and I am wondering, how that could be
>> accomplished.
>> Should I use openssl directly? Does that work? Are there any helper
>> functions I could use?
>> I tried to find examples, but it is quite difficult since most of the
>> examples cover configuration of ssl, not implementation of a ssl socket.
>> I was also looking at mod_proxy but I don't understand how that stuff with
>> the worker works. It's a lot of code and in the end I just need to open an
>> ssl socket and I guess I can do the rest the same way as before.
>> Any hints are appreciated.
>> I should support Apache 2.2, but I might be able to weaken that to support
>> only Apache 2.4, if that makes a huge difference.
> How do you do it now, in plain http? I see two or three ways in which you
> do it: using apache subrequests (ap_sub_req_method_uri), using mod_proxy
> (no code, just conf, like ProxyPass), using a 3rd-party library, such as
> libcurl or libneon for example.
> Or do you do it "manually", i.e. using the syscalls socket/connect/write,
> you write to the socket and implement the http protocol?

I am currently doing it manually. I open socket with apr_socket_connect and
then I sent a short request. Not sure if it makes a difference, but the
response data is pretty small, just a few kb tops. I read the content with
a bucketbrigade and process the answer. Then I add a few headers to the
original request and it proceeds to the backend.

I am very interested in ap_sub_req_method_uri. I took a quick look at the
method, but I don't understand how to use it.
So, I write:
rec = ap_sub_req_method_uri ("GET", url, rec, null)

I don't run it, because that would not work without specifying a filter.

But it sends the request and I get the result? I guess, I can read the
response body then from the request to process it?
Documentation is a bit unclear here, could I add headers to the subrequest?
I currently add some auth headers to the get request. It is quite simple
when you create the http request manually, but I have no idea how i would
do that here. I could probably use post instead of headers + get too.

Afterwards I call ap_destroy_sub_req, I guess.

The good news about the first three options is that they work with ssl
> without code modification. You just configure the URL of the backend and it
> recognizes https and performs the SSL handshake and communication.
> In my opinion (but it depends on your use case), the best option is
> mod_proxy. Check this generic way of configuring it:

I am actually doing that currently. I send the get request to
localhost:8888 and proxy it to the backend. It has the added benefit, that
it allows me to loadbalance the backend connection. :-)

Alas, the requirement is to do it by code.

 Thanks, Christoph

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message