Changeset d827d0c in mod_gnutls


Timestamp:
May 30, 2020, 4:40:53 PM (4 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
411d286
Parents:
b14f6ae
Message:

Create cache keys for proxy session tickets

The key is based on the vhost name, backend server hostname (from SNI)
or IP, and its port. The vhost name is included because different
vhosts may have different settings for the same backend server. Post
handshake auth is not supported for proxy connections, so we do not
need to consider auth IDs.

Location:
src
Files:
3 edited

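--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1168,4 +1168,7 @@
                   __func__, dump.size);
     gnutls_free(dump.data);
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                  "%s: cache key for the session ticket is %s",
+                  __func__, mgs_proxy_ticket_id(ctxt, NULL));
     return GNUTLS_E_SUCCESS;
 }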
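Review bot: The debug log call added at new lines 1170-1172 evaluates `mgs_proxy_ticket_id(ctxt, NULL)` unconditionally, so the key string is formatted and allocated from the connection pool on every successful ticket even when the DEBUG message is filtered out by the log level, and that allocation lives until the connection pool is destroyed. Guarding the call with `if (APLOGcdebug(ctxt->c))` keeps the allocation on the debug path only. The enclosing function starts outside the hunk.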
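--- a/src/gnutls_proxy.c
+++ b/src/gnutls_proxy.c
@@ -1,4 +1,4 @@
 /*
- *  Copyright 2015-2019 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -294,16 +294,31 @@
 
 
-static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+/**
+ * Returns either a valid hostname for use with SNI, or NULL.
+ */
+static const char *get_proxy_sni_name(mgs_handle_t *ctxt)
 {
     /* Get peer hostname from note left by mod_proxy */
     const char *peer_hostname =
         apr_table_get(ctxt->c->notes, PROXY_SNI_NOTE);
+
     /* Used only as target for apr_ipsubnet_create() */
     apr_ipsubnet_t *probe;
-    /* Check if the note is present (!= NULL) and NOT an IP
-     * address */
-    if ((peer_hostname) != NULL
+    /* If the note is present (!= NULL) check that the value is NOT an
+     * IP address, which wouldn't be valid for SNI. */
+    if ((peer_hostname != NULL)
         && (apr_ipsubnet_create(&probe, peer_hostname, NULL, ctxt->c->pool)
-            != APR_SUCCESS))
+            == APR_SUCCESS))
+        return NULL;
+
+    return peer_hostname;
+}
+
+
+
+static void proxy_conn_set_sni(mgs_handle_t *ctxt)
+{
+    const char *peer_hostname = get_proxy_sni_name(ctxt);
+    if (peer_hostname != NULL)
     {
         int ret = gnutls_server_name_set(ctxt->session, GNUTLS_NAME_DNS,
@@ -381,4 +396,30 @@
 
 
+char *mgs_proxy_ticket_id(mgs_handle_t *ctxt, apr_pool_t *pool)
+{
+    apr_pool_t *tmp;
+    if (pool)
+        tmp = pool;
+    else
+        tmp = ctxt->c->pool;
+
+    /* c->client_addr->port and c->client_ip actually contain
+     * information on the remote server for outgoing proxy
+     * connections, prefer SNI hostname over IP.
+     *
+     * The server_hostname is used to tie the cache entry to a
+     * specific vhost, because different vhosts may have different
+     * settings for the same backend server.
+     */
+    const char *peer_hostname = get_proxy_sni_name(ctxt);
+    return apr_psprintf(
+        tmp, "proxy:%s:%s:%d",
+        ctxt->c->base_server->server_hostname,
+        peer_hostname ? peer_hostname : ctxt->c->client_ip,
+        ctxt->c->client_addr->port);
+}
+
+
+
 void mgs_set_proxy_handshake_ext(mgs_handle_t *ctxt)
 {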
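Review bot: The pool selection at the top of mgs_proxy_ticket_id (new lines 400-404) spells out a four-line if/else that reads more directly as `apr_pool_t *tmp = pool ? pool : ctxt->c->pool;`. A second, hedged point concerns the key format at new lines 415-419: the three fields are joined with ':' and the middle one comes straight from the mod_proxy note, which get_proxy_sni_name only rejects when it parses as an IP address, so two different backends could only share a key if a backend name were allowed to contain ':'; presumably the note always holds a plain DNS name, but a sentence in the comment stating that assumption would make it explicit for the next reader. The brace-only context line at new line 425 shows mgs_set_proxy_handshake_ext continuing outside the hunk.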
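--- a/src/gnutls_proxy.h
+++ b/src/gnutls_proxy.h
@@ -1,4 +1,4 @@
 /*
- *  Copyright 2015-2018 Fiona Klute
+ *  Copyright 2015-2020 Fiona Klute
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
@@ -42,3 +42,15 @@
 void mgs_set_proxy_handshake_ext(mgs_handle_t * ctxt);
 
+/**
+ * Create a cache key for a session ticket of a proxy connection.
+ *
+ * @param ctxt The proxy connection handle (mod_gnutls is client)
+ *
+ * @param pool Pool to allocate the string from, if `NULL` the
+ * connection pool is used
+ *
+ * @return string to be used as cache key
+ */
+char *mgs_proxy_ticket_id(mgs_handle_t *ctxt, apr_pool_t *pool);
+
 #endif /* __MOD_GNUTLS_PROXY_H__ */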
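Review bot: The new doc comment for mgs_proxy_ticket_id (new lines 44-53) does not state the lifetime of the returned string, nor that the key is derived from the connection's client_ip and client_addr->port, which the implementation in gnutls_proxy.c treats as the remote backend and so only holds for outgoing proxy connections. I would extend the return line to `@return string to be used as cache key, allocated from the chosen pool and valid for that pool's lifetime` and add to the ctxt description that it must be an outgoing proxy connection, since callers with a server-side handle would get a key built from the wrong endpoint. Both facts are visible in the corresponding hunk of gnutls_proxy.c, so the header should carry them rather than the reader having to open the implementation.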