Changeset f674424 in mod_gnutls

Timestamp:

Dec 12, 2018, 4:57:14 PM (4 years ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

asyncio, debian/master, main, master, proxy-ticket

Children:

0fcba60

Parents:

2038b76

Message:

First prototype of proxy ALPN support

The current code assumes that the "proxy-request-alpn-protos"
connection note will always contain exactly one protocol if present,
which is what mod_proxy_http2 does.

Files:

• src/gnutls_io.c (modified) (2 diffs)
• test/Makefile.am (modified) (1 diff)
• test/test-34_TLS_reverse_proxy_h2.bash (added)
• test/tests/34_TLS_reverse_proxy_h2/apache.conf (added)
• test/tests/34_TLS_reverse_proxy_h2/backend.conf (added)
• test/tests/34_TLS_reverse_proxy_h2/gnutls-cli.args (added)
• test/tests/34_TLS_reverse_proxy_h2/input (added)
• test/tests/34_TLS_reverse_proxy_h2/output (added)
• test/tests/Makefile.am (modified) (1 diff)

src/gnutls_io.c

@@ -19 +19 @@
 
 #include "mod_gnutls.h"
+#include <apr_strings.h>
 
 #ifdef APLOG_USE_MODULE
@@ -405 +406 @@
                               peer_hostname, gnutls_strerror(ret), ret);
         }
+
+        const char *proxy_alpn =
+            apr_table_get(ctxt->c->notes, "proxy-request-alpn-protos");
+        if (proxy_alpn != NULL)
+        {
+            // TODO: mod_ssl ssl_engine_io.c does some tokenization of
+            // the input string, so it looks like the API allows
+            // multiple protocols.
+            gnutls_datum_t alpn_proto = {
+                .data = (unsigned char *) apr_pstrdup(ctxt->c->pool, proxy_alpn),
+                .size = strlen(proxy_alpn)
+            };
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                          "%s: proxy module requests ALPN proto '%s', "
+                          "length %" APR_SIZE_T_FMT ".",
+                          __func__, proxy_alpn, strlen(proxy_alpn));
+            ret = gnutls_alpn_set_protocols(ctxt->session,
+                                            &alpn_proto,
+                                            1 /* number of proposals */,
+                                            0 /* flags */);
+            if (ret != GNUTLS_E_SUCCESS)
+                ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, ctxt->c,
+                              "Could not set ALPN proposal '%s' for proxy "
+                              "connection: %s (%d)",
+                              proxy_alpn, gnutls_strerror(ret), ret);
+        }
     }
 

test/Makefile.am

@@ -36 +36 @@
         test-31_vhost_SNI_serveralias_match.bash \
         test-32_vhost_SNI_serveralias_mismatch.bash \
-        test-33_vhost_SNI_serveralias_missinghost.bash
+        test-33_vhost_SNI_serveralias_missinghost.bash \
+        test-34_TLS_reverse_proxy_h2.bash
 
 TEST_EXTENSIONS = .bash

test/tests/Makefile.am

@@ -33 +33 @@
         31_vhost_SNI_serveralias_match/gnutls-cli.args 31_vhost_SNI_serveralias_match/input 31_vhost_SNI_serveralias_match/apache.conf 31_vhost_SNI_serveralias_match/output \
         32_vhost_SNI_serveralias_mismatch/gnutls-cli.args 32_vhost_SNI_serveralias_mismatch/input 32_vhost_SNI_serveralias_mismatch/apache.conf 32_vhost_SNI_serveralias_mismatch/output \
-        33_vhost_SNI_serveralias_missinghost/gnutls-cli.args 33_vhost_SNI_serveralias_missinghost/input 33_vhost_SNI_serveralias_missinghost/apache.conf 33_vhost_SNI_serveralias_missinghost/output
+        33_vhost_SNI_serveralias_missinghost/gnutls-cli.args 33_vhost_SNI_serveralias_missinghost/input 33_vhost_SNI_serveralias_missinghost/apache.conf 33_vhost_SNI_serveralias_missinghost/output \
+        34_TLS_reverse_proxy_h2/apache.conf 34_TLS_reverse_proxy_h2/backend.conf 34_TLS_reverse_proxy_h2/gnutls-cli.args 34_TLS_reverse_proxy_h2/input 34_TLS_reverse_proxy_h2/output