apache2-mod_nss/mod_nss-sslmultiproxy.patch

Index: mod_nss-1.0.8/mod_nss.c
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.c
+++ mod_nss-1.0.8/mod_nss.c
@@ -192,6 +192,9 @@ static SSLConnRec *nss_init_connection_c
     return sslconn;
 }
 
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *othermod_proxy_enable;
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *othermod_engine_disable;
+
 int nss_proxy_enable(conn_rec *c)
 {
     SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
@@ -199,6 +202,12 @@ int nss_proxy_enable(conn_rec *c)
     SSLConnRec *sslconn = nss_init_connection_ctx(c);
 
     if (!sc->proxy_enabled) {
+        if (othermod_proxy_enable) {
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                          "mod_nss proxy not configured, passing through to mod_ssl module");
+            return othermod_proxy_enable(c);
+        }
+
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                      "SSL Proxy requested for %s but not enabled "
                      "[Hint: NSSProxyEngine]", sc->vhost_id);
@@ -212,7 +221,7 @@ int nss_proxy_enable(conn_rec *c)
     return 1;
 }
 
-int ssl_proxy_enable(conn_rec *c) {
+static int ssl_proxy_enable(conn_rec *c) {
     return nss_proxy_enable(c);
 }
 
@@ -222,6 +231,10 @@ int nss_engine_disable(conn_rec *c)
 
     SSLConnRec *sslconn;
 
+    if (othermod_engine_disable) {
+        othermod_engine_disable(c);
+    }
+
     if (sc->enabled == FALSE) {
         return 0;
     }
@@ -233,7 +246,7 @@ int nss_engine_disable(conn_rec *c)
     return 1;
 }
 
-int ssl_engine_disable(conn_rec *c) {
+static int ssl_engine_disable(conn_rec *c) {
     return nss_engine_disable(c);
 }
 
@@ -455,14 +468,17 @@ static void nss_register_hooks(apr_pool_
 
     nss_var_register();
 
+    /* Always register these mod_nss optional functions */
     APR_REGISTER_OPTIONAL_FN(nss_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(nss_engine_disable);
 
-    /* If mod_ssl is not loaded then mod_nss can work with mod_proxy */
-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable) == NULL)
-        APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable) == NULL)
-        APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+    /* Save the state of any previously registered mod_ssl functions */
+    othermod_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+    othermod_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+
+    /* Always register these local mod_ssl optional functions */
+    APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+    APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
 }
 
 module AP_MODULE_DECLARE_DATA nss_module = {
Index: mod_nss-1.0.8/mod_nss.h
===================================================================
--- mod_nss-1.0.8.orig/mod_nss.h
+++ mod_nss-1.0.8/mod_nss.h
@@ -13,8 +13,8 @@
  * limitations under the License.
  */
 
-#ifndef __MOD_SSL_H__
-#define __MOD_SSL_H__
+#ifndef __MOD_NSS_H__
+#define __MOD_NSS_H__
 
 /* Apache headers */
 #include "httpd.h"
@@ -25,6 +25,7 @@
 #include "http_connection.h"
 #include "http_request.h"
 #include "http_protocol.h"
+#include "mod_ssl.h"
 #include "util_script.h"
 #include "util_filter.h"
 #include "mpm.h"
@@ -438,34 +439,24 @@ int nss_hook_ReadReq(request_rec *r);
 /*  Variables  */
 void         nss_var_register(void);
 char        *nss_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
-char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
 void         nss_var_log_config_register(apr_pool_t *p);
 
 APR_DECLARE_OPTIONAL_FN(char *, nss_var_lookup,
                         (apr_pool_t *, server_rec *,
                          conn_rec *, request_rec *, 
                          char *));
-APR_DECLARE_OPTIONAL_FN(char *, ssl_var_lookup,
-                        (apr_pool_t *, server_rec *,
-                         conn_rec *, request_rec *, 
-                         char *));
 
 /* An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, nss_is_https, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
 
 /* Proxy Support */
 int nss_proxy_enable(conn_rec *c);
 int nss_engine_disable(conn_rec *c);
-int ssl_proxy_enable(conn_rec *c);
-int ssl_engine_disable(conn_rec *c);
 
 APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
 
 APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
-APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
 
 /* I/O */
 PRFileDesc * nss_io_new_fd();
@@ -495,4 +486,4 @@ void nss_die(void);
 
 /* NSS callback */
 SECStatus nss_AuthCertificate(void *arg, PRFileDesc *socket, PRBool checksig, PRBool isServer);
-#endif /* __MOD_SSL_H__ */
+#endif /* __MOD_NSS_H__ */
Index: mod_nss-1.0.8/nss_engine_vars.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_vars.c
+++ mod_nss-1.0.8/nss_engine_vars.c
@@ -39,11 +39,17 @@ static char *nss_var_lookup_nss_cert_ver
 static char *nss_var_lookup_nss_cipher(apr_pool_t *p, conn_rec *c, char *var);
 static char *nss_var_lookup_nss_version(apr_pool_t *p, char *var);
 static char *nss_var_lookup_protocol_version(apr_pool_t *p, conn_rec *c);
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var);
+
+static APR_OPTIONAL_FN_TYPE(ssl_is_https) *othermod_is_https;
+static APR_OPTIONAL_FN_TYPE(ssl_var_lookup) *othermod_var_lookup;
 
 static int nss_is_https(conn_rec *c)
 {
     SSLConnRec *sslconn = myConnConfig(c);
-    return sslconn && sslconn->ssl;
+
+    return (sslconn && sslconn->ssl)
+        || (othermod_is_https && othermod_is_https(c));
 }
 
 static int ssl_is_https(conn_rec *c) {
@@ -52,14 +58,17 @@ static int ssl_is_https(conn_rec *c) {
 
 void nss_var_register(void)
 {
+    /* Always register these mod_nss optional functions */
     APR_REGISTER_OPTIONAL_FN(nss_is_https);
     APR_REGISTER_OPTIONAL_FN(nss_var_lookup);
 
-    /* These can only be registered if mod_ssl is not loaded */
-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_is_https) == NULL)
-        APR_REGISTER_OPTIONAL_FN(ssl_is_https);
-    if (APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup) == NULL)
-        APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+    /* Save the state of any previously registered mod_ssl functions */
+    othermod_is_https = APR_RETRIEVE_OPTIONAL_FN(ssl_is_https);
+    othermod_var_lookup = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup);
+
+    /* Always register these local mod_ssl optional functions */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+    APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
 
     return;
 }
@@ -174,6 +183,15 @@ char *nss_var_lookup(apr_pool_t *p, serv
      */
     if (result == NULL && c != NULL) {
         SSLConnRec *sslconn = myConnConfig(c);
+
+        if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
+            && (!sslconn || !sslconn->ssl) && othermod_var_lookup) {
+            /* If mod_ssl is registered for this connection,
+             * pass any SSL_* variable through to the mod_ssl module
+             */
+            return othermod_var_lookup(p, s, c, r, var);
+        }
+
         if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) 
                  && sslconn && sslconn->ssl)
             result = nss_var_lookup_ssl(p, c, var+4);
@@ -252,7 +270,7 @@ char *nss_var_lookup(apr_pool_t *p, serv
     return result;
 }
 
-char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
+static char *ssl_var_lookup(apr_pool_t *p, server_rec *s, conn_rec *c, request_rec *r, char *var) {
     return nss_var_lookup(p, s, c, r, var);
 }