httpd-modules-dev mailing list archives

From Dominik Stillhard <Dominik.Stillh...@united-security-providers.ch>
Subject SNI extension for healthchecks
Date Fri, 19 Oct 2018 08:52:23 GMT
I asked this on the users mailing list and didn’t get any feedback so far, so I’ll forward
it here. Maybe someone here has an idea…
Bug report: https://bz.apache.org/bugzilla/show_bug.cgi?id=62837


From: Stillhard, Dominik
Sent: Tuesday, 16 October 2018 12:44
To: users@httpd.apache.org
Subject: [users@httpd] SNI extension for healthchecks [signed OK]

Hello all

I face the problem that the SNI extension is not set on healthcheck requests to a backend
using TLS. Because healthchecks are negative, this leads to ordinary requests also being
denied.

On the backend server I have the following error:
AH02033: No hostname was provided via SNI for a name based virtual host
I’ve also investigated it with Wireshark; the extension is definitely not set.

My config looks as follows:
---------------------------------------------------------------------------------
Listen 127.0.0.1:443
ServerName www.localhost.com

<VirtualHost 127.0.0.1:443>
    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on

    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

  <Proxy balancer://mycluster lbmethod=byrequests>
    BalancerMember https://127.0.0.1:8443
    BalancerMember https://127.0.0.1:8444
    ProxyPreserveHost On
    SSLProxyProtocol  TLSv1
  </Proxy>
  <Location />
    ProxyPass  balancer://mycluster/
    ProxyPassReverse  balancer://mycluster/
  </Location>
</VirtualHost>
---------------------------------------------------------------------------------
I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the problem.
Am I missing something, or is this eventually a bug in mod_proxy_hcheck?
Thanks in advance for help/ideas on this!

Cheers
Dominik
