httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marat Khalili <...@rqc.ru>
Subject [users@httpd] ProxyPreserveHost doesn't work with SSL
Date Fri, 01 Jul 2016 16:26:14 GMT
Dear all,

I'm reverse proxying requests on Apache/2.4.18 (stock version on Ubuntu 
16.04) via SSL to an application running on IIS 7.0. Somehow, despite 
ProxyPreserveHost, IIS app manages to sniff IP-address 10.1.2.3 
specified in ProxyPass (see below) and breaks. If I replace 10.1.2.3 
with myapp.com and put "10.1.2.3 myapp.com" in /etc/hosts everything 
works (but I don't like the solution).

Because of SSL the problem is somewhat hard to debug, can't just packet 
trace. I tried to replace IIS application with CGI script on different 
Apache, without SSL, and found that ProxyPreserveHost is not ignored 
(environment variable SERVER_NAME set correctly to myapp.com). I guess 
for SSL the ProxyPreserveHost is implemented partially, i.e. for Host 
header but not for SNI. Any ideas on how to investigate?

Here's the complete virtualhost configuration:
---
<VirtualHost *:443>
     ServerName myapp.com

     SSLEngine on
     SSLCertificateFile  /etc/ssl/certs/myapp.pem
     SSLCertificateKeyFile /etc/ssl/private/myapp.key

     SSLProxyEngine on
     SSLProxyProtocol all
     SSLProxyCipherSuite ALL
     SSLProxyVerify none
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
     SSLProxyCheckPeerExpire off

     <Location />
         ProxyPreserveHost on
         ProxyPass https://10.1.2.3/ connectiontimeout=300 timeout=300
         ProxyPassReverse /
         ProxyPassReverseCookieDomain myapp.com 10.1.2.3
     </Location>
</VirtualHost>
---

--

With Best Regards,
Marat Khalili

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message