Posted to users@httpd.apache.org by Santiago Garcia Mantinan <ma...@manty.net> on 2015/11/06 15:44:12 UTC

[users@httpd] apache 2.4 behaviour change (SSLProxy error during ssl handshake)

Hi!

While trying to migrate a config that was working on a 2.2 server to a 2.4
server I have found a behaviour change that breaks my setup.

The problem seems to be that when you set up a reverse proxy to an https URL
and you set ProxyPreserveHost to On, what apache 2.4 tries to access is the
host that we have preserved and not the one in the https URL we are proxying
to, at least as far as SSL is concerned. Let me explain with an example:

We have https://website.com that we want to reverse proxy to
https://internal.website.com using a RewriteRule with proxy or a ProxyPass,
something like:

ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyVerify require
SSLProxyVerifyDepth 2
ProxyPass / https://internal.website.com/

On apache 2.2 this would mean that we are connecting to internal.website.com
and we expect to see a certificate for internal.website.com, which gets
verified by apache and works ok.

On apache 2.4, from what I see, the access is done to the IP of
internal.website.com but the SSL negotiation is done as if we were
accessing https://website.com (due to the ProxyPreserveHost directive), so
we see that the SSL hello (SNI) is sent asking for website.com, and the
internal server replies with an internal.website.com certificate, which is
then rejected by apache (it expects to see a cert from website.com).

So the old setup is now broken on version 2.4.

I've googled a bit and saw
people solving this by setting the SSLProxyCheckPeerCN and
SSLProxyCheckPeerName to off, but this is not what I'd want.

The other way I have found to solve this is by setting ProxyPreserveHost to
Off; this way apache asks for https://internal.website.com/ and expects a
cert from internal.website.com, which gets verified and works, but I'd like
to have ProxyPreserveHost set to On.

What I want is apache to verify the cert, but I don't want the backend
(internal) machine to have the frontend cert, which would bypass the
problem, but to have their own cert, and also I'd like the backend to get
the Host header for website.com, so that their replies (which unfortunately
include full urls with the hostname) work ok from the outside.

Is there any directive that can change the way that 2.4 behaves so that this
example works again?

Thanks in advance.

Regards.
-- 
Manty/BestiaTester -> http://manty.net
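A small static checker for the situation described in this post, written here as an added example (it is not code from the post or from the Apache project). It assumes the 2.4 behaviour the post reports, namely that with ProxyPreserveHost On mod_ssl uses the preserved client Host header (the frontend ServerName) as the SNI and expected peer name, and that an absent SSLProxyCheckPeer* directive counts as off (a simplification; real defaults vary by version). The sample configuration is the one from the post with a ServerName line added; the backend certificate names are a constructed input.

```python
"""Flag the SNI / peer-name mismatch that breaks an Apache 2.4 reverse proxy
when ProxyPreserveHost is On and the backend presents its own certificate.

Added example, not from the original post or the Apache project.  Assumes
the 2.4 behaviour reported in the post: ProxyPreserveHost On makes mod_ssl
send the client's Host header as SNI and verify the backend cert against it.
"""

from urllib.parse import urlsplit

# Constructed sample: the post's config plus the frontend ServerName so the
# checker knows which Host header clients send (and therefore get preserved).
SAMPLE_CONFIG = """
ServerName website.com
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyVerify require
SSlProxyVerifyDepth 2
ProxyPass / https://internal.website.com/
"""


def parse_directives(text):
    """Return {directive_lowercase: [args...]} for a flat config fragment.

    Apache directive names are case-insensitive, so the post's
    'SSlProxyVerifyDepth' is the same directive as 'SSLProxyVerifyDepth'.
    Comments and blank lines are skipped; a repeated directive keeps the
    last occurrence (enough for a single ProxyPass, as in the sample).
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def is_on(directives, name):
    """True if the directive's first argument is 'on'.  Absent directives are
    treated as off: a simplification, real defaults depend on the version."""
    value = directives.get(name.lower(), ["off"])[0]
    return value.lower() == "on"


def expected_peer_name(directives):
    """Hostname mod_ssl will send as SNI and check the backend cert against.

    Assumption from the post: with ProxyPreserveHost On under 2.4 this is the
    preserved client Host header (the ServerName); with it Off it is the host
    part of the ProxyPass target.  Returns None for a non-https backend.
    """
    target = urlsplit(directives["proxypass"][1])
    if target.scheme != "https":
        return None
    if is_on(directives, "ProxyPreserveHost"):
        return directives["servername"][0]
    return target.hostname


def check_proxy_tls(text, backend_cert_names):
    """Return a list of findings for the config, given the DNS names on the
    backend's certificate (set of str)."""
    d = parse_directives(text)
    findings = []
    sni = expected_peer_name(d)
    if sni is None:
        return findings  # plain-http backend: no TLS peer check to assess
    backend = urlsplit(d["proxypass"][1]).hostname
    verifying = is_on(d, "SSLProxyCheckPeerName") or is_on(d, "SSLProxyCheckPeerCN")
    if not verifying:
        # The workaround the post rejects: any trusted cert, for any name,
        # would be accepted, so the proxy no longer knows who it talks to.
        findings.append("peer-name verification disabled: any trusted cert "
                        "for any hostname would be accepted")
    if verifying and sni not in backend_cert_names:
        findings.append(f"handshake will fail: expected name {sni!r} is not "
                        f"on the backend cert {sorted(backend_cert_names)}")
    if sni != backend:
        findings.append(f"ProxyPreserveHost On: SNI {sni!r} differs from "
                        f"ProxyPass host {backend!r}")
    return findings


if __name__ == "__main__":
    for finding in check_proxy_tls(SAMPLE_CONFIG, {"internal.website.com"}):
        print("-", finding)
```

Run against the sample it reports both the certain handshake failure (website.com is not on the internal.website.com cert) and the SNI/target mismatch that causes it; flipping ProxyPreserveHost to Off clears both, while turning the SSLProxyCheckPeer* directives off silences the failure but is reported as a weakening instead.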
