You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/10/19 07:34:28 UTC
[Bug 62837] New: SNI extension not set in healthcheck requests
https://bz.apache.org/bugzilla/show_bug.cgi?id=62837
Bug ID: 62837
Summary: SNI extension not set in healthcheck requests
Product: Apache httpd-2
Version: 2.4.35
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_hcheck
Assignee: bugs@httpd.apache.org
Reporter: dominik.stillhard@united-security-providers.ch
Target Milestone: ---
The SNI extension is not set on health check requests to a backend using TLS
encryption. Because health checks are negative, this leads to ordinary requests
also being denied.
on the backend server i have the following error:
AH02033: No hostname was provided via SNI for a name based virtual host
I’ve also investigated it with wireshark, the extionsion is defenitely not set.
My config looks as follows:
Listen 127.0.0.1:443
ServerName www.localhost.com
<VirtualHost 127.0.0.1:443>
ServerName www.localhost.com
ServerAlias localhost.com
SSLCertificateFile /etc/httpd/ssl/ca.crt
SSLCertificateKeyFile /etc/httpd/ssl/ca.key
SSLEngine on
SSLProxyEngine on
ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get
hcuri=/healthcheck.php
<Proxy balancer://mycluster lbmethod=byrequests>
BalancerMember https://127.0.0.1:8443
BalancerMember https://127.0.0.1:8444
ProxyPreserveHost On
SSLProxyProtocol TLSv1
</Proxy>
<Location />
ProxyPass balancer://mycluster/
ProxyPassReverse balancer://mycluster/
</Location>
</VirtualHost>
I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the
problem.
I think it could be related to this comment in hc_determine_connection:
/*
* normally, this is done in ap_proxy_determine_connection().
* TODO: Look at using ap_proxy_determine_connection() with a
* fake request_rec
*/
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 62837] SNI extension not set in healthcheck requests
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62837
--- Comment #1 from Dominik Stillhard <do...@united-security-providers.ch> ---
Created attachment 36213
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36213&action=edit
patch that fixes problem
thanks to Yann !!
patch includes the follwing commit:
http://svn.apache.org/r1818726
plus a fix for mod_proxy_hcheck
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org