
Re: [users@httpd] SNI extension for healthchecks


Oh thanks, I will try this!

> -----Original Message-----
> From: Yann Ylavic <ylavic.dev@xxxxxxxxx>
> Sent: Friday, October 19, 2018 15:28
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] SNI extension for healthchecks
> 
> Hi Dominik,
> 
> sorry for the late response.
> 
> On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard <Dominik.Stillhard@united-security-providers.ch> wrote:
> >
> > I face the problem that the SNI extension is not set on healthcheck requests to a
> > backend using TLS. Because healthchecks are negative, this leads to ordinary requests
> > also being denied.
> >
> > On the backend server I have the following error:
> >
> > AH02033: No hostname was provided via SNI for a name based virtual host
> >
> > I've also investigated it with Wireshark; the extension is definitely not set.
> 
> It should not, see below.
> 
> >
> > My config looks as follows:
> []
> >
> >   <Proxy balancer://mycluster lbmethod=byrequests>
> >     BalancerMember https://127.0.0.1:8443
> >     BalancerMember https://127.0.0.1:8444
> 
> https://tools.ietf.org/html/rfc6066#section-3 :
>     ...
>     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> 
> So httpd won't set the SNI in your case, I guess "localhost" instead of 127.0.0.1 would
> work...
> 
> >
> >     ProxyPreserveHost On
> 
> While this is meaningful for forwarded client requests (their "Host:"
> header can be preserved on the backend side, instead of using the one from the
> ProxyPass/BalancerMember directive), it does not apply to healthcheck where
> connections/requests are created on the httpd proxy and there is nothing to preserve,
> so the only hostname/SNI to use is the one from ProxyPass/BalancerMember here.
> 
> So for healthcheck requests to be accepted by your backend (name based virtual
> host), you need to set real hostnames in BalancerMember(s) above, or use "localhost"
> provided that "ServerAlias localhost" is configured on the backend for the relevant
> vhost.
> 
> 
> Regards,
> Yann.
> 

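Added example, not part of the thread and not httpd's own code: a Python check that scans a proxy configuration for https BalancerMember URLs whose host is an IP literal, which under the RFC 6066 rule quoted above cannot be sent as SNI. The sample configuration, `sni_hostname` and `members_without_sni` are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Captures the URL argument of a BalancerMember directive; commented-out
# directives do not match because the line must start with the keyword.
MEMBER_RE = re.compile(r"^\s*BalancerMember\s+(\S+)", re.IGNORECASE)


def sni_hostname(url):
    """Return the name a TLS client may send as SNI for this URL, or None.

    RFC 6066 section 3 does not permit literal IPv4/IPv6 addresses in
    "HostName", so an IP-literal backend URL yields no SNI.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None  # no TLS connection, hence no SNI
    host = parts.hostname  # brackets around IPv6 literals are already removed
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: not allowed in SNI
    except ValueError:
        return host.rstrip(".")  # RFC 6066: name is sent without trailing dot


def members_without_sni(config_text):
    """List (line_number, url) for https BalancerMembers that get no SNI."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = MEMBER_RE.match(line)
        if not match:
            continue
        url = match.group(1)
        if urlsplit(url).scheme.lower() == "https" and sni_hostname(url) is None:
            findings.append((lineno, url))
    return findings


# Constructed sample configuration, modelled on the one in the thread.
SAMPLE = """\
<Proxy balancer://mycluster lbmethod=byrequests>
    BalancerMember https://127.0.0.1:8443
    BalancerMember https://[::1]:8444
    BalancerMember https://localhost:8445
    # BalancerMember https://10.0.0.1:8443
    BalancerMember http://127.0.0.1:8080
</Proxy>
"""

if __name__ == "__main__":
    for lineno, url in members_without_sni(SAMPLE):
        print(f"line {lineno}: {url} -> no SNI; backend name-based vhosts will not match")
```

Every flagged member needs a real hostname (or "localhost" with a matching ServerAlias on the backend vhost) for healthchecks to reach a name-based virtual host.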