When doing a reverse proxy, the proxy client connection remote_host field isn't populated. Since this is already available as a result of the ProxyPassReverse entry, it makes sense to pass this on. Otherwise a client that may want this hostname value has no access to it until the request is being processed, and in the case of an input filter that does something like SSL, that may be too late. SSL connections should compare the requested hostname value with the certificate subject returned by the remote server. This is the only protection against man-in-the-middle attacks. Once mod_proxy populates this field then SSL connections can do this comparison.
Created attachment 16280: copy the hostname into the client connection structure
Rob, is this still applicable to 2.2?
Yes, it is still a problem in 2.2.4.
Do you fancy updating the patch for 2.2? I'm guessing you have a backend that looks for the header, so you'll be better-equipped to try it than I am.
Created attachment 25428: copy the hostname into the client connection structure. This patch applies to 2.2.15 and has been tested to fix the bug.
I added a patch from Rob.
This is fixed upstream (circa 2.2.12). mod_proxy sets the "proxy-request-hostname" note in r->connection->notes with the hostname of the backend. I'm working on changing mod_nss to use this instead (bug https://bugzilla.redhat.com/show_bug.cgi?id=591224).
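The comparison this report asks for, written out as an added example; it is not part of the thread and not code from mod_proxy or mod_nss. The helper name `backend_name_matches` is hypothetical, the `host` argument stands for the value a module would read from the "proxy-request-hostname" note, and the wildcard handling (one left-most label only) is an assumption about the policy a verifier would apply.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes; DNS names ignore case. */
static int ci_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Hypothetical helper: returns 1 when `host` (the backend name the proxy was
 * asked to reach) is covered by one DNS name from the backend certificate.
 * `cert_name`/`cert_len` are the raw name bytes and their encoded length.
 */
int backend_name_matches(const char *host, const char *cert_name, size_t cert_len)
{
    /* Fail closed: no hostname to compare means no verification. */
    if (host == NULL || cert_name == NULL || *host == '\0' || cert_len == 0)
        return 0;
    /* An embedded NUL would make C string functions see a shorter name. */
    if (memchr(cert_name, '\0', cert_len) != NULL)
        return 0;

    size_t hlen = strlen(host);
    if (hlen > 1 && host[hlen - 1] == '.')
        hlen--;                       /* tolerate one trailing root dot */

    if (cert_name[0] != '*')          /* plain name: exact match only */
        return hlen == cert_len && ci_equal(host, cert_name, hlen);

    /* Wildcard: only "*." as the whole left-most label, covering one label. */
    const char *suffix = cert_name + 1;          /* e.g. ".example.test" */
    size_t slen = cert_len - 1;
    if (slen < 2 || suffix[0] != '.' ||
        memchr(suffix + 1, '.', slen - 1) == NULL ||   /* reject "*.test" */
        memchr(suffix, '*', slen) != NULL)             /* reject "*.*.test" */
        return 0;

    const char *dot = memchr(host, '.', hlen);
    if (dot == NULL || dot == host)   /* host needs a non-empty first label */
        return 0;
    size_t rest = hlen - (size_t)(dot - host);
    return rest == slen && ci_equal(dot, suffix, slen);
}
```

Without a populated hostname the first check returns 0, which is the fail-closed behaviour a verifier needs when the proxy has not passed the name on.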