Bug 53134 - SNI with Host header preservation through reverse proxy
Summary: SNI with Host header preservation through reverse proxy
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http (show other bugs)
Version: 2.4-HEAD
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Reported: 2012-04-23 14:30 UTC by Michael Weiser
Modified: 2012-10-21 16:49 UTC (History)
0 users

use Host header for SNI data if ProxyPreserveHost is on (2.30 KB, patch)
2012-04-23 14:33 UTC, Michael Weiser
Details | Diff
Slightly different approach (1.12 KB, patch)
2012-04-30 13:18 UTC, Ruediger Pluem
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Weiser 2012-04-23 14:30:37 UTC
As discussed on httpd-users (http://mail-archives.apache.org/mod_mbox/httpd-users/201204.mbox/%3C20120406121150.GC22138@dinsnail.net%3E) and httpd-dev (http://mail-archives.apache.org/mod_mbox/httpd-dev/201204.mbox/%3C4F7F6F8C.5020409@primary.net%3E), httpd-2.4 and later reverse proxies use SNI towards the backend server. If ProxyPreserveHost is turned On, a mismatch between Host header and SNI data can occur which may cause the backend server to deny the request. This could be fixed by extracting the Host header from the request and putting its hostname into the SNI data.
Comment 1 Michael Weiser 2012-04-23 14:33:21 UTC
Created attachment 28658 [details]
use Host header for SNI data if ProxyPreserveHost is on

This patch parses the Host header, extracts the hostname and uses it for the CN check and SNI data if ProxyPreserveHost is On. This fixes the issue for me.
Comment 2 Michael Weiser 2012-04-23 14:52:09 UTC
I forgot: The patch is against httpd-trunk as of 2012-04-22. But it also applies against httpd-2.4 HEAD as of the same date.
Comment 3 Ruediger Pluem 2012-04-30 13:18:14 UTC
Created attachment 28697 [details]
Slightly different approach

I think it is better to use r->hostname instead of reparsing the host header again. Can you please check if this patch works for you as well?
Comment 4 Michael Weiser 2012-05-03 18:08:02 UTC
(In reply to comment #3)
> Can you please check if this patch works for you as well?

Yes, your patch works fine.
Comment 5 Ruediger Pluem 2012-05-04 14:07:00 UTC
Committed to trunk as r1333969. Thanks for testing.
Comment 6 Michael Weiser 2012-05-15 08:20:25 UTC
Will this automaticlly show up in a 2.4.x release or do I need to do something more to make it happen?
Comment 7 Ruediger Pluem 2012-05-15 12:05:09 UTC
Proposed for backport to 2.4.x as r1338662.
Comment 8 Stefan Fritsch 2012-07-03 19:45:52 UTC
Will be in 2.4.3: r1356881
Comment 9 Rainer Jung 2012-08-21 16:31:11 UTC
Released with 2.4.3.
Proposed for 2.2.x.
Comment 10 Michael Weiser 2012-08-26 12:41:03 UTC
When I checked (April 2012), 2.2 couldn't do SNI when reverse proxying. A backport (of just the fix) is mute then...
Comment 11 Michael Weiser 2012-10-21 16:49:05 UTC
I can confirm that the problem is fixed in 2.4.3. As far as I am concerned, the bug can be closed. Thank you for all your help.

BTW: I'm now facing a follow-up problem with subjectAltNames for which I've opened another bug #54030 with patches for 2.4.2 and trunk.