Bug 62837 - SNI extension not set in healthcheck requests
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_hcheck
Version: 2.4.35
Hardware: PC Linux
Importance: P2 normal with 1 vote
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2018-10-19 07:34 UTC by Dominik Stillhard
Modified: 2018-10-24 09:04 UTC (History)

Attachments
patch that fixes problem (4.25 KB, patch)
2018-10-24 09:04 UTC, Dominik Stillhard

Description Dominik Stillhard 2018-10-19 07:34:28 UTC
The SNI extension is not set on health check requests to a backend using TLS encryption. Because health checks are negative, this leads to ordinary requests also being denied.

On the backend server I have the following error:

    AH02033: No hostname was provided via SNI for a name based virtual host

I’ve also investigated it with Wireshark; the extension is definitely not set.

My config looks as follows:

    Listen 127.0.0.1:443
    ServerName www.localhost.com

    <VirtualHost 127.0.0.1:443>
        ServerName www.localhost.com
        ServerAlias localhost.com
        SSLCertificateFile /etc/httpd/ssl/ca.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ca.key
        SSLEngine on
        SSLProxyEngine on

        ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
        ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

        <Proxy balancer://mycluster lbmethod=byrequests>
            BalancerMember https://127.0.0.1:8443
            BalancerMember https://127.0.0.1:8444
            ProxyPreserveHost On
            SSLProxyProtocol TLSv1
        </Proxy>

        <Location />
            ProxyPass balancer://mycluster/
            ProxyPassReverse balancer://mycluster/
        </Location>
    </VirtualHost>

I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the problem.
I think it could be related to this comment in hc_determine_connection:

    /*
     * normally, this is done in ap_proxy_determine_connection().
     * TODO: Look at using ap_proxy_determine_connection() with a
     * fake request_rec
     */
Comment 1 Dominik Stillhard 2018-10-24 09:04:36 UTC
Created attachment 36213
patch that fixes problem

Thanks to Yann!!
Patch includes the following commit:
http://svn.apache.org/r1818726
plus a fix for mod_proxy_hcheck