The SNI extension is not set on health check requests to a backend using TLS encryption. Because health checks are negative, this leads to ordinary requests also being denied.

On the backend server I have the following error:

    AH02033: No hostname was provided via SNI for a name based virtual host

I’ve also investigated it with Wireshark, the extension is definitely not set.

My config looks as follows:

    Listen 127.0.0.1:443
    ServerName www.localhost.com

    <VirtualHost 127.0.0.1:443>
        ServerName www.localhost.com
        ServerAlias localhost.com

        SSLCertificateFile /etc/httpd/ssl/ca.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ca.key
        SSLEngine on
        SSLProxyEngine on

        ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
        ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

        <Proxy balancer://mycluster lbmethod=byrequests>
            BalancerMember https://127.0.0.1:8443
            BalancerMember https://127.0.0.1:8444
            ProxyPreserveHost On
            SSLProxyProtocol TLSv1
        </Proxy>

        <Location />
            ProxyPass balancer://mycluster/
            ProxyPassReverse balancer://mycluster/
        </Location>
    </VirtualHost>

I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the problem.

I think it could be related to this comment in hc_determine_connection:

    /*
     * normally, this is done in ap_proxy_determine_connection().
     * TODO: Look at using ap_proxy_determine_connection() with a
     * fake request_rec
     */
Created attachment 36213
patch that fixes problem

Thanks to Yann!! The patch includes the following commit: http://svn.apache.org/r1818726 plus a fix for mod_proxy_hcheck