[Bug 62837] New: SNI extension not set in healthcheck requests


https://bz.apache.org/bugzilla/show_bug.cgi?id=62837

            Bug ID: 62837
           Summary: SNI extension not set in healthcheck requests
           Product: Apache httpd-2
           Version: 2.4.35
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy_hcheck
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: dominik.stillhard@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Target Milestone: ---

The SNI extension is not set on health check requests to a backend using TLS
encryption. Because health checks are negative, this leads to ordinary requests
also being denied.

On the backend server I have the following error:

    AH02033: No hostname was provided via SNI for a name based virtual host

I’ve also investigated it with Wireshark; the extension is definitely not set.

My config looks as follows:

Listen 127.0.0.1:443
ServerName www.localhost.com

<VirtualHost 127.0.0.1:443>
    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on

    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

  <Proxy balancer://mycluster lbmethod=byrequests>
    BalancerMember https://127.0.0.1:8443
    BalancerMember https://127.0.0.1:8444
    ProxyPreserveHost On
    SSLProxyProtocol  TLSv1
  </Proxy>

  <Location />
    ProxyPass  balancer://mycluster/
    ProxyPassReverse  balancer://mycluster/
  </Location>
</VirtualHost>

I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the
problem.
I think it could be related to this comment in hc_determine_connection:

    /*
     * normally, this is done in ap_proxy_determine_connection().
     * TODO: Look at using ap_proxy_determine_connection() with a
     * fake request_rec
     */
