
Re: [users@httpd] SNI extension for healthchecks


Hi Dominik,

sorry for the late response.

On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard
<Dominik.Stillhard@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> I face the problem that the SNI extension is not set on healthcheck requests to a backend using TLS. Because healthchecks are negative, this leads to ordinary requests also being denied.
>
> On the backend server I have the following error:
>
> AH02033: No hostname was provided via SNI for a name based virtual host
>
> I’ve also investigated it with Wireshark, the extension is definitely not set.

It should not, see below.

>
> My config looks as follows:
[]
>
>   <Proxy balancer://mycluster lbmethod=byrequests>
>     BalancerMember https://127.0.0.1:8443
>     BalancerMember https://127.0.0.1:8444

https://tools.ietf.org/html/rfc6066#section-3 :
    ...
    Literal IPv4 and IPv6 addresses are not permitted in "HostName".

So httpd won't set the SNI in your case, I guess "localhost" instead
of 127.0.0.1 would work...

>
>     ProxyPreserveHost On

While this is meaningful for forwarded client requests (their "Host:"
header can be preserved on the backend side, instead of using the one
from the ProxyPass/BalancerMember directive), it does not apply to
healthchecks, where connections/requests are created on the httpd proxy
and there is nothing to preserve, so the only hostname/SNI to use is
the one from ProxyPass/BalancerMember here.

So for healthcheck requests to be accepted by your backend (name based
virtual host), you need to set real hostnames in BalancerMember(s)
above, or use "localhost" provided that "ServerAlias localhost" is
configured on the backend for the relevant vhost.


Regards,
Yann.
