[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [users@httpd] SNI extension for healthchecks

Hi Yann,

I've tested the configuration you proposed. 
Unfortunately the problem is not solved by using hostnames.

I still cannot see an SNI-Extension with wireshark:
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 189
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 185
            Version: TLS 1.2 (0x0303)
            Random: d0d713b41985eb8a78e657e12b9913bb77c97e7a0d1fce85...
            Session ID Length: 0
            Cipher Suites Length: 56
            Cipher Suites (28 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 88
            Extension: ec_point_formats (len=4)
            Extension: supported_groups (len=12)
            Extension: SessionTicket TLS (len=0)
            Extension: encrypt_then_mac (len=0)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=48)
My configuration is very simple:
Proxy Config:
LogLevel debug
LogLevel ssl_module:debug
LogLevel proxy_hcheck:debug
ServerName www.localhost.com
SSLSessionCache nonenotnull

    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on

    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=4 hcexpr=isok hcmethod=get hcuri=/index.html

  <Proxy balancer://mycluster lbmethod=byrequests >
    BalancerMember https://sesdev.tarsec.com:10030 hctemplate=template
    BalancerMember https://sesdev.tarsec.com:10031 hctemplate=template 
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyProtocol  TLSv1

  <Location />
    ProxyPass  balancer://mycluster/
    ProxyPassReverse  balancer://mycluster/


Backends Configuration:
ServerName            sesdev.tarsec.com
DocumentRoot           ${SERVER_ROOT}/htdocs
ServerRoot             ${SERVER_ROOT}
TypesConfig            ${SERVER_ROOT}/conf/mime.types

LogLevel               debug
ErrorLog               ${SERVER_ROOT}/logs/error_log
TransferLog            ${SERVER_ROOT}/logs/access_log
PidFile                ${SERVER_ROOT}/logs/pid

SSLSessionCache nonenotnull

SSLCertificateFile     ${TEST_ENV}/../testca/CaRoot/certs/sesdev.tarsec.com.cert.pem  
SSLCertificateKeyFile  ${TEST_ENV}/../testca/CaRoot/keys/sesdev.tarsec.com.key.pem
SSLProtocol TLSv1
SSLEngine              on

<VirtualHost sesdev.tarsec.com:10030>
  SSLEngine              on
  ServerName             sesdev.tarsec.com
  ServerAlias            sesdev.tarsec.com
  <Location />

Thanks! Regards Dominik

> -----Ursprüngliche Nachricht-----
> Von: Yann Ylavic <ylavic.dev@xxxxxxxxx>
> Gesendet: Freitag, 19. Oktober 2018 15:28
> An: users@xxxxxxxxxxxxxxxx
> Betreff: Re: [users@httpd] SNI extension for healthchecks
> Hi Dominik,
> sorry for the late response.
> On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard <Dominik.Stillhard@united-
> security-providers.ch> wrote:
> >
> > I face the problem, that the sni extension is not set on healthcheck-requests to a
> backend using tls. Because healthchecks are negative, this leads to ordinary requests
> also beeing denied.
> >
> > on the backend server i have the following error:
> >
> > AH02033: No hostname was provided via SNI for a name based virtual
> > host
> >
> > I’ve also investigated it with wireshark, the extionsion is defenitely not set.
> It should not, see below.
> >
> > My config looks as follows:
> []
> >
> >   <Proxy balancer://mycluster lbmethod=byrequests>
> >     BalancerMember
> >     BalancerMember
> https://tools.ietf.org/html/rfc6066#section-3 :
>     ...
>     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> So httpd won't set the SNI in your case, I guess "localhost" instead of would
> work...
> >
> >     ProxyPreserveHost On
> While this is meaningful for forwarded client requests (their "Host:"
> header can be preserved on the backend side, instead of using the one from the
> ProxyPass/BalancerMember directive), it does not apply to healthcheck where
> connections/requests are created on the httpd proxy and there is nothing to preserve,
> so the only hostname/SNI to use in the one from ProxyPass/BalancerMember here.
> So for healthcheck requests to be accepted by your backend (name based virtual
> host), you need to set real hostnames in BalancerMember(s) above, or use "localhost"
> provided that "ServerAlias localhost" is configured on the backend for the relevant
> vhost.
> Regards,
> Yann.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Attachment: smime.p7s
Description: S/MIME cryptographic signature