Hi Igor,
Hi Daniel,

On Mon, Apr 09, 2012 at 08:56:12AM -0000, Igor Galić wrote:
> > Then it looks like mod_proxy_http determines the value for
> > "proxy-request-hostname" from the remote URL in ProxyPass, but is
> > passing on the Host header from the original request.
> That would imply ProxyPreserveHost on -- which is off by default
> I also don't see it in Micha's paste.

Uh, I am very sorry to have wasted your time, but I actually do have ProxyPreserveHost On in my config. It was in between some comments and I must have removed it together with them. I have checked and it seems to be the only statement missing from my mail.

I have it in there because wordpress has a feature of automatically using the host name from the request in all links in the HTML it generates. Unfortunately, it insists on creating absolute instead of relative links. This is also why I access wordpress inside the VM via HTTPS at all: This way it automatically (or at least with only a very small patch to its config.php) generates https:// links in its responses when accessed via HTTPS, making the reverse proxy very simple (apart from the SSL bit) and almost transparent.

At first I tried to configure the reverse proxy to plain http:// (SSL termination, so to speak) and rewrite all links using mod_proxy_html for performance and because it seemed the straightforward thing to do. But I had various detail problems within wordpress I couldn't solve (with links to uploaded files for example). So I switched to just passing on the original requests as unchanged as possible.

As for the SNI bit: So I tell the reverse proxy to access https://www.example.com:12433/ but pass on the Host header unchanged. The wordpress VM's apache 2.2.14 gets upset with this discrepancy and refuses to serve the requests. As I perhaps poorly explained in the second part of my mail, I tried to tell the reverse proxy to access https://<Host-header>:12443/ instead but couldn't make it work.

A solution might be something like:

    ProxyPass / https://www.example.com:12443/ no-sni
    ProxyPassReverse / https://www.example.com:12443/ no-sni

, disabling SNI towards the backend server. Or can I tell the 2.2.14 apache inside the VM to ignore the SNI data it sees in the requests?

The best solution I can think of would be some switch like

    ProxyPass / https://www.example.com:12443/ pass-host-as-sni
    ProxyPassReverse / https://www.example.com:12443/ pass-host-as-sni

that makes mod_ssl put the content of the host header into the sni data structures instead of the hostname from the URL used in the ProxyPass(Reverse) configuration itself. This way even name-based virtual hosts should work behind the reverse proxy.

--
Thanks for your patience,
Micha
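
[Added example, not part of the original mail and not Apache code.] The SNI/Host discrepancy described above, modelled in a few lines of Python so each combination can be checked. The `sni_mode` values stand in for the switches proposed in the mail (they are hypothetical, not real mod_proxy options), the backend's strict comparison is an assumption, and `blog.example.org` is a constructed client host name.

```python
from urllib.parse import urlsplit

def normalize(name):
    """Lower-case a host name, dropping any :port suffix and trailing dot."""
    return name.strip().lower().split(":", 1)[0].rstrip(".")

def proxy_request(proxypass_url, client_host, preserve_host, sni_mode="url"):
    """Return (sni, host_header) as the reverse proxy would send them.

    sni_mode is hypothetical and mirrors the switches proposed in the mail:
      "url"  - SNI taken from the ProxyPass URL (the behaviour described)
      "none" - no SNI sent at all             (the proposed "no-sni")
      "host" - SNI copied from the Host header ("pass-host-as-sni")
    """
    url = urlsplit(proxypass_url)
    # ProxyPreserveHost On forwards the client's Host header untouched;
    # Off replaces it with the host[:port] from the ProxyPass URL.
    host_header = client_host if preserve_host else url.netloc
    sni = {"url": url.hostname, "none": None,
           "host": normalize(host_header)}[sni_mode]
    return sni, host_header

def backend_accepts(sni, host_header):
    """Assumed backend policy: reject when SNI and Host name different hosts."""
    return sni is None or normalize(sni) == normalize(host_header)

def survey(proxypass_url, client_host):
    """Evaluate every combination and report which ones the backend serves."""
    results = {}
    for preserve in (True, False):
        for mode in ("url", "none", "host"):
            sni, host = proxy_request(proxypass_url, client_host, preserve, mode)
            results[(preserve, mode)] = backend_accepts(sni, host)
    return results

if __name__ == "__main__":
    # Constructed sample: backend URL from the mail, invented public host name.
    sample = survey("https://www.example.com:12443/", "blog.example.org")
    for key, ok in sample.items():
        print(key, "served" if ok else "rejected")
```

Only the combination of ProxyPreserveHost On with SNI taken from the ProxyPass URL is rejected in this model; every other combination is served.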