On Fri, Feb 21, 2014 at 12:52 AM, Yann Ylavic <[email protected]> wrote:
> Maybe what you need is a new ProxyPreserveHost on/off/canon option so
> that mod_proxy uses the ServerName to fill in the Host header (hence
> the SNI and the "proxy-request-hostname" note checked later by mod_ssl
> against the CN).
>
> I may be misguided but I see some relation between UseCanonicalName
> and the SNI/CN checks.
> How about using ap_get_server_name_for_url() wherever r->hostname is
> used by mod_ssl and mod_proxy to check/provide SNI/CN?
> By doing this we would allow administrators to configure what is to be
> used, following UseCanonicalName rules, without opening Pandora's
> door.
>
> Thoughts?
>

Similarly, a new "SSLProxyCheckPeerCN canon" option could be handled so that admins needing "ProxyPreserveHost on" could still forward the client's Host but check the backend's CN against ServerName.
