On Fri, 21 February 2014 10:08:42, Yann Ylavic wrote:
> On Fri, Feb 21, 2014 at 12:52 AM, Yann Ylavic <[email protected]> wrote:
> > Maybe what you need is a new ProxyPreserveHost on/off/canon option so
> > that mod_proxy uses the ServerName to fill in the Host header (hence
> > the SNI and the "proxy-request-hostname" note checked later by mod_ssl
> > against the CN).
> >
> > I may be misguided but I see some relation between UseCanonicalName
> > and the SNI/CN checks.
> > How about using ap_get_server_name_for_url() wherever r->hostname is
> > used by mod_ssl and mod_proxy to check/provide SNI/CN?
> > By doing this we would allow administrators to configure what is to be
> > used, following UseCanonicalName rules, without opening Pandora's
> > door.
> >
> > Thoughts?
>
> Similarly, a new "SSLProxyCheckPeerCN canon" option could be handled
> so that admins needing "ProxyPreserveHost on" could still forward the
> client's Host but check the backend's CN against ServerName.

SSLProxyCheckPeerCN has been superseded by SSLProxyCheckPeerName. Should we add "canon" to both then?

-- 
Pavel Matěja
