Dne Pá 21. února 2014 13:55:56, Yann Ylavic napsal(a): > On Thu, Feb 20, 2014 at 7:18 PM, Yann Ylavic <ylavic....@gmail.com> wrote: > > On Thu, Feb 20, 2014 at 6:28 PM, Pavel Matěja <pa...@netsafe.cz> wrote: > >> Currently there are two possible scenarios with SSLCheckProxyPeerName On > >> and numeric Host/URI: > >> 1) you will try to open new connection which will fail the CN check and > >> client gets 502 Bad Gateway > >> 2) you will try to reuse already opened connection which will get you 400 > >> Bad Request because SNI hostname won't match the numeric one. > > > > For 2) the issue is not related to IP addresses, reusing a SNI-ed > > connection without checking the current hostname is a bug IMHO. > > I proposed a fix (trunk) in PR 55782: > https://issues.apache.org/bugzilla/attachment.cgi?id=31342&action=diff
Are you not affraid of performance hit on heavily loaded sites? Concurent hits to https://$USERNAME.example.com will close each others connections in pool. Why should we pick first connection and close it instead of looking for matching one in ap_proxy_get_worker()? -- Pavel Matěja
