On Fri, 21 February 2014 15:13:25, Pavel Matěja wrote:
> On Fri, 21 February 2014 13:55:56, Yann Ylavic wrote:
> > On Thu, Feb 20, 2014 at 7:18 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> > > On Thu, Feb 20, 2014 at 6:28 PM, Pavel Matěja <pa...@netsafe.cz> wrote:
> > >> Currently there are two possible scenarios with SSLCheckProxyPeerName On
> > >> and numeric Host/URI:
> > >> 1) you will try to open new connection which will fail the CN check and
> > >> client gets 502 Bad Gateway
> > >> 2) you will try to reuse already opened connection which will get you 400
> > >> Bad Request because SNI hostname won't match the numeric one.
> > >
> > > For 2) the issue is not related to IP addresses, reusing a SNI-ed
> > > connection without checking the current hostname is a bug IMHO.
> >
> > I proposed a fix (trunk) in PR 55782:
> > https://issues.apache.org/bugzilla/attachment.cgi?id=31342&action=diff
>
> Are you not afraid of performance hit on heavily loaded sites?
> Concurrent hits to https://$USERNAME.example.com will close each other's
> connections in pool. Why should we pick first connection and close it
> instead of looking for matching one in ap_proxy_get_worker()?

Sorry, not in ap_proxy_get_worker() but in ap_proxy_acquire_connection().

--
Pavel Matěja