Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On Mon, Jul 4, 2016 at 5:36 PM, Yann Ylavic wrote:
> On Mon, Jul 4, 2016 at 5:00 PM, Marat Khalili wrote:
>> On 04/07/16 17:29, Eric Covener wrote:
>>>
>>> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.
>>
>> Yes you're right. But now I cannot reproduce the original problem. And SNI is
>> correctly transferred from client in packet capture. Either the problem is
>> transient or it's gone. Will post again if I see it appear again.
>
> The issue fixed in 2.4.20 (no outgoing SNI) would only happen if an
> idle connection, about to be reused, was closed remotely by the
> backend (because of a keepalive timeout expired on its side), which
> caused the proxy to create a new connection without SNI.

Thus in affected versions (< 2.4.20), it can be avoided/worked around by using an idle timeout on the proxy side (the ProxyPass parameter ttl= in mod_proxy) lower than the KeepAliveTimeout configured on the backend. This is anyway a good setting to synchronize a proxy with its backend (and avoid race conditions regarding reused connections).

> Regards,
> Yann.

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
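The workaround Yann describes, written out as a reverse-proxy vhost. This is an added example, not configuration posted in the thread or shipped with httpd; host names, certificate paths and the backend's keep-alive timeout are assumed.

```apache
# Reverse proxy vhost for httpd < 2.4.20 (all names, paths and values are assumed)
<VirtualHost *:443>
    ServerName myapp.com
    SSLEngine on
    # placeholder certificate paths
    SSLCertificateFile    /etc/ssl/certs/myapp.pem
    SSLCertificateKeyFile /etc/ssl/private/myapp.key

    # TLS towards the backend, and forward the client's Host header unchanged
    SSLProxyEngine on
    ProxyPreserveHost On

    # Assumed: the backend closes idle keep-alive connections after 120 s.
    # ttl=60 makes mod_proxy retire an idle pooled connection before the
    # backend can close it, so a reuse never lands on a remotely closed
    # socket (the path that produced a fresh connection without SNI before
    # r1733474). Keep ttl= strictly below the backend's KeepAliveTimeout.
    ProxyPass        / https://backend.example.internal/ ttl=60 keepalive=On
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

If the backend's keep-alive timeout is later lowered, ttl= has to be lowered with it, otherwise the race returns.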
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On Mon, Jul 4, 2016 at 5:00 PM, Marat Khalili wrote:
> On 04/07/16 17:29, Eric Covener wrote:
>>
>> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.
>
> Yes you're right. But now I cannot reproduce the original problem. And SNI is
> correctly transferred from client in packet capture. Either the problem is
> transient or it's gone. Will post again if I see it appear again.

The issue fixed in 2.4.20 (no outgoing SNI) would only happen if an idle connection, about to be reused, was closed remotely by the backend (because of a keepalive timeout expired on its side), which caused the proxy to create a new connection without SNI. So this may indeed be transient.

Regards,
Yann.
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On 04/07/16 17:29, Eric Covener wrote:
> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.

Yes you're right. But now I cannot reproduce the original problem. And SNI is correctly transferred from client in packet capture. Either the problem is transient or it's gone. Will post again if I see it appear again.

--
With Best Regards,
Marat Khalili
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On Mon, Jul 4, 2016 at 10:17 AM, Marat Khalili wrote:
> Tried to already. Seems like Wireshark cannot decrypt TLS 1.2 exchange with
> Server Key Exchange part present.

SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.

--
Eric Covener
cove...@gmail.com
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On 04/07/16 16:19, Eric Covener wrote:
> packet capture.

Tried to already. Seems like Wireshark cannot decrypt TLS 1.2 exchange with Server Key Exchange part present.

--
With Best Regards,
Marat Khalili
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On Mon, Jul 4, 2016 at 3:07 AM, Marat Khalili wrote:
>> SNI (in the SSL handshake) which is not set when using SSL?
>
> I don't know how to check what Apache is actually sending to back-end
> server.

packet capture.
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On 01/07/16 23:19, Yann Ylavic wrote:
> On Fri, Jul 1, 2016 at 6:26 PM, Marat Khalili wrote:
>
> Is the header Host sent by the proxy different from the one sent by the client (with and without using SSL) or are you talking about the SNI (in the SSL handshake) which is not set when using SSL?

I don't know how to check what Apache is actually sending to the back-end server. I could make another experiment on a fresh Apache installation with many SSL virtual hosts but: (1) it still won't be IIS; (2) I suppose there must be an easier way to find out. I have only one IIS and it's being used in production, so I don't want to twiddle it.

> In the latter case, you may need this fix released from 2.4.20 (http://svn.apache.org/r1733474).

Sounds like it. Will take a look at package update plans.

--
With Best Regards,
Marat Khalili
Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
On Fri, Jul 1, 2016 at 6:26 PM, Marat Khalili wrote:
>
> Because of SSL the problem is somewhat hard to debug, can't just packet
> trace. I tried to replace IIS application with CGI script on different
> Apache, without SSL, and found that ProxyPreserveHost is not ignored
> (environment variable SERVER_NAME set correctly to myapp.com). I guess for
> SSL the ProxyPreserveHost is implemented partially, i.e. for Host header but
> not for SNI. Any ideas on how to investigate?

Is the header Host sent by the proxy different from the one sent by the client (with and without using SSL) or are you talking about the SNI (in the SSL handshake) which is not set when using SSL?

In the latter case, you may need this fix released from 2.4.20 (http://svn.apache.org/r1733474).

Regards,
Yann.