Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Yann Ylavic
On Mon, Jul 4, 2016 at 5:36 PM, Yann Ylavic  wrote:
> On Mon, Jul 4, 2016 at 5:00 PM, Marat Khalili  wrote:
>> On 04/07/16 17:29, Eric Covener wrote:
>>>
>>> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.
>>
>>
>> Yes, you're right. But now I cannot reproduce the original problem. And
>> SNI is correctly transferred from the client in the packet capture. Either
>> the problem is transient or it's gone. Will post again if I see it appear
>> again.
>
> The issue fixed in 2.4.20 (no outgoing SNI) would only happen if an
> idle connection, about to be reused, was closed remotely by the
> backend (because of a keepalive timeout expired on its side), which
> caused the proxy to create a new connection without SNI.

Thus in affected versions (< 2.4.20), it can be avoided/worked around
by using an idle timeout on the proxy side (the ProxyPass parameter
ttl= in mod_proxy) lower than the KeepAliveTimeout configured on the
backend.

This is anyway a good setting to synchronize a proxy with its backend
(and avoid race conditions regarding reused connections).

>
> Regards,
> Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Yann Ylavic
On Mon, Jul 4, 2016 at 5:00 PM, Marat Khalili  wrote:
> On 04/07/16 17:29, Eric Covener wrote:
>>
>> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.
>
>
> Yes, you're right. But now I cannot reproduce the original problem. And
> SNI is correctly transferred from the client in the packet capture. Either
> the problem is transient or it's gone. Will post again if I see it appear
> again.

The issue fixed in 2.4.20 (no outgoing SNI) would only happen if an
idle connection, about to be reused, was closed remotely by the
backend (because of a keepalive timeout expired on its side), which
caused the proxy to create a new connection without SNI.

So this may indeed be transient.

Regards,
Yann.




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili

On 04/07/16 17:29, Eric Covener wrote:
> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.

Yes, you're right. But now I cannot reproduce the original problem. And SNI
is correctly transferred from the client in the packet capture. Either the
problem is transient or it's gone. Will post again if I see it appear again.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Eric Covener
On Mon, Jul 4, 2016 at 10:17 AM, Marat Khalili  wrote:
> Tried to already. Seems like Wireshark cannot decrypt the TLS 1.2 exchange
> with the Server Key Exchange part present.

SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili


On 04/07/16 16:19, Eric Covener wrote:
> packet capture.

Tried to already. Seems like Wireshark cannot decrypt the TLS 1.2 exchange
with the Server Key Exchange part present.


--

With Best Regards,
Marat Khalili




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Eric Covener
On Mon, Jul 4, 2016 at 3:07 AM, Marat Khalili  wrote:
>> SNI (in the SSL handshake) which is not set when using SSL?
>
> I don't know how to check what Apache is actually sending to back-end
> server.

packet capture.




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-04 Thread Marat Khalili

On 01/07/16 23:19, Yann Ylavic wrote:
> On Fri, Jul 1, 2016 at 6:26 PM, Marat Khalili  wrote:
>
> Is the header Host sent by the proxy different from the one sent by
> the client (with and without using SSL) or are you talking about the
> SNI (in the SSL handshake) which is not set when using SSL?

I don't know how to check what Apache is actually sending to the back-end
server. I could make another experiment on a fresh Apache installation
with many SSL virtual hosts, but: (1) it still won't be IIS; (2) I
suppose there must be an easier way to find out. I have only one IIS and
it's being used in production, so I don't want to twiddle it.

> In the latter case, you may need this fix released in 2.4.20
> (http://svn.apache.org/r1733474).

Sounds like it. Will take a look at package update plans.

--

With Best Regards,
Marat Khalili




Re: [users@httpd] ProxyPreserveHost doesn't work with SSL

2016-07-01 Thread Yann Ylavic
On Fri, Jul 1, 2016 at 6:26 PM, Marat Khalili  wrote:
>
> Because of SSL the problem is somewhat hard to debug, can't just packet
> trace. I tried to replace IIS application with CGI script on different
> Apache, without SSL, and found that ProxyPreserveHost is not ignored
> (environment variable SERVER_NAME set correctly to myapp.com). I guess for
> SSL the ProxyPreserveHost is implemented partially, i.e. for Host header but
> not for SNI. Any ideas on how to investigate?

Is the header Host sent by the proxy different from the one sent by
the client (with and without using SSL) or are you talking about the
SNI (in the SSL handshake) which is not set when using SSL?

In the latter case, you may need this fix released in 2.4.20
(http://svn.apache.org/r1733474).

Regards,
Yann.
