Hello,
I am using Apache as a "WebSocket Relay" that allows local clients to
connect to local Apache using "ws://" and Apache then maps this to
"wss://" and passes the request on to the actual serving backend.
I have defined a Virtual Host for this:
<VirtualHost 127.0.0.1:8888>
SSLProxyEngine On
ProxyRequests Off
<Proxy "*">
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Proxy>
ProxyPass /websocket/ wss://mywebsocket.org/
</VirtualHost>
So a local request to Apache for ws://127.0.0.1:8888/websocket/would
end up in a request to wss://mywebsocket.org/.
I have also defined the following security option (amongst others):
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyCACertificateFile "/opt/apache2/mycert.pem"
SSLProxyVerify require
SSLProxyVerifyDepth 1
While Apache properly checks if the server provided certificate is
not expired and also matches mycert.pem it does not validate the
subject name or the subject alternative names.
This means when I map the IP address of mywebsocket.org in /etc/hosts,
to e.g. to myotherwebsocket.org, then Apache establishes a secure connection
to mywebsocket.org however it does not complain about the mismatch
of the hostname in the request ("myotherwebsocket.org") vs. the one in
the certificate provided during TLS session establishment ("mywebsocket.org
").
When I do the similar thing for HTTP (define Reverse Proxy which does
http-to-https mapping) then Apache corectly refuses the connection as
it realizes that name in certificate provided by server and hostname in
request URL do not match.
Is this a known issue/unimplemented feature or am I missing some
specific configuration here?
Regards
Markus
