httpd-dev mailing list archives

From Michael Weiser
Subject Re: [users@httpd] SNI with apache 2.4.1 reverse proxy
Date Mon, 16 Apr 2012 14:47:28 GMT
Hi there,

On Mon, Apr 16, 2012 at 01:45:16PM +0200, Peter Sylvester wrote:

> >> that makes mod_ssl put the content of the host header into the sni data
> >> structures instead of the hostname from the URL used in the
> >> ProxyPass(Reverse) configuration itself. This way even name-based
> >> virtual hosts should work behind the reverse proxy.
> > I haven't heard anything back: What's the general opinion on this?
> - If a configuration parameter can be avoided, this divides
>    the possibilities of errors by at least 3.
>    I don't think that a configuration parameter is necessary.

I agree (or at least don't care as long as I get the behaviour I need ;).

> - If something is put into the SNI, it must be identical to
>    what is in the Host: header.

This could be a side-effect of ProxyPreserveHost On since only with
ProxyPreserveHost On does it make any sense anyways. With
ProxyPreserveHost Off, the SNI data should contain the hostname from the
ProxyPassReverse directive.

So implementation-wise this will most likely have two parts of code:

1. Determining the hostname to put into SNI data depending on
ProxyPreserveHost somewhere in the reverse proxy module. 

2. Putting that value into the SNI data in mod_ssl's ssl_engine_io.c.

ssl_engine_io.c already uses an apr_table_get with a name of
proxy-request-hostname which is apr_table_set'd in mod_proxy_http.c. So
point 2 seems to be taken care of already. Host header preservation seems
to be done in mod_proxy_http.c as well. Now setting
proxy-request-hostname based on that shouldn't be too hard.

Shall I have a go at that?
bye, Michael
Elephants don't play chess!
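
The selection rule discussed in the message above, as an added example that is not part of the original message and is not httpd or mod_ssl code. The function names are hypothetical; the example goes beyond the message by stripping a port from the Host value and by sending no SNI name for IP literals, which RFC 6066 does not allow in SNI.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper, not an httpd or mod_ssl API.
 * Copies the host part of a Host-style value ("name" or "name:port")
 * into out, unchanged, so SNI stays identical to the Host header name.
 * Returns 1 if out holds a name usable in SNI, 0 if no SNI name should
 * be sent: missing value, bracketed IPv6 literal, IPv4 literal, or a
 * name that does not fit in out.
 * Assumption: IPv6 literals arrive bracketed, as in Host headers/URLs. */
static int sni_from_hostport(const char *value, char *out, size_t outlen)
{
    size_t len, i;
    int only_digits_and_dots = 1;

    if (value == NULL || value[0] == '\0' || value[0] == '[')
        return 0;                       /* missing, or IPv6 literal */
    len = strcspn(value, ":");          /* cut off an optional :port */
    if (len == 0 || len >= outlen)
        return 0;                       /* empty host or would truncate */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isdigit(c) && c != '.')
            only_digits_and_dots = 0;
        out[i] = (char)c;
    }
    out[len] = '\0';
    return !only_digits_and_dots;       /* RFC 6066: no IP literals */
}

/* preserve_host mirrors ProxyPreserveHost:
 *   On  (1): SNI name comes from the client's Host header;
 *   Off (0): SNI name comes from the backend hostname in the proxy
 *            configuration URL.
 * With On and no Host header, no SNI name is sent (returns 0). */
int choose_sni_name(int preserve_host, const char *host_header,
                    const char *backend_host, char *out, size_t outlen)
{
    if (preserve_host)
        return sni_from_hostport(host_header, out, outlen);
    return sni_from_hostport(backend_host, out, outlen);
}
```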
