Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D9DD1C196 for ; Sun, 29 Apr 2012 07:59:51 +0000 (UTC) Received: (qmail 76458 invoked by uid 500); 29 Apr 2012 07:59:51 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 76385 invoked by uid 500); 29 Apr 2012 07:59:50 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 76358 invoked by uid 99); 29 Apr 2012 07:59:50 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 29 Apr 2012 07:59:50 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [62.75.148.60] (HELO appendix.velox.ch) (62.75.148.60) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 29 Apr 2012 07:59:44 +0000 Received: from cortex.velox.ch (77-57-164-164.dclient.hispeed.ch [77.57.164.164]) (authenticated bits=0) by appendix.velox.ch (8.14.4/8.14.4/2.1) with ESMTP id q3T7xKTR013983 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Sun, 29 Apr 2012 09:59:21 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f; t=1335686361; bh=258FTjtc4UztWUf3yl+kiu35BIahmnYbLTxoF22RJw8=; h=Date:From:To:Subject:References:In-Reply-To; b=hamEBfca/8MmdyeLMRcZr41HVxteubm41VasPXpLjLr89XesOj8jlJBNr++ECxq5G EX98+QbRL+JTQgQKE9IGa2exaqbGvVELi4saQHYzgnS8jMHT6rejrc4mFhk9hBNZy0 fmQdttDUxdhsQy2W7jI46auVph6B+qLZPYapeg7peQMTUSXPFwJcjAfoPf90GOHDZN vDOq3dGhkKEi7vcoTM95XDxIjcEb4mXlChVfvidC+5GdYOqtEBVWpLKRJP1g8JeorJ T0A/9fEAOFq1C4KFwvXnBuPI/SGc59QeHhuUFldESF+bQWl0R/KVZWS9TZG5GM8dM6 PY2jcylyYq6Sw== Message-ID: <4F9CF4E0.9030109@velox.ch> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58; t=1335686358; bh=258FTjtc4UztWUf3yl+kiu35BIahmnYbLTxoF22RJw8=; h=Date:From:To:Subject:References:In-Reply-To; b=YLs0HwetvWiarLDfig+pa1RRF9yPQzif3cUJpvIpd8bkacWm8K4mRLwx/JVLGlRaM 1FCEX43F6Sjnq4K8z4jKLoBtO0wNcEaXNf5aBu8D4GkNn+J4urjOTXrkKRaCEXAsd2 FQJgcnyRgFkBbY6JHe0n7tkYgo2btR/M1UOcqt5DzHwfhJRfv4dwQDG4mxgHwd69Kw Hy7KkF3yx7viL5OPHtT1N+qod11BUZOoAYszXPQV6K0wV7AnMrt/zgNjioSvPscGK/ fmv2iMqI0DLVBRBx1S2tCDbGOF1+GQ/cexJSzDNpcfs710WFqCNuRHaDoGsgEZopmk /7xMUSlq2lz1w== Date: Sun, 29 Apr 2012 09:59:28 +0200 From: Kaspar Brand MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: [users@httpd] SNI with apache 2.4.1 reverse proxy References: <4F7FDCAC.2070001@velox.ch> <1aa10db6-f933-45af-8b42-17b89f392bb2@iris> <20120410080111.GC28860@weiser.dinsnail.net> <20120416104526.GA22470@weiser.dinsnail.net> <4F8C064C.4010506@edelweb.fr> <20120416144727.GB22470@weiser.dinsnail.net> <4F8E7873.8000004@velox.ch> <20120423151104.GA21338@weiser.dinsnail.net> In-Reply-To: <20120423151104.GA21338@weiser.dinsnail.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org On 23.04.2012 17:11, Michael Weiser wrote: > I don't think so: I'm not directing the Proxy to connect to a different > host. I just make it send different SNI data to the configured backend > server and accept a different CN in the server's certificate. I guess it boils down to the question of what the semantics of ProxyPass are / should be. Currently, the docs say (for 2.0/2.2./2.4): > This directive allows remote servers to be mapped into the space of > the local server; the local server does not act as a proxy in the > conventional sense, but appears to be a mirror of the remote server. > _path_ is the name of a local virtual path; _url_ is a partial URL for > the remote server and cannot include a query string. With the patch you proposed in PR 53134, the docs about ProxyPass would have to be amended with something like: "If ProxyPreserveHost is turned on, the host component of _url_ is used to determine what host to connect to at the network layer, but is otherwise ignored (only the scheme and path components are taken into account)." Whether that is desired or not probably depends on a judgement of possible use cases. As far as I'm concerned, I'm not convinced that there are really good reasons for "playing the ProxyPreserveHost trick" (neither for https nor for http, actually), but YMMV. Kaspar