httpd-dev mailing list archives

From "Lam, Eugene" <euge...@amazon.com>
Subject Re: SSLProxyCheckPeerCN / ProxyPreserveHost issue
Date Sat, 09 Mar 2013 01:27:37 GMT

Hi folks,

I came across an old issue that was discussed previously under "SSLProxyCheckPeerCN / ProxyPreserveHost
issue":
http://mail-archives.apache.org/mod_mbox/httpd-dev/201209.mbox/%3C50462600.7010607@kippdata.de%3E

However, I think I have found a legitimate use case where I do want Apache to behave in the
old way.  I've detailed the use case in this new bugzilla issue:
https://issues.apache.org/bugzilla/show_bug.cgi?id=54656

Assuming that the new behavior since 2.4.3 will be the default going forward, I'm proposing
a new directive [1] which would allow Apache in reverse proxy to use the connection hostname
for SNI and SSLProxyCheckPeerCN instead of the Host: header.  This directive will be added
when ProxyPreserveHost is on.

I'm curious what your thoughts are on the use case and this proposed directive.

Eugene

[1] https://issues.apache.org/bugzilla/attachment.cgi?id=30029 (I forgot to add a text extension,
so please save it before opening)

