httpd-dev mailing list archives

From Pavel Matěja <pa...@netsafe.cz>
Subject Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Fri, 21 Feb 2014 09:48:32 GMT
On Friday, 21 February 2014, 10:08:42, Yann Ylavic wrote:
> On Fri, Feb 21, 2014 at 12:52 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> > Maybe what you need is a new ProxyPreserveHost on/off/canon option so
> > that mod_proxy uses the ServerName to fill in the Host header (hence
> > the SNI and the "proxy-request-hostname" note checked later by mod_ssl
> > against the CN).
> > 
> > I may be misguided but I see some relation between UseCanonicalName
> > and the SNI/CN checks.
> > How about using ap_get_server_name_for_url() wherever r->hostname is
> > used by mod_ssl and mod_proxy to check/provide SNI/CN?
> > By doing this we would allow administrators to configure what is to be
> > used, following UseCanonicalName rules, without opening Pandora's
> > door.
> > 
> > Thoughts?
> 
> Similarly, a new "SSLProxyCheckPeerCN canon" option could be handled
> so that admins needing "ProxyPreserveHost on" could still forward the
> client's Host but check the backend's CN against ServerName.

SSLProxyCheckPeerCN has been superseded by SSLProxyCheckPeerName.
Should we add "canon" to both then?
-- 
Pavel Matěja

