httpd-dev mailing list archives

From Pavel Matěja <pa...@netsafe.cz>
Subject Re: Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Fri, 21 Feb 2014 14:59:05 GMT
On Fri, 21 February 2014 15:13:25, Pavel Matěja wrote:
> On Fri, 21 February 2014 13:55:56, Yann Ylavic wrote:
> > On Thu, Feb 20, 2014 at 7:18 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> > > On Thu, Feb 20, 2014 at 6:28 PM, Pavel Matěja <pavel@netsafe.cz> wrote:
> > >> Currently there are two possible scenarios with SSLCheckProxyPeerName On
> > >> and numeric Host/URI:
> > >> 1) you will try to open new connection which will fail the CN check and
> > >> client gets 502 Bad Gateway
> > >> 2) you will try to reuse already opened connection which will get you 400
> > >> Bad Request because SNI hostname won't match the numeric one.
> > > 
> > > For 2) the issue is not related to IP addresses, reusing a SNI-ed
> > > connection without checking the current hostname is a bug IMHO.
> > 
> > I proposed a fix (trunk) in PR 55782:
> > https://issues.apache.org/bugzilla/attachment.cgi?id=31342&action=diff
> 
> Are you not afraid of performance hit on heavily loaded sites?
> Concurrent hits to https://$USERNAME.example.com will close each other's
> connections in pool. Why should we pick first connection and close it
> instead of looking for matching one in ap_proxy_get_worker()?

Sorry, not in ap_proxy_get_worker() but in ap_proxy_acquire_connection().
-- 
Pavel Matěja
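
An added illustration of the trade-off raised in this message (not code from the thread, from PR 55782, or from httpd): a simplified, sequential model of a backend connection pool that compares the "pick first connection and close it" behaviour with searching the pool for a connection whose SNI already matches. All names (`struct conn`, `acquire_first`, `acquire_matching`, `count_handshakes`), the pool size and the hostnames are assumptions constructed for the example.

```c
/* Added example: hypothetical names, not the httpd proxy API. */
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4
struct conn { char sni[64]; int open; };  /* one pooled backend TLS connection */

static void reconnect(struct conn *c, const char *host)
{   /* models close + new TLS handshake with the requested SNI */
    snprintf(c->sni, sizeof c->sni, "%s", host);
    c->open = 1;
}

/* Strategy A: take the first pooled connection; on SNI mismatch close it
 * and reconnect. Returns 1 when a new handshake was needed. */
static int acquire_first(struct conn *pool, const char *host)
{
    if (pool[0].open && strcmp(pool[0].sni, host) == 0)
        return 0;
    reconnect(&pool[0], host);
    return 1;
}

/* Strategy B: reuse only a connection whose SNI matches; otherwise fill a
 * free slot, evicting slot 0 when the pool is full. */
static int acquire_matching(struct conn *pool, const char *host)
{
    struct conn *slot = NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].open && strcmp(pool[i].sni, host) == 0)
            return 0;
        if (!pool[i].open && !slot)
            slot = &pool[i];
    }
    reconnect(slot ? slot : &pool[0], host);
    return 1;
}

/* Constructed traffic: requests rotate over three per-user hostnames. */
static int count_handshakes(int (*acquire)(struct conn *, const char *), int requests)
{
    static const char *hosts[] = { "alice.example.com", "bob.example.com", "carol.example.com" };
    struct conn pool[POOL_SIZE] = {0};
    int handshakes = 0;
    for (int i = 0; i < requests; i++)
        handshakes += acquire(pool, hosts[i % 3]);
    return handshakes;
}

int main(void)
{
    printf("first-slot: %d handshakes\n", count_handshakes(acquire_first, 30));
    printf("matching:   %d handshakes\n", count_handshakes(acquire_matching, 30));
    return 0;
}
```

Neither strategy ever sends a request over a connection negotiated for a different SNI name; they differ only in how many handshakes that guarantee costs.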

