httpd-dev mailing list archives

From Daniel Kahn Gillmor <>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Tue, 18 Feb 2014 15:16:15 GMT
On 02/18/2014 08:14 AM, Pavel Matěja wrote:

> There is one big risk when someone uses a reverse HTTPS proxy with ServerAlias.
> Let's say you have on both - backend and proxy servers - the options:
> ServerName
> ServerAlias
> In the old non-SNI days everything was working just fine.
> Now when one client connects to the proxy and requires, the connection
> is established to the backend server with the SNI hostname set to
> A second client connects to the proxy and requires Worker is matched
> because there is just one. The connection is reused, but you will get 4xx Bad
> Request because there is a mismatch between the old and current SNI hostname.

It seems like an administrator could avoid this risk by doing hostname
canonicalization via external redirect at the proxy itself.  This
probably isn't a currently common practice, but for sites that should
canonicalize their hostnames, I don't see it as particularly onerous.

The main concern would be for non-canonicalized hostnames.  e.g.
*, where each user of a service gets to set up
https://$  A proxy would need to pass this
information through to the origin server -- so in the scenario you
describe, a reverse proxy could run into serious trouble.
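
One way to apply the canonicalization Daniel describes, as an added example that is not from the thread or from httpd's own documentation: a reverse-proxy vhost that externally redirects every alias to the canonical ServerName before anything is proxied, so the backend connection is only ever opened with one SNI hostname and a reused connection never carries a mismatch. Hostnames, ports and file paths are placeholders, and it assumes (as the thread discusses) that with ProxyPreserveHost On the backend connection's SNI follows the client's Host header.

```apache
# Added example, not from the thread. All names and paths are placeholders.
<VirtualHost *:443>
    # One canonical name; the aliases exist only to be redirected away from.
    ServerName  www.example.test
    ServerAlias example.test alias.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.test.pem
    SSLCertificateKeyFile /etc/ssl/private/example.test.key

    # Canonicalize first: any request whose Host: is not the ServerName gets
    # an external 301 to the canonical name and never reaches the proxy rules.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.example\.test$ [NC]
    RewriteRule ^ https://www.example.test%{REQUEST_URI} [R=301,L]

    # Only canonical requests are proxied. With ProxyPreserveHost On the
    # backend sees the client's Host: (assumed here to also drive SNI), and
    # because that Host: is now always www.example.test, every connection in
    # the single worker's pool was opened with the same SNI hostname.
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass        / https://backend.example.test/
    ProxyPassReverse / https://backend.example.test/
</VirtualHost>
```

This only helps sites that can pick one canonical name; for the wildcard case Daniel raises, where each user's hostname must be passed through to the origin, there is no single name to redirect to and the connection-reuse mismatch remains.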
