httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Fri, 21 Feb 2014 09:08:42 GMT
On Fri, Feb 21, 2014 at 12:52 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> Maybe what you need is a new ProxyPreserveHost on/off/canon option so
> that mod_proxy uses the ServerName to fill in the Host header (hence
> the SNI and the "proxy-request-hostname" note checked later by mod_ssl
> against the CN).
>
> I may be misguided but I see some relation between UseCanonicalName
> and the SNI/CN checks.
> How about using ap_get_server_name_for_url() wherever r->hostname is
> used by mod_ssl and mod_proxy to check/provide SNI/CN?
> By doing this we would allow administrators to configure what is to be
> used, following UseCanonicalName rules, without opening Pandora's
> door.
>
> Thoughts?
>

Similarly, a new "SSLProxyCheckPeerCN canon" option could be handled
so that admins needing "ProxyPreserveHost on" could still forward the
client's Host but check the backend's CN against ServerName.
