Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0326110ED7 for ; Tue, 18 Feb 2014 13:15:21 +0000 (UTC) Received: (qmail 81481 invoked by uid 500); 18 Feb 2014 13:15:01 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 81125 invoked by uid 500); 18 Feb 2014 13:15:00 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 81116 invoked by uid 99); 18 Feb 2014 13:15:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 18 Feb 2014 13:14:59 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: local policy) Received: from [83.223.49.132] (HELO gate1.netsafe.cz) (83.223.49.132) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 18 Feb 2014 13:14:53 +0000 Received: from nudel.localnet (nudel.netsafe.cz [10.64.1.132]) by webgate.netsafe.cz (Postfix) with ESMTPSA id 66896AC001 for ; Tue, 18 Feb 2014 14:14:32 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=netsafe.cz; s=webgate; t=1392729272; bh=NBggf6W7THF/D4jtj0fEGfoye2jXymSeoT0mdzDMYIc=; h=From:To:Subject:Date:In-Reply-To:References:From; b=cZd4NSAyh3MPqzJmnf3xk2IsoCICtXc4dTCVk73CiUE2gMeCDHtlsQQtbOgxRgsFy ++BTHYMtnfWTU21d/JsmOtTXYAoFTbyNwbZIWRZcggLC4AiH1VfoEeVy+w5Yt+wcji bA3RsUKlfB1iIRimRgwu7ExMJLWa1Sud0yEmt+zI= From: Pavel =?utf-8?B?TWF0xJtqYQ==?= To: dev@httpd.apache.org Subject: Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests Date: Tue, 18 Feb 2014 14:14:31 +0100 Message-ID: <5144800.Zjx3nWxCiJ@nudel> Organization: Netsafe Solutions, s.r.o. User-Agent: KMail/4.11.5 (Linux/3.13-trunk-amd64; KDE/4.11.5; x86_64; ; ) In-Reply-To: <52B08B76.6060600@velox.ch> References: <20131125155541.66e19919@hub> <52943239.9080607@velox.ch> <52B08B76.6060600@velox.ch> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="UTF-8" X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on webgate.netsafe.cz X-Virus-Checked: Checked by ClamAV on apache.org X-Old-Spam-Status: No, score=-102.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,UNPARSEABLE_RELAY,USER_IN_DKIM_WHITELIST autolearn=ham version=3.3.2 Dne =C3=9At 17. prosince 2013 18:35:50, Kaspar Brand napsal(a): > On 26.11.2013 06:31, Kaspar Brand wrote: > > As far as PR 55782 is concerned, the problem might be that > > proxy_util.c:ap_proxy_determine_connection() does not take Host: he= ader > > differences into account when checking if an existing connection ca= n be > > reused (not sure). With SNI this would have the effect that the hos= tname > > from the TLS handshake is causing the mismatch with the Host: heade= r. >=20 > To clear this up: the above guess was a red herring. mod_proxy's curr= ent > behavior is fine in this aspect and does not conflict with any IP res= olution > "coincidence" when reverse proxying SNI-based URLs (I'm aware that th= is > thread is supposed to deal with forward proxying only, but am adding = this > for posterity, in case someone is sifting through archives). >=20 > It's not ap_proxy_determine_connection() which is really relevant, bu= t > proxy_util.c:ap_proxy_get_worker() instead. mod_proxy (only) reuses w= orkers > for reverse proxying based on the target URL; looking at > proxy_util.c:ap_proxy_get_worker() in 2.4 e.g we see: >=20 > /* > * Do a "longest match" on the worker name to find the worker tha= t > * fits best to the URL, but keep in mind that we must have at le= ast > * a minimum matching of length min_match such that > * scheme://hostname[:port] matches between worker and url. > */ >=20 > if (balancer) { > proxy_worker **workers =3D (proxy_worker **)balancer->workers= ->elts; > for (i =3D 0; i < balancer->workers->nelts; i++, workers++) {= > worker =3D *workers; > if ( ((worker_name_length =3D strlen(worker->s->name)) <=3D= > url_length) && (worker_name_length >=3D min_match) > && (worker_name_length > max_match) > && (strncmp(url_copy, worker->s->name, worker_name_le= ngth) > =3D=3D 0) ) { max_worker =3D worker; > max_match =3D worker_name_length; > } >=20 > } > } else { > worker =3D (proxy_worker *)conf->workers->elts; > for (i =3D 0; i < conf->workers->nelts; i++, worker++) { > if ( ((worker_name_length =3D strlen(worker->s->name)) <=3D= > url_length) && (worker_name_length >=3D min_match) > && (worker_name_length > max_match) > && (strncmp(url_copy, worker->s->name, worker_name_le= ngth) > =3D=3D 0) ) { max_worker =3D worker; > max_match =3D worker_name_length; > } > } > } >=20 > I.e., there's no risk of two workers for reverse proxying, say, > https://foo.example.net and https://bar.example.net, ever being reuse= d for > each other, irrespective of whether foo.example.net and bar.example.n= et > resolve to the same IP address. >=20 > Kaspar Hi, sorry for late follow-up but you are wrong. There is one big risk when someone uses reverse HTTPS proxy with Server= Alias. Let say you have on both - backend and proxy servers options: ServerName www.example.com ServerAlias example.com In old non-SNI days everything was working just fine. Now when one client connects to proxy and requires www.example.com, con= nection=20 is established to backend server with SNI hostname set to www.example.c= om. Second client connects to proxy and requires example.com. Worker is mat= ched=20 because there is just one. Connection is reused but you will get 4xx Ba= d=20 Request because there is mismatch between old and current SNI hostname.= It's kind of heisenbug because even tons of request to example.com only= or to=20 www.example.com only are just fine. You have to request both sites at t= he same=20 time to realize what's going on. --=20 Pavel Mateja