httpd-users mailing list archives

From Santiago Garcia Mantinan <>
Subject [users@httpd] apache 2.4 behaviour change (SSLProxy error during ssl handshake)
Date Fri, 06 Nov 2015 14:44:12 GMT

While trying to migrate a config that was working on a 2.2 server to a 2.4
server I have found a behaviour change that breaks my setup.

The problem seems to be that when you set up a reverse proxy to an https URL
and you set ProxyPreserveHost to On, what apache 2.4 tries to access, at least
as far as SSL is concerned, is the host that we have preserved and not the one
in the https URL we are proxying to. Let me explain with an example:

We have that we want to reverse proxy to using a RewriteRule with proxy or a ProxyPass,
something like:

ProxyPreserveHost On
SSLProxyEngine on
# CA bundle used to verify the backend's certificate chain
SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
# check the backend certificate's CN/SAN against the expected hostname
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyVerify require
SSLProxyVerifyDepth 2
ProxyPass /

On apache 2.2 this would mean that we are connecting to
and we expect to see a certificate for, which gets
verified by apache and works ok.

On apache 2.4, from what I see, the access is done to the IP of but the SSL
negotiation is done as if we were accessing (due to the ProxyPreserveHost
directive), so we see that the SSL hello (SNI) is sent asking for and, as the
internal server replies with a certificate which is then rejected by apache
(it expects to see a cert from ).

So the old setup is now broken on version 2.4.

I've googled a bit and saw
people solving this by setting the SSLProxyCheckPeerCN and
SSLProxyCheckPeerName to off, but this is not what I'd want.

The other way I have found to solve this is by setting ProxyPreserveHost to
Off; this way apache asks for and expects a cert from which gets verified and
works, but I'd like to have ProxyPreserveHost set to On.

What I want is apache to verify the cert, but I don't want the backend
(internal) machine to have the frontend cert, which would bypass the
problem, but to have their own cert, and also I'd like the backend to get
the Host header for, so that their replies (which unfortunately
include full urls with the hostname) work ok from the outside.

Is there any directive that can change the way that 2.4 behaves so that this
example works again?

Thanks in advance.

Manty/BestiaTester ->
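The two behaviours described in the message can be reproduced with openssl(1) alone, which is also the quickest way to check what a real backend will do before touching the Apache config. The script below is an added example, not part of the original post and not Apache's own code: it starts a local `openssl s_server` with a self-signed certificate for an assumed backend name (backend.internal), then probes it the way mod_ssl does, once with the backend's name (what 2.2, and 2.4 with ProxyPreserveHost Off, do) and once with an assumed preserved public name (www.example.com, what 2.4 with ProxyPreserveHost On does). The port 14443 is an assumption too. A single-certificate s_server ignores SNI, so the `-servername` flag only mirrors what Apache sends; the decisive part is `-verify_hostname`, which is the check SSLProxyCheckPeerName performs.

```shell
#!/bin/sh
# Added example: reproduce the peer-name mismatch with openssl(1) only.
set -eu

BACKEND_NAME="backend.internal"   # assumed: name in the backend's own certificate
FRONTEND_NAME="www.example.com"   # assumed: public name the client sends in Host:
PORT="${PORT:-14443}"             # assumed: local port for the stand-in backend
WORK="$(mktemp -d)"
SERVER_PID=""

cleanup() {
  if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
  rm -rf "$WORK"
}
trap cleanup EXIT

# Self-signed certificate for the backend, with a SAN so a modern
# hostname check (SAN first, CN only as fallback) has something to match.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=$BACKEND_NAME" -addext "subjectAltName=DNS:$BACKEND_NAME" \
  -keyout "$WORK/backend.key" -out "$WORK/backend.crt" >/dev/null 2>&1

# Stand-in for the internal https server. -www answers any HTTP request
# so the server never reads stdin and keeps accepting connections.
openssl s_server -accept "$PORT" -cert "$WORK/backend.crt" \
  -key "$WORK/backend.key" -www >/dev/null 2>&1 &
SERVER_PID=$!

# Wait until a handshake completes (the summary always contains this line).
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null \
      | grep -q 'Verify return code'; do
  i=$((i + 1))
  if [ "$i" -ge 20 ]; then echo "backend did not start" >&2; exit 1; fi
  sleep 1
done

# probe SNI EXPECTED_NAME
# Connects with the given SNI and verifies the returned certificate chain
# and hostname against EXPECTED_NAME, which is what mod_ssl does with
# SSLProxyVerify require + SSLProxyCheckPeerName on. Prints ok or mismatch.
probe() {
  if openssl s_client -connect "127.0.0.1:$PORT" -servername "$1" \
       -verify_hostname "$2" -CAfile "$WORK/backend.crt" \
       </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  else
    echo mismatch
  fi
}

# 2.2, and 2.4 with ProxyPreserveHost Off: SNI and expected name come from
# the ProxyPass target, so the backend's own certificate verifies.
result_22="$(probe "$BACKEND_NAME" "$BACKEND_NAME")"
# 2.4 with ProxyPreserveHost On: both are taken from the preserved Host
# header, so the same certificate is rejected as a hostname mismatch.
result_24="$(probe "$FRONTEND_NAME" "$FRONTEND_NAME")"

echo "2.2 / 2.4 with ProxyPreserveHost Off: $result_22"
echo "2.4 with ProxyPreserveHost On:        $result_24"
```

Against a real backend, drop the `openssl req`/`s_server` part, point `-connect` at the internal server and `-CAfile` at the bundle from SSLProxyCACertificateFile; the second probe then shows exactly the verification error Apache 2.4 logs when ProxyPreserveHost is On.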
