httpd-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [users@httpd] ProxyPreserveHost doesn't work with SSL
Date Mon, 04 Jul 2016 15:53:48 GMT
On Mon, Jul 4, 2016 at 5:36 PM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> On Mon, Jul 4, 2016 at 5:00 PM, Marat Khalili <mkh@rqc.ru> wrote:
>> On 04/07/16 17:29, Eric Covener wrote:
>>>
>>> SNI is in the ClientHello, you'd be able to eliminate/confirm that bit.
>>
>>
>> Yes you're right. But now I cannot reproduce original problem. And SNI is
>> correctly transferred from client in packet capture. Either the problem is
>> transient or it's gone. Will post again if I see it appear again.
>
> The issue fixed in 2.4.20 (no outgoing SNI) would only happen if an
> idle connection, about to be reused, was closed remotely by the
> backend (because of a keepalive timeout expired on its side), which
> caused the proxy to create a new connection without SNI.

Thus in affected versions (< 2.4.20), it can be avoided/worked-around
by using an idle timeout on the proxy side (the ProxyPass' parameter
ttl= in mod_proxy) lower than the KeepAliveTimeout configured on the
backend.

This is anyway a good setting to synchronize a proxy with its backend
(and avoid race conditions regarding reused connections)....

>
> Regards,
> Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
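
The workaround described in the message above can be checked mechanically. The following is an added example, not part of the original thread or of httpd: it compares each ProxyPass `ttl=` on the proxy with the backend's KeepAliveTimeout. The sample configurations, host name and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample configs; host name and paths are hypothetical.
PROXY_CONF = """\
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass /app    https://backend.example.internal/app ttl=10
ProxyPass /api    https://backend.example.internal/api ttl=3
ProxyPass /static https://backend.example.internal/static
ProxyPass /health !
"""
BACKEND_CONF = """\
KeepAlive On
KeepAliveTimeout 5
"""


def backend_keepalive_timeout(conf, default=5.0):
    """Backend KeepAliveTimeout in seconds (httpd default is 5; 'ms' suffix allowed)."""
    m = re.search(r"^\s*KeepAliveTimeout\s+(\d+)(ms)?\s*$", conf, re.M | re.I)
    if m is None:
        return default
    return int(m.group(1)) / 1000.0 if m.group(2) else float(m.group(1))


def audit_proxypass(proxy_conf, backend_conf):
    """Return (path, ttl, ok) per ProxyPass line; ok means ttl < backend timeout."""
    limit = backend_keepalive_timeout(backend_conf)
    results = []
    for line in proxy_conf.splitlines():
        tok = line.split()
        # Skip other directives, comments and "ProxyPass <path> !" exclusions.
        if len(tok) < 3 or tok[0].lower() != "proxypass" or tok[2] == "!":
            continue
        params = dict(t.lower().split("=", 1) for t in tok[3:] if "=" in t)
        ttl = params.get("ttl")
        # With no ttl the proxy sets no idle limit of its own, so the
        # backend's keepalive timeout can expire first: flag it as well.
        ok = ttl is not None and ttl.isdigit() and int(ttl) < limit
        results.append((tok[1], ttl, ok))
    return results


if __name__ == "__main__":
    for path, ttl, ok in audit_proxypass(PROXY_CONF, BACKEND_CONF):
        print(f"{path:10} ttl={ttl or '-':4} {'ok' if ok else 'RACE: backend may close first'}")
```

A `ttl` equal to the backend timeout is flagged too, since the message asks for a value lower than KeepAliveTimeout.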

