httpd-users mailing list archives

From Luca Toscano <toscano.l...@gmail.com>
Subject Re: [users@httpd] Vendor Connection via Proxy to SNI Server response 403 Forbidden
Date Mon, 05 Jun 2017 15:30:47 GMT
Hi Reid,

2017-06-03 3:11 GMT+02:00 Reid Watson <reid.watson@auckland.ac.nz>:

> Hi Everyone,
>
> There are a few posts going around and I was wondering if anyone had some
> advice or experienced a similar issue
>
> Current Apache Version: httpd-2.4.12
>
> Issue
>
> - External Vendor WebServer enables SNI check
> - I currently connect to vendor via proxy (from Http to Https)
> - I disable ssl checks on the certificate
> - Each time we make a connection I’m returned 403, the reason is the
> vendor enables SNI check and within the Client Hello (SSL Handshake) packet
> we set ServerName from vHost “Internal-site.test.com”
>
> Basic config
>
> <VirtualHost *:*>
>
>      ServerName Internal-site.test.com
>
>       SSLProxyCheckPeerName off
>       SSLProxyCheckPeerCN off
>       SSLProxyCheckPeerExpire off
>
>      RewriteCond %{REQUEST_URI} ^/path
>      RewriteRule ^/path/(.*) https://vendor-site.com/$1 [P,L,E=vendor-site.com]
>
> </VirtualHost>
>
> Does anyone have any advice on the current issue or a trick / workaround
> with mod_ssl / mod_proxy
>
> for example would I attempt to overwrite the environment variable "SetEnv
> SSL_TLS_SNI vendor-site.com" ?
>

My understanding is that you want to have a (reverse) http proxy that
responds to Internal-site.test.com with the content of vendor-site.com,
leaving to httpd the responsibility to set the "right" TLS SNI domain (in
this case the one that you want is vendor-site.com).

Is my understanding correct? Can you please turn loglevel to trace8 (
https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) and show us what
httpd logs during a request that returns 403?

Luca
