Hi!

While trying to migrate a config that was working on a 2.2 server to a 2.4 server I have found a behaviour change that breaks my setup. The problem seems to be that when you set up a reverse proxy to an https URL and you set ProxyPreserveHost to On, what Apache 2.4 tries to access is the host that we have preserved and not the one in the https URL we are proxying to, at least as far as SSL is concerned.

Let me explain with an example. We have https://website.com that we want to reverse proxy to https://internal.website.com using a RewriteRule with proxy or a ProxyPass, something like:

    ProxyPreserveHost On
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    ProxyPass / https://internal.website.com/

On Apache 2.2 this would mean that we are connecting to internal.website.com and we expect to see a certificate for internal.website.com, which gets verified by Apache and works OK.

On Apache 2.4, from what I see, the access is done to the IP of internal.website.com but the SSL negotiation is done as if we were accessing https://website.com (due to the ProxyPreserveHost directive), so we see that the SSL hello (SNI) is sent asking for website.com, and as the internal server replies with an internal.website.com certificate, that certificate is then rejected by Apache (it expects to see a cert for website.com). So the old setup is now broken on version 2.4.

I've googled a bit and saw people solving this by setting SSLProxyCheckPeerCN and SSLProxyCheckPeerName to off, but this is not what I'd want.

The other way I have found to solve this is by setting ProxyPreserveHost to Off; this way Apache asks for https://internal.website.com/ and expects a cert for internal.website.com, which gets verified and works, but I'd like to have ProxyPreserveHost On.

What I want is for Apache to verify the cert, but I don't want the backend (internal) machine to have the frontend cert, which would bypass the problem; I want it to have its own cert, and I'd also like the backend to get the Host header for website.com, so that its replies (which unfortunately include full URLs with the hostname) work OK from the outside.

Is there any directive that can change the way that 2.4 behaves so that this example works again?

Thanks in advance.

Regards.

-- 
Manty/BestiaTester -> http://manty.net

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
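An offline reproduction of the peer-name check that the post above describes, added here as an example and not part of the original message or of Apache's own code. It builds a throwaway self-signed certificate for internal.website.com (a constructed key pair, not real infrastructure) and then runs OpenSSL's hostname verification against it twice: once with the name Apache 2.4 picks for SNI and the peer-name check when ProxyPreserveHost is On (the front-end Host header, website.com) and once with the name it picks when ProxyPreserveHost is Off (the ProxyPass target, internal.website.com). It assumes `openssl` 1.1.1 or newer on PATH, for the `-addext` and `-verify_hostname` options; the `sni_name` helper is a hypothetical stand-in for mod_proxy's hostname selection, not an Apache API.

```shell
#!/bin/sh
# Constructed reproduction: the backend certificate's names are matched
# against the hostname used for SNI. With ProxyPreserveHost On that name is
# the front-end Host header (website.com), so a cert issued for
# internal.website.com fails the check; with it Off, the check passes.
# Assumes: openssl 1.1.1+ on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate standing in for the backend's own cert.
# The key pair is generated on the fly and discarded; nothing here is real.
make_backend_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/backend.key" -out "$WORK/backend.crt" \
        -subj "/CN=internal.website.com" \
        -addext "subjectAltName=DNS:internal.website.com" >/dev/null 2>&1
}

# Returns 0 if the backend cert verifies for the given peer name, 1 otherwise.
# -CAfile is the cert itself because it is self-signed; in the real setup
# this role is played by SSLProxyCACertificateFile.
check_peer_name() {
    openssl verify -CAfile "$WORK/backend.crt" -verify_hostname "$1" \
        "$WORK/backend.crt" >/dev/null 2>&1
}

# Hypothetical model of which name Apache 2.4 uses for SNI and for the
# SSLProxyCheckPeerName comparison:
#   ProxyPreserveHost On  -> the incoming request's Host header ($2)
#   ProxyPreserveHost Off -> the hostname of the ProxyPass target URL ($3)
sni_name() {
    if [ "$1" = "On" ]; then echo "$2"; else echo "$3"; fi
}

make_backend_cert
for mode in On Off; do
    name=$(sni_name "$mode" website.com internal.website.com)
    if check_peer_name "$name"; then
        echo "ProxyPreserveHost $mode: peer name $name verified OK"
    else
        echo "ProxyPreserveHost $mode: peer name $name REJECTED (hostname mismatch)"
    fi
done
```

Running it prints a rejection for the On case and a pass for the Off case, which is the same outcome the post reports from the two Apache configurations; if you want to confirm the behaviour against a live backend instead, `openssl s_client -servername website.com -verify_hostname website.com -connect internal.website.com:443` exercises the same check over the wire.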