Re: Vendor Connection via Proxy to SNI Server response 403 Forbidden

[Luca Toscano <toscano.luca@xxxxxxxxx>]

Hi Reid,

2017-06-03 3:11 GMT+02:00 Reid Watson <reid.watson@xxxxxxxxxxxxxx>:

Hi Everyone,

There are few posts going around and I was wondering if any one had some advice or experienced a similar issues

Current Apache Version: httpd-2.4.12

Issue

- External Vendor WebServer enables SNI check
- I currently connect to vendor via proxy (from Http to Https)
- I disable ssl checks on the certificate
- Each time we make a connection I’m returned 403, the reason is the vendor enables SNI check and within the Client Hello (SSL Handshake) packet we set ServerName from vHost “Internal-site.test.com”

Basic config

<VirtualHost *:*>

     ServerName Internal-site.test.com

      SSLProxyCheckPeerName off
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerExpire off

     RewriteCond %{REQUEST_URI} ^/path
     RewriteRule ^/path/(.*) https://vendor-site.com/$1 [P,L,E=vendor-site.com]

</VirtualHost>

Does any one have any advice on the current issue or a trick / workaround with mod_ssl / mod_proxy

for example would I attempt to overwrite the environment variable "SetEnv SSL_TLS_SNI vendor-site.com” ?

My understanding is that you want to have a (reverse) http proxy that respond to Internal-site.test.com with the content of vendor-site.com, leaving to httpd the responsibility to set the "right" TLS SNI domain (in this case the one that you want is vendor-site.com).

Is my understanding correct? Can you please turn loglevel to trace8 (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) and show us what httpd logs during a request that returns 403?

Luca