Re: Vendor Connection via Proxy to SNI Server response 403 Forbidden (Apache Users)

Re: Vendor Connection via Proxy to SNI Server response 403 Forbidden

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: "users@xxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxx>

Subject: Re: Vendor Connection via Proxy to SNI Server response 403 Forbidden

From: Reid Watson <reid.watson@xxxxxxxxxxxxxx>

Date: Tue, 6 Jun 2017 10:17:53 +0000

Accept-language: en-GB, en-NZ, en-US

In-reply-to: <CAFedD43wdOmoqexa_GNvQL=+fSN+fu2zvWfkeY6jTRi9cO27vA@mail.gmail.com>

Reply-to: users@xxxxxxxxxxxxxxxx

Thread-index: AQHS3hC+vkF5M5kNQkWCzGjlHPvVnKIXn2/h

Thread-topic: Vendor Connection via Proxy to SNI Server response 403 Forbidden

Hi Luca,

"My understanding is that you want to have a (reverse) http proxy that respond to Internal-site.test.com with the content of vendor-site.com, leaving to httpd the responsibility to set the "right" TLS SNI domain (in this case the one that you want is vendor-site.com).

Is my understanding correct?"

You are correct and I will turn on extra logging "trace8" tomorrow morning and complete further testing..

From: Luca Toscano <toscano.luca@xxxxxxxxx>
Sent: 06 June 2017 03:30
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Vendor Connection via Proxy to SNI Server response 403 Forbidden

Hi Reid,

2017-06-03 3:11 GMT+02:00 Reid Watson <reid.watson@xxxxxxxxxxxxxx>:

Hi Everyone,

There are few posts going around and I was wondering if any one had some advice or experienced a similar issues

Current Apache Version: httpd-2.4.12

Issue

- External Vendor WebServer enables SNI check
- I currently connect to vendor via proxy (from Http to Https)
- I disable ssl checks on the certificate
- Each time we make a connection I’m returned 403, the reason is the vendor enables SNI check and within the Client Hello (SSL Handshake) packet we set ServerName from vHost “Internal-site.test.com”

Basic config

<VirtualHost *:*>

ServerName Internal-site.test.com

SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

RewriteCond %{REQUEST_URI} ^/path
RewriteRule ^/path/(.*) https://vendor-site.com/$1 [P,L,E=vendor-site.com]

</VirtualHost>

Does any one have any advice on the current issue or a trick / workaround with mod_ssl / mod_proxy

for example would I attempt to overwrite the environment variable "SetEnv SSL_TLS_SNI vendor-site.com” ?

My understanding is that you want to have a (reverse) http proxy that respond to Internal-site.test.com with the content of vendor-site.com, leaving to httpd the responsibility to set the "right" TLS SNI domain (in this case the one that you want is vendor-site.com).

Is my understanding correct? Can you please turn loglevel to trace8 (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) and show us what httpd logs during a request that returns 403?

Luca