Hi Dominik,
sorry for the late response.
On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard
<Dominik.Stillhard@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> I face the problem, that the sni extension is not set on healthcheck-requests to a backend using tls. Because healthchecks are negative, this leads to ordinary requests also beeing denied.
>
> on the backend server i have the following error:
>
> AH02033: No hostname was provided via SNI for a name based virtual host
>
> I’ve also investigated it with wireshark, the extionsion is defenitely not set.
It should not, see below.
>
> My config looks as follows:
[]
>
> <Proxy balancer://mycluster lbmethod=byrequests>
> BalancerMember https://127.0.0.1:8443
> BalancerMember https://127.0.0.1:8444
https://tools.ietf.org/html/rfc6066#section-3 :
...
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
So httpd won't set the SNI in your case, I guess "localhost" instead
of 127.0.0.1 would work...
>
> ProxyPreserveHost On
While this is meaningful for forwarded client requests (their "Host:"
header can be preserved on the backend side, instead of using the one
from the ProxyPass/BalancerMember directive), it does not apply to
healthcheck where connections/requests are created on the httpd proxy
and there is nothing to preserve, so the only hostname/SNI to use in
the one from ProxyPass/BalancerMember here.
So for healthcheck requests to be accepted by your backend (name based
virtual host), you need to set real hostnames in BalancerMember(s)
above, or use "localhost" provided that "ServerAlias localhost" is
configured on the backend for the relevant vhost.
Regards,
Yann.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|