Hi Yann,

I've tested the configuration you proposed. Unfortunately the problem is not solved by using hostnames. I still cannot see an SNI extension with Wireshark:

Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 189
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 185
            Version: TLS 1.2 (0x0303)
            Random: d0d713b41985eb8a78e657e12b9913bb77c97e7a0d1fce85...
            Session ID Length: 0
            Cipher Suites Length: 56
            Cipher Suites (28 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 88
            Extension: ec_point_formats (len=4)
            Extension: supported_groups (len=12)
            Extension: SessionTicket TLS (len=0)
            Extension: encrypt_then_mac (len=0)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=48)

My configuration is very simple:

Proxy Config:
--------------------------------------------------------------------------------------------
LogLevel debug
LogLevel ssl_module:debug
LogLevel proxy_hcheck:debug

Listen 127.0.0.1:443
ServerName www.localhost.com
SSLSessionCache nonenotnull

<VirtualHost 127.0.0.1:443>
    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on

    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=4 hcexpr=isok hcmethod=get hcuri=/index.html

    <Proxy balancer://mycluster lbmethod=byrequests>
        BalancerMember https://sesdev.tarsec.com:10030 hctemplate=template
        BalancerMember https://sesdev.tarsec.com:10031 hctemplate=template
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLProxyProtocol TLSv1
    </Proxy>

    <Location />
        ProxyPass balancer://mycluster/
        ProxyPassReverse balancer://mycluster/
    </Location>
</VirtualHost>
--------------------------------------------------------------------------------------------

Backends Configuration:
--------------------------------------------------------------------------------------------
ServerName sesdev.tarsec.com
Listen 127.0.0.1:10030
DocumentRoot ${SERVER_ROOT}/htdocs
ServerRoot ${SERVER_ROOT}
TypesConfig ${SERVER_ROOT}/conf/mime.types
LogLevel debug
ErrorLog ${SERVER_ROOT}/logs/error_log
TransferLog ${SERVER_ROOT}/logs/access_log
PidFile ${SERVER_ROOT}/logs/pid
SSLSessionCache nonenotnull
SSLCertificateFile ${TEST_ENV}/../testca/CaRoot/certs/sesdev.tarsec.com.cert.pem
SSLCertificateKeyFile ${TEST_ENV}/../testca/CaRoot/keys/sesdev.tarsec.com.key.pem
SSLProtocol TLSv1
SSLEngine on

<VirtualHost sesdev.tarsec.com:10030>
    SSLEngine on
    ServerName sesdev.tarsec.com
    ServerAlias sesdev.tarsec.com
    <Location />
    </Location>
</VirtualHost>
--------------------------------------------------------------------------------------------

Thanks!

Regards
Dominik

> -----Original Message-----
> From: Yann Ylavic <ylavic.dev@xxxxxxxxx>
> Sent: Friday, 19 October 2018 15:28
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: [users@httpd] SNI extension for healthchecks
>
> Hi Dominik,
>
> sorry for the late response.
>
> On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard <Dominik.Stillhard@united-security-providers.ch> wrote:
> >
> > I face the problem that the SNI extension is not set on healthcheck requests to a
> > backend using TLS. Because healthchecks are negative, this leads to ordinary requests
> > also being denied.
> >
> > On the backend server I have the following error:
> >
> > AH02033: No hostname was provided via SNI for a name based virtual
> > host
> >
> > I've also investigated it with Wireshark, the extension is definitely not set.
>
> It should not, see below.
>
> >
> > My config looks as follows:
> []
> >
> > <Proxy balancer://mycluster lbmethod=byrequests>
> > BalancerMember https://127.0.0.1:8443
> > BalancerMember https://127.0.0.1:8444
>
> https://tools.ietf.org/html/rfc6066#section-3 :
> ...
> Literal IPv4 and IPv6 addresses are not permitted in "HostName".
>
> So httpd won't set the SNI in your case, I guess "localhost" instead of 127.0.0.1 would
> work...
>
> >
> > ProxyPreserveHost On
>
> While this is meaningful for forwarded client requests (their "Host:"
> header can be preserved on the backend side, instead of using the one from the
> ProxyPass/BalancerMember directive), it does not apply to healthcheck where
> connections/requests are created on the httpd proxy and there is nothing to preserve,
> so the only hostname/SNI to use is the one from ProxyPass/BalancerMember here.
>
> So for healthcheck requests to be accepted by your backend (name based virtual
> host), you need to set real hostnames in BalancerMember(s) above, or use "localhost"
> provided that "ServerAlias localhost" is configured on the backend for the relevant
> vhost.
>
>
> Regards,
> Yann.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
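The Python script below is an added example for this thread; it is neither Dominik's nor Yann's code and is not part of httpd or mod_ssl. It does two things the discussion above relies on: it applies the RFC 6066 section 3 rule that Yann quotes (a BalancerMember whose host part is a literal IPv4/IPv6 address gets no server_name extension, a hostname does) to a backend URL, and it parses a TLS ClientHello the way the Wireshark dump above was read, listing the extensions present and extracting the SNI host name if there is one. The ClientHello bytes are constructed inside the script (random, cipher suite and extension payloads are placeholders, not a capture), and the BalancerMember URLs and hostnames reused from the thread serve only as sample input.

```python
import ipaddress
import struct
from urllib.parse import urlsplit

EXT_SERVER_NAME = 0

# Extension type numbers from the IANA TLS ExtensionType registry, for readable output.
EXT_NAMES = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    13: "signature_algorithms", 22: "encrypt_then_mac",
    23: "extended_master_secret", 35: "session_ticket",
}

def sni_hostname_for(backend_url):
    """Apply the RFC 6066 section 3 rule to a BalancerMember URL: a literal
    IPv4/IPv6 host part must not be sent as server_name (returns None);
    any other host part is the name to put into the SNI extension."""
    host = urlsplit(backend_url).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None            # literal address: SNI must not carry it
    except ValueError:
        return host            # a hostname, send it as server_name

def build_client_hello(sni_host=None):
    """Construct a minimal TLS 1.2 ClientHello (constructed test input, not a
    capture). Random, cipher suite and extension payloads are placeholders; the
    extension *types* mirror the ones visible in the Wireshark dump above."""
    exts = b""
    if sni_host is not None:
        name = sni_host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    exts += struct.pack("!HH", 11, 2) + b"\x01\x00"          # ec_point_formats
    exts += struct.pack("!HH", 10, 4) + b"\x00\x02\x00\x17"  # supported_groups
    exts += struct.pack("!HH", 35, 0)                         # session_ticket
    exts += struct.pack("!HH", 22, 0)                         # encrypt_then_mac
    exts += struct.pack("!HH", 23, 0)                         # extended_master_secret
    exts += struct.pack("!HH", 13, 4) + b"\x00\x02\x04\x01"  # signature_algorithms
    body = (b"\x03\x03" + b"\x00" * 32                        # client version, random
            + b"\x00"                                         # session id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"              # one cipher suite
            + b"\x01\x00"                                     # one compression method
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 + len24
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, TLS 1.0

def parse_client_hello(record):
    """Walk a TLS record carrying a ClientHello and return
    {"extensions": [(type, name), ...], "sni": hostname_or_None}.
    Raises ValueError on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip client version + random
    sid_len = body[pos]; pos += 1 + sid_len             # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    cm_len = body[pos]; pos += 1 + cm_len               # compression methods
    result = {"extensions": [], "sni": None}
    if pos == len(body):
        return result                                   # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns extensions block")
        data = body[pos:pos + elen]; pos += elen
        result["extensions"].append((etype, EXT_NAMES.get(etype, "unknown")))
        if etype == EXT_SERVER_NAME and elen >= 5:
            # server_name_list length(2), then name_type(1), name_length(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode("idna")
    return result

if __name__ == "__main__":
    for member in ("https://127.0.0.1:8443", "https://sesdev.tarsec.com:10030"):
        hello = build_client_hello(sni_hostname_for(member))
        print(member, "->", parse_client_hello(hello))
```

Running it prints, for the IP-literal member, a hello with the same six extension types as the dump above and no server_name, and for the hostname member a hello whose first extension is server_name carrying sesdev.tarsec.com. The script decides what the RFC rule calls for; it does not reproduce mod_ssl's own behaviour, which in the follow-up above still showed no SNI even with hostnames, so it is a way to read captures and to check member URLs, not a substitute for the trace.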