Re: SNI extension for healthchecks

Hi Dominik,

On Mon, Oct 22, 2018 at 1:49 PM Dominik Stillhard
<Dominik.Stillhard@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> I've tested the configuration you proposed.
> Unfortunately the problem is not solved by using hostnames.

Yes, sorry, I was looking at 2.5/trunk code, while 2.4.x is missing
one commit (http://svn.apache.org/r1818726).
Without this change in 2.4.x, hostnames work for proxied requests but
not for healthchecks (supposedly).

Could you please try with the attached patch (a backport of r1818726 to 2.4.x)?

Regards,
Yann.
Index: modules/proxy/proxy_util.c
===================================================================
--- modules/proxy/proxy_util.c	(revision 1844553)
+++ modules/proxy/proxy_util.c	(working copy)
@@ -3203,6 +3203,13 @@ static int proxy_connection_create(const char *pro
                          backend_addr, conn->hostname);
             return HTTP_INTERNAL_SERVER_ERROR;
         }
+        if (conn->ssl_hostname) {
+            /* Set a note on the connection about what CN is requested,
+             * such that mod_ssl can check if it is requested to do so.
+             */
+            apr_table_setn(conn->connection->notes, "proxy-request-hostname",
+                           conn->ssl_hostname);
+        }
     }
     else {
         /* TODO: See if this will break FTP */
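Review bot: In the added `if (conn->ssl_hostname)` block, `apr_table_setn` stores the `conn->ssl_hostname` pointer in `conn->connection->notes` without copying it, and nothing in this hunk shows that the string outlives the connection's notes table. Please confirm which pool `ssl_hostname` is allocated from, or use `apr_table_set` so the note owns its own copy. The comment also still says "CN" while the note key is "proxy-request-hostname"; since the note is now set in one shared place, it is worth wording the comment around the requested hostname and saying what is expected when `ssl_hostname` is NULL and no note is set.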
Index: modules/proxy/mod_proxy_http.c
===================================================================
--- modules/proxy/mod_proxy_http.c	(revision 1844553)
+++ modules/proxy/mod_proxy_http.c	(working copy)
@@ -1972,20 +1972,10 @@ static int proxy_http_handler(request_rec *r, prox
         }
 
         /* Step Three: Create conn_rec */
-        if (!backend->connection) {
-            if ((status = ap_proxy_connection_create_ex(proxy_function,
-                                                        backend, r)) != OK)
-                break;
-            /*
-             * On SSL connections set a note on the connection what CN is
-             * requested, such that mod_ssl can check if it is requested to do
-             * so.
-             */
-            if (backend->ssl_hostname) {
-                apr_table_setn(backend->connection->notes,
-                               "proxy-request-hostname",
-                               backend->ssl_hostname);
-            }
+        if (!backend->connection &&
+                (status = ap_proxy_connection_create_ex(proxy_function,
+                                                        backend, r)) != OK) {
+            break;
         }
 
         /* Step Four: Send the Request
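Review bot: With the `backend->ssl_hostname` block removed from Step Three, the HTTP handler now relies entirely on `ap_proxy_connection_create_ex` to set "proxy-request-hostname", but the other hunk adds the note to the static `proxy_connection_create` in proxy_util.c and the patch does not show that the `_ex` entry point reaches it. Please confirm that call path (a sentence in the commit message would do), because if it does not hold, proxied requests silently lose the hostname note that mod_ssl is meant to check. As a style point, the assignment to `status` inside the combined `if (!backend->connection && (status = ...) != OK)` is harder to read than the original nested form; keeping the outer `if (!backend->connection)` with the call inside would make the diff smaller too.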
Index: modules/http2/mod_proxy_http2.c
===================================================================
--- modules/http2/mod_proxy_http2.c	(revision 1844553)
+++ modules/http2/mod_proxy_http2.c	(working copy)
@@ -590,21 +590,12 @@ run_connect:
             goto reconnect;
         }
         
-        if (!ctx->p_conn->data) {
-            /* New conection: set a note on the connection what CN is
-             * requested and what protocol we want */
-            if (ctx->p_conn->ssl_hostname) {
-                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner, 
-                              "set SNI to %s for (%s)", 
-                              ctx->p_conn->ssl_hostname, 
-                              ctx->p_conn->hostname);
-                apr_table_setn(ctx->p_conn->connection->notes,
-                               "proxy-request-hostname", ctx->p_conn->ssl_hostname);
-            }
-            if (ctx->is_ssl) {
-                apr_table_setn(ctx->p_conn->connection->notes,
-                               "proxy-request-alpn-protos", "h2");
-            }
+        if (!ctx->p_conn->data && ctx->is_ssl) {
+            /* New SSL connection: set a note on the connection about what
+             * protocol we want.
+             */
+            apr_table_setn(ctx->p_conn->connection->notes,
+                           "proxy-request-alpn-protos", "h2");
         }
     }
 
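Review bot: Removing the `ctx->p_conn->ssl_hostname` block here also drops the TRACE1 message "set SNI to %s for (%s)", and the replacement code added in proxy_util.c sets the note without logging anything. That trace is the only visible indication of which hostname was requested for a backend connection, which is exactly what one needs when debugging an SNI problem like the one in this thread; consider moving an equivalent `ap_log_cerror` call next to the new `apr_table_setn` in proxy_util.c so that every caller, healthchecks included, gets it. The merged condition `!ctx->p_conn->data && ctx->is_ssl` is equivalent to the old nesting for the ALPN note, so no concern there.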