Apache Remote proxy for a reverse proxy SNI mismatch

Question

Having an issue with our setup of an Apache-2.2 and a reverse proxy which is proxied to via another device.

flow is: Apache A -> proxy.abc.net -> Apache B

The error we get on Apache B is

Hostname proxy.abc.net provided via SNI and hostname backend.abc.net provided via HTTP are different

Current configuration

    <VirtualHost frontend.abc.com:80>

    ServerName frontend.abc.com

    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol -all +TLSv1
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:HIGH:!ADH:!MD5
    SSLCertificateFile conf/certs/cert.cer
    SSLProxyCACertificateFile certs/proxy.cer
    SSLCertificateKeyFile conf/certs/cert.pem
    SSLCertificateChainFile conf/certs/chain.cer


    DocumentRoot /foo/bar

    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost off
    ProxyErrorOverride On
    SetEnv proxy-sendchunked 1

    ProxyRemote "*"  https://proxy.abc.net:8080
    ProxyPass  /foo  https://backend.abc.net:8888/foo  disablereuse=on

</Virtual Host>

Adding

SSLProxyProtocol SSLv3

works as it doesn't do the SNI check, but SSLv3 isn't an option we are required to use TLSv1 or greater.

score 1 · Answer 1 · answered Dec 02 '18 at 01:59

Apache 2.2 has this check hardcoded (compares SNI hostname and Host hostname).

Apache 2.4 relaxes this condition and fails only if:

        * The request does not select the virtual host that was
        * selected by the SNI and its SSL parameters are different

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?view=annotate#l335

so the answer is to upgrade to 2.4.

Apache Remote proxy for a reverse proxy SNI mismatch

1 Answers1