SNI extension for healthchecks

2018-10-19 Thread Dominik Stillhard
I asked this on the users mailing list and didn’t get any feedback so far, so 
I’ll forward it here. Maybe someone here has an idea…
Bug report: https://bz.apache.org/bugzilla/show_bug.cgi?id=62837


From: Stillhard, Dominik
Sent: Tuesday, 16 October 2018 12:44
To: us...@httpd.apache.org
Subject: [users@httpd] SNI extension for healthchecks [signed OK]

Hello all

I face the problem that the SNI extension is not set on healthcheck requests 
to a backend using TLS. Because healthchecks are negative, this leads to 
ordinary requests also being denied.

On the backend server I have the following error:
AH02033: No hostname was provided via SNI for a name based virtual host
I’ve also investigated it with Wireshark; the extension is definitely not set.

My config looks as follows:
-
Listen 127.0.0.1:443
ServerName www.localhost.com


ServerName www.localhost.com
ServerAlias localhost.com
SSLCertificateFile /etc/httpd/ssl/ca.crt
SSLCertificateKeyFile /etc/httpd/ssl/ca.key
SSLEngine on
SSLProxyEngine on

ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

  
BalancerMember https://127.0.0.1:8443
BalancerMember https://127.0.0.1:8444
ProxyPreserveHost On
SSLProxyProtocol  TLSv1
  
  
ProxyPass  balancer://mycluster/
ProxyPassReverse  balancer://mycluster/
  

-
I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the 
problem ..
Am I missing something, or is this eventually a bug in mod_proxy_hcheck?
Thanks in advance for help/ideas on this!

Cheers
Dominik





SSLProxy* directives not working inside section

2018-06-26 Thread Dominik Stillhard
According to the documentation it should be possible to set SSLProxy* directives 
inside a  section. I'm trying to do something like this:


  SSLProxyEngine on
  
  SSLProxyProtocol TLSv1.2
  SSLProxyCipherSuite 
  (other SSLProxy* directives like SSLProxyCAFile etc.)
  BalancerMember 1.
  BalancerMember 2.
  


The idea behind that is that I want to set different TLS settings (for 
healthchecks) on different load balancers.
When I put the SSLProxy directives on VHost level it works, but not inside 


Any suggestions welcome.

Dominik

