Hi Yann, I've tested the configuration you proposed. Unfortunately the problem is not solved by using hostnames.
I still cannot see an SNI extension with Wireshark:
Secure Sockets Layer
TLSv1 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 189
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 185
Version: TLS 1.2 (0x0303)
Random: d0d713b41985eb8a78e657e12b9913bb77c97e7a0d1fce85...
Session ID Length: 0
Cipher Suites Length: 56
Cipher Suites (28 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 88
Extension: ec_point_formats (len=4)
Extension: supported_groups (len=12)
Extension: SessionTicket TLS (len=0)
Extension: encrypt_then_mac (len=0)
Extension: extended_master_secret (len=0)
Extension: signature_algorithms (len=48)
My configuration is very simple:
Proxy Config:
--------------------------------------------------------------------------------------------
LogLevel debug
LogLevel ssl_module:debug
LogLevel proxy_hcheck:debug
Listen 127.0.0.1:443
ServerName www.localhost.com
SSLSessionCache nonenotnull
<VirtualHost 127.0.0.1:443>
ServerName www.localhost.com
ServerAlias localhost.com
SSLCertificateFile /etc/httpd/ssl/ca.crt
SSLCertificateKeyFile /etc/httpd/ssl/ca.key
SSLEngine on
SSLProxyEngine on
ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
ProxyHCTemplate template hcinterval=4 hcexpr=isok hcmethod=get hcuri=/index.html
<Proxy balancer://mycluster lbmethod=byrequests >
BalancerMember https://sesdev.tarsec.com:10030 hctemplate=template
BalancerMember https://sesdev.tarsec.com:10031 hctemplate=template
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyProtocol TLSv1
</Proxy>
<Location />
ProxyPass balancer://mycluster/
ProxyPassReverse balancer://mycluster/
</Location>
</VirtualHost>
--------------------------------------------------------------------------------------------
Backends Configuration:
--------------------------------------------------------------------------------------------
ServerName sesdev.tarsec.com
Listen 127.0.0.1:10030
DocumentRoot ${SERVER_ROOT}/htdocs
ServerRoot ${SERVER_ROOT}
TypesConfig ${SERVER_ROOT}/conf/mime.types
LogLevel debug
ErrorLog ${SERVER_ROOT}/logs/error_log
TransferLog ${SERVER_ROOT}/logs/access_log
PidFile ${SERVER_ROOT}/logs/pid
SSLSessionCache nonenotnull
SSLCertificateFile ${TEST_ENV}/../testca/CaRoot/certs/sesdev.tarsec.com.cert.pem
SSLCertificateKeyFile ${TEST_ENV}/../testca/CaRoot/keys/sesdev.tarsec.com.key.pem
SSLProtocol TLSv1
SSLEngine on
<VirtualHost sesdev.tarsec.com:10030>
SSLEngine on
ServerName sesdev.tarsec.com
ServerAlias sesdev.tarsec.com
<Location />
</Location>
</VirtualHost>
--------------------------------------------------------------------------------------------
Thanks! Regards Dominik
> -----Original Message-----
> From: Yann Ylavic <[email protected]>
> Sent: Friday, 19 October 2018 15:28
> To: [email protected]
> Subject: Re: [users@httpd] SNI extension for healthchecks
>
> Hi Dominik,
>
> sorry for the late response.
>
> On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard <Dominik.Stillhard@united-security-providers.ch> wrote:
> >
> > I face the problem that the sni extension is not set on healthcheck-requests to a
> > backend using tls. Because healthchecks are negative, this leads to ordinary
> > requests also being denied.
> >
> > on the backend server i have the following error:
> >
> > AH02033: No hostname was provided via SNI for a name based virtual host
> >
> > I've also investigated it with Wireshark; the extension is definitely not set.
>
> It should not, see below.
>
> >
> > My config looks as follows:
> []
> >
> > <Proxy balancer://mycluster lbmethod=byrequests>
> > BalancerMember https://127.0.0.1:8443
> > BalancerMember https://127.0.0.1:8444
>
> https://tools.ietf.org/html/rfc6066#section-3 :
> ...
> Literal IPv4 and IPv6 addresses are not permitted in "HostName".
>
> So httpd won't set the SNI in your case, I guess "localhost" instead of
> 127.0.0.1 would work...
>
> >
> > ProxyPreserveHost On
>
> While this is meaningful for forwarded client requests (their "Host:"
> header can be preserved on the backend side, instead of using the one from the
> ProxyPass/BalancerMember directive), it does not apply to healthcheck where
> connections/requests are created on the httpd proxy and there is nothing to
> preserve, so the only hostname/SNI to use is the one from ProxyPass/BalancerMember here.
>
> So for healthcheck requests to be accepted by your backend (name based virtual
> host), you need to set real hostnames in BalancerMember(s) above, or use
> "localhost" provided that "ServerAlias localhost" is configured on the backend
> for the relevant vhost.
>
>
> Regards,
> Yann.
>
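A runnable illustration of the two points the thread turns on, added here as an example; it is not code from either poster, nor from httpd or mod_proxy_hcheck. It implements the RFC 6066 rule Yann quotes (a literal IPv4/IPv6 address in the BalancerMember URL yields no server_name extension, a DNS name does) and a small parser for the ClientHello extension list, so a captured record can be checked for SNI the way the Wireshark dump above was read by eye. The parser handles any ClientHello, not only the one in the capture. The function names (`sni_for_backend`, `build_client_hello`, `parse_client_hello_extensions`, `sni_hostname`) are this example's own, not httpd APIs, and the records it builds are constructed: they carry the same extension types as the capture but shorter filler payloads.

```python
"""Added example (not from the thread, httpd or mod_proxy_hcheck): the RFC 6066
SNI rule for a BalancerMember host, plus a minimal ClientHello extension parser.
Every record below is constructed, not captured from the poster's setup."""
import ipaddress
import struct
from urllib.parse import urlsplit

# IANA TLS extension type numbers for the extensions named in the capture above.
EXT_NAMES = {
    0: "server_name",
    10: "supported_groups",
    11: "ec_point_formats",
    13: "signature_algorithms",
    22: "encrypt_then_mac",
    23: "extended_master_secret",
    35: "SessionTicket TLS",
}


def sni_for_backend(url):
    """Hostname eligible for SNI in a backend URL, or None.

    RFC 6066 section 3: literal IPv4/IPv6 addresses are not permitted in
    HostName, so https://127.0.0.1:8443 gets no server_name extension at all.
    (Assumed helper for illustration, not an httpd function.)
    """
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host        # a DNS name: usable as SNI
    return None            # a literal address: SNI must be omitted


def server_name_ext(hostname):
    """Payload of a server_name extension holding one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions):
    """Construct a TLS 1.2 ClientHello record with the given (type, payload)
    extensions. Random and cipher suite are fixed filler for testing."""
    ext_body = b"".join(struct.pack("!HH", t, len(p)) + p for t, p in extensions)
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random: zeroed filler (constructed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return [(type, name, payload)] for every extension in a ClientHello
    record; raise ValueError when the bytes are not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos == len(body):
        return []                                         # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        raise ValueError("extensions length exceeds ClientHello")
    found = []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension runs past the extension list")
        found.append((etype, EXT_NAMES.get(etype, "unknown(%d)" % etype), body[pos:pos + elen]))
        pos += elen
    return found


def sni_hostname(record):
    """host_name carried in server_name, or None when the extension is absent
    (which is what the capture above shows)."""
    for etype, _name, payload in parse_client_hello_extensions(record):
        if etype != 0:
            continue
        pos, end = 2, 2 + struct.unpack("!H", payload[:2])[0]
        while pos + 3 <= end:
            ntype, nlen = payload[pos], struct.unpack("!H", payload[pos + 1:pos + 3])[0]
            pos += 3
            if ntype == 0:
                return payload[pos:pos + nlen].decode("ascii")
            pos += nlen
    return None


# Constructed record with the capture's extension types and no server_name.
CAPTURE_LIKE = build_client_hello([
    (11, b"\x03\x00\x01\x02"),                                  # ec_point_formats (len=4)
    (10, b"\x00\x0a\x00\x1d\x00\x17\x00\x1e\x00\x19\x00\x18"),  # supported_groups (len=12)
    (35, b""), (22, b""), (23, b""),
    (13, b"\x00\x04\x04\x01\x05\x01"),                          # signature_algorithms (shortened)
])
# The same hello once the backend is addressed by a DNS name, so SNI is present.
WITH_SNI = build_client_hello([(0, server_name_ext("sesdev.tarsec.com")), (23, b"")])

if __name__ == "__main__":
    for member in ("https://127.0.0.1:8443", "https://sesdev.tarsec.com:10030"):
        print(member, "->", sni_for_backend(member))
    for rec in (CAPTURE_LIKE, WITH_SNI):
        print([n for _, n, _ in parse_client_hello_extensions(rec)], sni_hostname(rec))
```

Running the script prints `None` for the literal-IP member and the DNS name for the other, then lists the extension names of each constructed record with the SNI host it carries (`None` for the capture-like one). To check a real trace, feed the raw bytes of the ClientHello record (the TLS record starting at the `0x16` content type, as exported from Wireshark) to `sni_hostname`.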