apache load-balancing httpd.conf mod-proxy mod-ssl

SNI extension not set in healthcheck requests (Apache v.2.4.35)


I face the problem that the SNI extension is not set on health check requests to a backend using TLS encryption. Because health checks are negative, this leads to ordinary requests also being denied.

Apache version 2.4.35

On the backend server I have the following error:

AH02033: No hostname was provided via SNI for a name based virtual host

I’ve also investigated it with Wireshark; the extension is definitely not set.

My config looks as follows:

Listen 127.0.0.1:443
ServerName www.localhost.com

<VirtualHost 127.0.0.1:443>
    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on

    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php

  <Proxy balancer://mycluster lbmethod=byrequests>
    BalancerMember https://127.0.0.1:8443
    BalancerMember https://127.0.0.1:8444
    ProxyPreserveHost On
    SSLProxyProtocol  TLSv1
  </Proxy>

  <Location />
    ProxyPass  balancer://mycluster/
    ProxyPassReverse  balancer://mycluster/
  </Location>
</VirtualHost>

I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the problem. Am I missing something, or is this eventually a bug in mod_proxy_hcheck? Thanks in advance for help/ideas on this!


Solution

  • The problem is fixed with the patch provided on the official bug report:

    https://bz.apache.org/bugzilla/show_bug.cgi?id=62837
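
To check for the missing extension without Wireshark, for example before and after applying the patch, the first TLS record a backend receives can be parsed for the server_name extension that AH02033 complains about. This is an added example, not code from the post or from the Apache project; `extract_sni` and `local_client_hello` are hypothetical names, and the sample ClientHello bytes are constructed locally in memory with Python's `ssl` module rather than captured from Apache.

```python
import ssl
import struct

def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent.
    Assumes the whole ClientHello arrived in a single TLS record."""
    # Record header: content type (22 = handshake), version (2), length (2)
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 1:      # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                       # handshake header, client_version, random
    pos += 1 + body[pos]                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                   # compression_methods
    if pos + 2 > len(body):
        return None                        # ClientHello without any extensions
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        # Extension 0 = server_name (RFC 6066): list length (2),
        # name type (1, 0 = host_name), name length (2), name bytes
        if ext_type == 0 and ext[2:3] == b"\x00":
            name_len = struct.unpack("!H", ext[3:5])[0]
            return ext[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def local_client_hello(server_name):
    """Constructed sample: build a ClientHello in memory (no network traffic)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                               # the ClientHello now sits in `outgoing`
    return outgoing.read()

if __name__ == "__main__":
    for name in ("www.localhost.com", None):
        print(name, "->", extract_sni(local_client_hello(name)))
```

A `None` result for the first bytes a backend receives from the proxy's health checker corresponds to the condition the backend logs as AH02033.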