I face the problem that the SNI extension is not set on health check requests to a backend using TLS encryption. Because health checks are negative, this leads to ordinary requests also being denied.
Apache version 2.4.35
On the backend server I have the following error:
AH02033: No hostname was provided via SNI for a name based virtual host
I’ve also investigated it with Wireshark, the extension is definitely not set.
My config looks as follows:
Listen 127.0.0.1:443
ServerName www.localhost.com
<VirtualHost 127.0.0.1:443>
    ServerName www.localhost.com
    ServerAlias localhost.com
    SSLCertificateFile /etc/httpd/ssl/ca.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ca.key
    SSLEngine on
    SSLProxyEngine on
    ProxyHCExpr isok {%{REQUEST_STATUS} =~ /^[23]/}
    ProxyHCTemplate template hcinterval=5 hcexpr=isok hcmethod=get hcuri=/healthcheck.php
    <Proxy balancer://mycluster lbmethod=byrequests>
        BalancerMember https://127.0.0.1:8443
        BalancerMember https://127.0.0.1:8444
        ProxyPreserveHost On
        SSLProxyProtocol TLSv1
    </Proxy>
    <Location />
        ProxyPass balancer://mycluster/
        ProxyPassReverse balancer://mycluster/
    </Location>
</VirtualHost>
I’ve read that ProxyPreserveHost should be «on», but this doesn’t solve the problem. Am I missing something, or is this eventually a bug in mod_proxy_hcheck? Thanks in advance for help/ideas on this!
The problem is fixed with the patch provided on the official bug report: