After sending the patch I did more tests with different backend real servers and found out that Apache 2.4 as a server doesn't like to be asked for an SNI hostname different than the hostname on the Host header and gives an error.
I've found a more complete patch available here: https://bz.apache.org/bugzilla/show_bug.cgi?id=54656

But the discussion seems to have ended there. From what I see, if you want ProxyPreserveHost you must have the frontend certs available at the backend, at least with Apache backend servers, as that's how they are implementing this: the Host header must match the certificate name. Before SNI on Apache you could have a backend server with its own certificate serving a Host of another domain, but this is no longer allowed.

I really think they should think about this again. IMHO the backend server should allow a mismatch if they are coming through a proxy or if a directive tells it to do so, something like SSLStrictSNIVHostCheck but that relaxes the check. Not allowing this will mean that people won't check or use certificates from the frontend to the backend, which means lower security :-(

Regards.
--
Manty/BestiaTester -> http://manty.net