Hi Reid,

2017-06-03 3:11 GMT+02:00 Reid Watson <reid.wat...@auckland.ac.nz>:

> Hi Everyone,
>
> There are a few posts going around and I was wondering if anyone had some
> advice or experienced a similar issue
>
> Current Apache Version: httpd-2.4.12
>
> Issue
>
> - External Vendor WebServer enables SNI check
> - I currently connect to vendor via proxy (from Http to Https)
> - I disable ssl checks on the certificate
> - Each time we make a connection I'm returned 403, the reason is the
>   vendor enables SNI check and within the Client Hello (SSL Handshake) packet
>   we set ServerName from vHost "Internal-site.test.com"
>
> Basic config
>
> <VirtualHost *:*>
>
> ServerName Internal-site.test.com
>
> SSLProxyCheckPeerName off
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerExpire off
>
> RewriteCond %{REQUEST_URI} ^/path
> RewriteRule ^/path/(.*) https://vendor-site.com/$1 [P,L,E=vendor-site.com]
>
> </VirtualHost>
>
> Does anyone have any advice on the current issue or a trick / workaround
> with mod_ssl / mod_proxy
>
> for example would I attempt to overwrite the environment variable "SetEnv
> SSL_TLS_SNI vendor-site.com" ?
>

My understanding is that you want to have a (reverse) http proxy that responds to Internal-site.test.com with the content of vendor-site.com, leaving to httpd the responsibility to set the "right" TLS SNI domain (in this case the one that you want is vendor-site.com). Is my understanding correct?

Can you please turn loglevel to trace8 (https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) and show us what httpd logs during a request that returns 403?

Luca