Hi Luca,

"My understanding is that you want to have a (reverse) HTTP proxy that responds
to Internal-site.test.com with the content of vendor-site.com, leaving it to
httpd to set the "right" TLS SNI domain (in this case the one that you want is
vendor-site.com).

Is my understanding correct?"

You are correct. I will turn on extra logging ("trace8") tomorrow morning and
complete further testing.

________________________________
From: Luca Toscano <toscano.l...@gmail.com>
Sent: 06 June 2017 03:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] Vendor Connection via Proxy to SNI Server response 
403 Forbidden

Hi Reid,

2017-06-03 3:11 GMT+02:00 Reid Watson <reid.wat...@auckland.ac.nz>:
Hi Everyone,

There are a few posts going around and I was wondering if anyone had some advice
or had experienced a similar issue.

Current Apache Version: httpd-2.4.12

Issue

- The external vendor web server enables an SNI check
- I currently connect to the vendor via proxy (from HTTP to HTTPS)
- I disable SSL checks on the certificate
- Each time we make a connection I'm returned a 403; the reason is that the
vendor enables an SNI check, and within the Client Hello (SSL handshake) packet
we set ServerName from the vHost "Internal-site.test.com"

Basic config

<VirtualHost *:*>

    ServerName Internal-site.test.com

    # Needed to proxy to an https:// backend at all (presumably set elsewhere
    # in the running config, since the vendor already answers with a 403).
    SSLProxyEngine on

    # Disables verification of the vendor's certificate (hostname, CN, expiry).
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    # Rewrite rules inside a vhost are ignored unless the engine is on.
    RewriteEngine on

    # Reverse-proxy /path/... to the vendor over TLS. Note that E=vendor-site.com
    # sets an environment variable literally named "vendor-site.com" (to an
    # empty value); it has no effect on the SNI name.
    RewriteCond %{REQUEST_URI} ^/path
    RewriteRule ^/path/(.*) https://vendor-site.com/$1 [P,L,E=vendor-site.com]

</VirtualHost>

Does anyone have any advice on the current issue, or a trick / workaround with
mod_ssl / mod_proxy?

For example, would I attempt to overwrite the environment variable with "SetEnv
SSL_TLS_SNI vendor-site.com"?

My understanding is that you want to have a (reverse) HTTP proxy that responds
to Internal-site.test.com with the content of vendor-site.com, leaving it to
httpd to set the "right" TLS SNI domain (in this case the one that you want is
vendor-site.com).

Is my understanding correct? Can you please set LogLevel to trace8
(https://httpd.apache.org/docs/2.4/mod/core.html#loglevel) and show us what
httpd logs during a request that returns 403?

Luca

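An added example for reference, not part of the thread and not either poster's configuration: a minimal httpd 2.4 reverse proxy for an HTTPS backend that sends the backend's hostname as the TLS SNI name and actually verifies the backend certificate, with the weak settings from the thread shown commented out beside the hardened ones. Hostnames, the CA bundle path and the vhost port are placeholders. It uses ProxyPass in place of the thread's RewriteRule [P]; both hand the request to mod_proxy, so the SNI behaviour is the same. One thing worth checking in a setup like the one described: in httpd 2.4, mod_proxy passes the incoming request's Host header (here Internal-site.test.com) to mod_ssl as the SNI name when ProxyPreserveHost is On, and the backend URL's hostname (vendor-site.com) when it is Off. The thread does not show whether ProxyPreserveHost is set anywhere, so this is a check, not a diagnosis.

```apache
# Added example (not from the thread): minimal httpd 2.4 reverse proxy to an
# HTTPS backend with correct SNI and backend certificate verification.
# Hostnames, paths and ports are placeholders.

LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName Internal-site.test.com

    # Required for any https:// backend.
    SSLProxyEngine on

    # Leave this at its default (Off). With it On, mod_proxy 2.4 uses the
    # *incoming* Host header (Internal-site.test.com) as the SNI name on the
    # backend connection; with it Off the SNI name is the backend URL's host.
    ProxyPreserveHost Off

    # Weak form from the thread: every certificate is accepted, so anyone who
    # can steer the proxy's outbound traffic can impersonate the vendor.
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerName off
    #   SSLProxyCheckPeerCN off
    #   SSLProxyCheckPeerExpire off

    # Hardened form: verify the chain against a trusted CA bundle and require
    # the certificate to match the backend hostname and be within validity.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /etc/ssl/certs/vendor-ca-bundle.pem   # placeholder
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Forward /path/... to the vendor. With ProxyPreserveHost Off the Host
    # header sent upstream, and the SNI name, are both vendor-site.com.
    ProxyPass        /path/ https://vendor-site.com/
    ProxyPassReverse /path/ https://vendor-site.com/

    # While debugging only: mod_ssl logs the SNI name it sets on the proxy
    # connection, and mod_proxy logs the backend connection details.
    LogLevel warn ssl:trace8 proxy:trace8
</VirtualHost>
```

With this in place the SNI name in the outbound Client Hello should be the backend's, and the trace log is where to confirm it before touching anything else. The trade-off of the hardened block is operational: when the vendor rotates to a certificate not chained to the pinned bundle, the proxy will refuse the connection with a 502 rather than silently talking to whoever answered, which is the behaviour you want from a proxy that carries internal traffic to a third party.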