Hi Reid, while re-reading the logs I noticed one thing:
2017-06-07 2:42 GMT+02:00 Reid Watson <reid.wat...@auckland.ac.nz>:
>
> [Wed Jun 07 11:54:28.887001 2017] [ssl:trace3] [pid 9177:tid
> 140532624602880] ssl_engine_io.c(1086): [remote 54.230.144.17:443] SNI
> extension for SSL Proxy request set to 'Internal-site.test.com'
> [Wed Jun 07 11:54:28.887011 2017] [ssl:trace3] [pid 9177:tid
> 140532624602880] ssl_engine_kernel.c(1788): [remote 54.230.144.17:443]
> OpenSSL: Handshake: start
> [..]
> [Wed Jun 07 11:54:29.302044 2017] [proxy_http:trace3] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1424): [client 10.0.0.1:19478] Status
> from backend: 403
> [Wed Jun 07 11:54:29.302056 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1099): [client 10.0.0.1:19478] Headers
> received from backend:
> [Wed Jun 07 11:54:29.302063 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Server:
> CloudFront
> [Wed Jun 07 11:54:29.302068 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Date:
> Tue, 06 Jun 2017 23:54:29 GMT
> [Wed Jun 07 11:54:29.302075 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478]
> Content-Type: text/html
> [Wed Jun 07 11:54:29.302078 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478]
> Content-Length: 555
> [Wed Jun 07 11:54:29.302082 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478]
> Connection: close
> [Wed Jun 07 11:54:29.302085 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] X-Cache:
> Error from cloudfront
> [Wed Jun 07 11:54:29.302089 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Via: 1.1
> 515297ac55a7ae01bf8c7d03df4fecb1.cloudfront.net (CloudFront)
> [Wed Jun 07 11:54:29.302092 2017] [proxy_http:trace4] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478]
> X-Amz-Cf-Id: xxxxxxxx
> [Wed Jun 07 11:54:29.302103 2017] [proxy_http:trace3] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1687): [client 10.0.0.1:19478] start
> body send
>

There is a clear indication that the SNI is wrong:

SNI extension for SSL Proxy request set to 'Internal-site.test.com'

So my understanding is that you correctly perform the TLS handshake to Amazon CloudFront (used as CDN), but since the SNI is wrong you get a 403 from the backend.

Can you try to replace your Rewrite rules with mod_proxy_http and ProxyPass (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) and see if anything changes (namely if the SNI is set to the one that you expect)?

Luca
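
The check made by eye above (which SNI was sent on the proxied TLS connection, and what status the backend then returned) can be run over a longer trace. This is an added example, not part of the original message or of httpd itself; the expected hostname `expected-origin.example.com` is a hypothetical placeholder, the sample lines are re-joined from the trace quoted above, and pairing by pid/tid assumes a worker thread handles one request at a time.

```python
import re

# Sample input: three lines re-joined from the trace quoted in this message.
SAMPLE_LOG = """\
[Wed Jun 07 11:54:28.887001 2017] [ssl:trace3] [pid 9177:tid 140532624602880] ssl_engine_io.c(1086): [remote 54.230.144.17:443] SNI extension for SSL Proxy request set to 'Internal-site.test.com'
[Wed Jun 07 11:54:28.887011 2017] [ssl:trace3] [pid 9177:tid 140532624602880] ssl_engine_kernel.c(1788): [remote 54.230.144.17:443] OpenSSL: Handshake: start
[Wed Jun 07 11:54:29.302044 2017] [proxy_http:trace3] [pid 9177:tid 140532624602880] mod_proxy_http.c(1424): [client 10.0.0.1:19478] Status from backend: 403
"""

# Common prefix of the trace lines: timestamp, module:level, pid/tid, source file, peer.
PREFIX = re.compile(
    r"^\[[^\]]+\] \[[\w:]+\] \[pid (\d+):tid (\d+)\] \S+: "
    r"\[(?:remote|client) [^\]]+\] (.*)$")
SNI = re.compile(r"SNI extension for SSL Proxy request set to '([^']+)'")
STATUS = re.compile(r"Status from backend: (\d{3})")


def correlate(log_text, expected_sni):
    """Pair each backend status with the SNI last sent by the same worker thread."""
    last_sni = {}   # (pid, tid) -> SNI most recently set on that thread
    findings = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a trace line in the expected format
        worker, msg = (m.group(1), m.group(2)), m.group(3)
        sni_match = SNI.search(msg)
        status_match = STATUS.search(msg)
        if sni_match:
            last_sni[worker] = sni_match.group(1)
        elif status_match:
            sni = last_sni.get(worker)
            findings.append({
                "worker": worker,
                "sni": sni,
                "status": int(status_match.group(1)),
                # Hostnames compare case-insensitively.
                "sni_mismatch": sni is not None
                and sni.lower() != expected_sni.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, "expected-origin.example.com"):
        print(finding)
```
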