proxy_pass not seen as SNI-client according to Apache directive

Lucas Rolff lucas at slcoding.com
Sun Feb 14 19:14:20 UTC 2016


Hi guys,

I'm having a rather odd behavior - I use nginx as a reverse proxy 
(basically as a CDN) - where if the file isn't in cache, I do use 
proxy_pass to the origin server, to get the file and then cache it.

This works perfectly in most cases, but not if the origin is running Apache 
and happens to use the Apache directive "SSLStrictSNIVHostCheck" 
set to On.

Basically it decides whether a non-SNI client is allowed to access a 
name-based virtual host over SSL or not.
But when using proxy_pass, it seems to the Apache server that it's a 
non-SNI client:
[Sun Feb 14 19:32:50 2016] [error] No hostname was provided via SNI for a name based virtual host
[Sun Feb 14 19:33:00 2016] [error] No hostname was provided via SNI for a name based virtual host

I was able to replicate this issue on multiple nginx versions (on 
1.8.1, 1.9.9 and 1.9.10).
It results in 403 forbidden for the client.

If I set the directive SSLStrictSNIVHostCheck to off, I do not get a 403 
forbidden - and the files I try to fetch get fetched correctly. 
(Meaning proxy_pass does understand SNI).

The nginx zone does a proxy_pass https://my_domain; and my_domain is 
running on a server that runs SNI.

Best Regards,
Lucas Rolff
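
Added example, not part of the original post and not the poster's configuration: nginx sends no SNI on upstream TLS connections unless proxy_ssl_server_name is enabled, which matches the Apache error quoted above. The origin name my_domain is taken from the post; the cache zone name, cache path, edge host name and CA bundle path are assumptions.

```nginx
# Added example (http{} context). "cdn_cache", the cache path, the edge
# host name and the CA bundle path are assumptions; my_domain is the
# origin named in the post.
proxy_cache_path /var/cache/nginx/cdn levels=1:2 keys_zone=cdn_cache:10m
                 max_size=1g inactive=60m;

server {
    listen 80;
    server_name cdn.example.com;   # placeholder edge host name

    location / {
        proxy_cache cdn_cache;
        proxy_pass  https://my_domain;

        # Default is "off": the upstream ClientHello then carries no
        # server_name extension, and Apache with SSLStrictSNIVHostCheck On
        # rejects the request (the 403 described in the post).
        proxy_ssl_server_name on;

        # Name sent in SNI and used for certificate verification.
        # Defaults to the host part of proxy_pass; set it explicitly when
        # proxy_pass points at an upstream{} group or an IP address.
        proxy_ssl_name my_domain;

        # Keep the Host header equal to the SNI name so the origin selects
        # the same name-based virtual host for both.
        proxy_set_header Host my_domain;

        # Verify the origin certificate instead of accepting any peer.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

After a reload, the origin's error log should stop recording "No hostname was provided via SNI" for requests coming from the proxy.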


