proxy_pass not seen as SNI-client according to Apache directive
Lucas Rolff
lucas at slcoding.com
Sun Feb 14 19:14:20 UTC 2016
Hi guys,
I'm having a rather odd behavior - I use nginx as a reverse proxy
(basically as a CDN) - where if the file isn't in cache, I do use
proxy_pass to the origin server, to get the file and then cache it.
This works perfectly in most cases, but not if the origin is running Apache
and happens to use the Apache directive "SSLStrictSNIVHostCheck" with
it set to On.
Basically it decides whether a non-SNI client is allowed to access a
name-based virtual host over SSL or not.
But when using proxy_pass, it seems to the Apache server that it's a
non-SNI client:
[Sun Feb 14 19:32:50 2016] [error] No hostname was provided via SNI for a name based virtual host
[Sun Feb 14 19:33:00 2016] [error] No hostname was provided via SNI for a name based virtual host
I was able to replicate this issue on multiple nginx versions (on
1.8.1, 1.9.9 and 1.9.10).
It results in 403 forbidden for the client.
If I set the directive SSLStrictSNIVHostCheck to off, I do not get a 403
forbidden - and the files I try to fetch get fetched correctly.
(Meaning proxy_pass does understand SNI).
The nginx zone does a proxy_pass https://my_domain; and my_domain is
running on a server that runs SNI.
Best Regards,
Lucas Rolff
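
For reference, an added example that is not part of the original post: nginx sends no server name in the upstream TLS handshake unless proxy_ssl_server_name is enabled (it defaults to off), which matches the Apache error quoted above. The zone name, cache path, edge hostname and CA bundle path below are assumptions; my_domain is the placeholder used in the post.

```nginx
# Added example, not from the original post or the nginx project.
# Goes inside the http {} block. cdn_cache, the cache path, the edge
# hostname and the CA bundle path are assumed values.
proxy_cache_path /var/cache/nginx/cdn levels=1:2 keys_zone=cdn_cache:10m
                 max_size=1g inactive=60m;

server {
    listen 80;
    server_name cdn.example.com;          # hypothetical edge hostname

    location / {
        proxy_cache cdn_cache;
        proxy_pass  https://my_domain;    # placeholder origin from the post

        # With only the lines above, proxy_ssl_server_name stays at its
        # default (off): the TLS ClientHello to the origin carries no
        # server_name extension, so an origin with
        # "SSLStrictSNIVHostCheck On" treats nginx as a non-SNI client.

        # Send SNI to the origin. proxy_ssl_name defaults to the host
        # part of proxy_pass; it is set explicitly here for clarity.
        proxy_ssl_server_name on;
        proxy_ssl_name        my_domain;

        # Keep the HTTP Host header consistent with the SNI name so the
        # origin selects the same virtual host at both layers.
        proxy_set_header Host my_domain;

        # Upstream certificate verification is also off by default.
        # Enabling it makes nginx check the origin's certificate chain
        # and that the certificate matches proxy_ssl_name.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

The proxy_ssl_server_name, proxy_ssl_name and proxy_ssl_verify directives are available from nginx 1.7.0, so they apply to all versions named in the post.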