proxy_pass not seen as SNI-client according to Apache directive

Maxim Dounin mdounin at mdounin.ru
Mon Feb 15 02:16:38 UTC 2016


Hello!

On Sun, Feb 14, 2016 at 01:46:48PM -0800, Robert Paprocki wrote:

> > On Feb 14, 2016, at 12:58, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > Hello!
> > 
> >> On Sun, Feb 14, 2016 at 08:14:20PM +0100, Lucas Rolff wrote:
> >> 
> >> I'm having a rather odd behavior - I use nginx as a reverse proxy (basically
> >> as a CDN) - where if the file isn't in cache, I do use proxy_pass to the
> >> origin server, to get the file and then cache it.
> >> 
> >> This works perfectly in most cases, but if the origin is running Apache and
> >> happens to use the Apache directive "SSLStrictSNIVHostCheck" where it's set
> >> to On.
> > 
> > http://nginx.org/r/proxy_ssl_server_name
> 
> Out of curiosity, is there a philosophical/design reason this 
> option is not enabled by default?

There was no support for client-side SNI till nginx 1.7.0, and 
when introduced it was set off by default to avoid breaking 
existing configurations.

Additionally, client-side SNI discloses information about the domain 
name used to connect to (which is bad from a security point of 
view), and hardly makes sense without peer certificate verification 
(http://nginx.org/r/proxy_ssl_verify), which is also off by 
default and can't be enabled without a list of trusted 
certificates.

-- 
Maxim Dounin
http://nginx.org/
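The two directives referenced in the reply above, shown in a reverse-proxy cache configuration as an added example that is not part of the original thread. The hostnames, cache path and CA bundle path are placeholders; the directives themselves (proxy_ssl_server_name, proxy_ssl_name, proxy_ssl_verify, proxy_ssl_verify_depth, proxy_ssl_trusted_certificate) are the documented nginx ones and need nginx 1.7.0 or later. The weak (default) settings are kept as comments beside the corrected ones so the difference is visible in one place.

```nginx
# Added example, not from the mailing-list thread. Hostnames and paths are placeholders.
proxy_cache_path /var/cache/nginx/cdn levels=1:2 keys_zone=cdn:10m max_size=1g inactive=60m;

server {
    listen 80;
    server_name cdn.example.com;            # placeholder edge hostname

    location / {
        proxy_cache cdn;
        proxy_cache_valid 200 301 302 10m;

        # nginx defaults (the weak setting): no SNI is sent to the origin and the
        # origin's certificate is not verified. An Apache origin with
        # SSLStrictSNIVHostCheck On rejects such a handshake, and a spoofed origin
        # would be accepted silently.
        # proxy_ssl_server_name off;
        # proxy_ssl_verify off;

        # Corrected setting: send SNI and verify the origin against a known CA.
        proxy_ssl_server_name on;                       # SNI value comes from proxy_ssl_name
        proxy_ssl_name origin.example.com;              # placeholder; default is $proxy_host
        proxy_ssl_verify on;                            # reject unverifiable origin certificates
        proxy_ssl_verify_depth 2;                       # allow one intermediate CA
        proxy_ssl_trusted_certificate /etc/nginx/origin-ca.pem;   # placeholder CA bundle (PEM)

        proxy_set_header Host origin.example.com;       # placeholder; must match the origin vhost
        proxy_pass https://origin.example.com;          # placeholder origin
    }
}
```

Enabling proxy_ssl_verify without a proxy_ssl_trusted_certificate is a configuration error (nginx -t reports it), which is the practical reason verification cannot simply default to on. With both directives set, a mismatch between proxy_ssl_name and the name in the origin's certificate fails the handshake and is logged in the error log, so the check should be tested against the real origin before the cache is put in front of it.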