As discussed on httpd-users (http://mail-archives.apache.org/mod_mbox/httpd-users/201204.mbox/%3C20120406121150.GC22138@dinsnail.net%3E) and httpd-dev (http://mail-archives.apache.org/mod_mbox/httpd-dev/201204.mbox/%3C4F7F6F8C.5020409@primary.net%3E), httpd-2.4 and later reverse proxies use SNI towards the backend server. If ProxyPreserveHost is turned On, a mismatch between the Host header and the SNI data can occur, which may cause the backend server to deny the request. This could be fixed by extracting the Host header from the request and putting its hostname into the SNI data.
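As an added example (not code from this bug or its patches), the following models which SNI name the proxy sends to the backend before and after the fix and flags the Host/SNI mismatch described above. The backend URL, Host values and the `fixed` flag are constructed assumptions; the pre-fix behaviour is modelled as taking the SNI name from the ProxyPass backend URL.

```python
# Added example, not code from the httpd bug or its patches: model which SNI
# name a reverse proxy sends to its backend and flag a Host/SNI mismatch.
# All hostnames, URLs and the "fixed" flag below are constructed assumptions.
import ipaddress
from urllib.parse import urlsplit


def hostname_from_host_header(host_header):
    """Bare hostname from a Host header: strips port and IPv6 brackets,
    lower-cases the name (DNS names are case-insensitive)."""
    value = host_header.strip()
    if value.startswith("["):                 # "[2001:db8::1]:8443"
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % host_header)
        return value[1:end].lower()
    host = value.partition(":")[0]            # "example.com:8443"
    if not host:
        raise ValueError("empty Host header: %r" % host_header)
    return host.lower()


def is_ip_literal(name):
    """RFC 6066 forbids IP literals in SNI, so none is sent for them."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def sni_name(backend_url, host_header, preserve_host, fixed):
    """SNI name the proxy sends ("" = none). Before the fix the name always
    comes from the ProxyPass backend URL; with the fix and ProxyPreserveHost
    On it is the client's Host header (r->hostname), so SNI matches Host."""
    if preserve_host and fixed:
        name = hostname_from_host_header(host_header)
    else:
        name = (urlsplit(backend_url).hostname or "").lower()
    return "" if is_ip_literal(name) else name


def host_sni_mismatch(backend_url, host_header, preserve_host, fixed):
    """True when SNI is sent and differs from the Host header the backend sees."""
    seen = (hostname_from_host_header(host_header) if preserve_host
            else (urlsplit(backend_url).hostname or "").lower())
    sni = sni_name(backend_url, host_header, preserve_host, fixed)
    return bool(sni) and sni != seen
```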
Created attachment 28658 [details]
use Host header for SNI data if ProxyPreserveHost is on

This patch parses the Host header, extracts the hostname and uses it for the CN check and SNI data if ProxyPreserveHost is On. This fixes the issue for me.
I forgot: The patch is against httpd-trunk as of 2012-04-22. But it also applies against httpd-2.4 HEAD as of the same date.
Created attachment 28697 [details]
Slightly different approach

I think it is better to use r->hostname instead of reparsing the host header again. Can you please check if this patch works for you as well?
(In reply to comment #3)
> Can you please check if this patch works for you as well?

Yes, your patch works fine.
Committed to trunk as r1333969. Thanks for testing.
Will this automatically show up in a 2.4.x release or do I need to do something more to make it happen?
Proposed for backport to 2.4.x as r1338662.
Will be in 2.4.3: r1356881
Released with 2.4.3. Proposed for 2.2.x.
When I checked (April 2012), 2.2 couldn't do SNI when reverse proxying. A backport (of just the fix) is moot then...
I can confirm that the problem is fixed in 2.4.3. As far as I am concerned, the bug can be closed. Thank you for all your help. BTW: I'm now facing a follow-up problem with subjectAltNames for which I've opened another bug #54030 with patches for 2.4.2 and trunk.