Opened 8 years ago

Closed 6 years ago

#229 closed enhancement (fixed)

proxy_pass should be able to set SNI hostname

Reported by: Jakob Praher
Owned by: somebody
Priority: minor
Milestone:
Component: nginx-module
Version: 1.3.x
Keywords: SSL SNI proxy_pass virtual host
Cc:
uname -a:
nginx -V: trunk

Description

If the upstream source is a virtual host using SSL and selects the destination based on SNI, the upstream cannot process the request properly when served using nginx.

Here is an example that does not pass the SNI from the client to the upstream target.

    location / {
        resolver 127.0.0.1;
        proxy_pass https://$host;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X_FORWARDED_PROTO https;
    }

Attached you will find my attempt to fix the problem, which works for me but is not configurable through variables yet. Furthermore, it directly calls SSL_set_tlsext_host_name in the upstream library, due to difficulties in obtaining the host name: the patch uses ngx_http_upstream_t.resolved.host.

Attachments (1)

patch_ngx_http_upstream_ssl_init_connection_SNI.diff (1.1 KB) - added by Jakob Praher 8 years ago.
Patch for calling SSL_set_tlsext_host_name in ngx_http_upstream.c (revision 4888)


Change History (3)

by Jakob Praher, 8 years ago

Patch for calling SSL_set_tlsext_host_name in ngx_http_upstream.c (revision 4888)

comment:1 by Maxim Dounin, 8 years ago

Status: new → accepted
Summary: SNI: proxy_pass ssl does use SSL_set_tlsext_host_name - nonsymmetric to setting Host header → proxy_pass should be able to set SNI hostname
Type: defect → enhancement

While an ability to set the SNI hostname in a proxied connection would be good, it is a) a feature request, not a defect, and b) should be taken with care, as it needs to match the Host header as provided in the request (and it needs to be considered in upstream keepalive code, as one can't reuse a connection with the SNI hostname set to a different host). The patch attached is certainly not something suitable for generic use.

Additionally, I would recommend submitting further patches using nginx-devel@ mailing list, not here.

comment:2 by Maxim Dounin, 6 years ago

Resolution: fixed
sensitive: 0
Status: accepted → closed

Support for SNI was introduced in nginx 1.7.0 (see 7022564a9e0e), and can be activated using the proxy_ssl_server_name directive.
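
Added example, not part of the ticket or of the nginx project's own material: the location block from the description with the proxy_ssl_server_name directive from comment:2 enabled, and the SNI name pinned to the same value as the Host header, as comment:1 requires. The proxy_ssl_name, proxy_ssl_verify and proxy_ssl_trusted_certificate lines are additions of this example, and the CA bundle path is a placeholder.

```nginx
# Added example (nginx 1.7.0 or later). The CA bundle path is a placeholder.
location / {
    resolver 127.0.0.1;
    proxy_pass https://$host;

    # Send the SNI extension in the TLS handshake to the upstream.
    # Off by default, so the original block never sent a server name.
    proxy_ssl_server_name on;

    # Name sent as SNI and checked against the upstream certificate.
    # Set explicitly so it is the same value as the Host header below.
    proxy_ssl_name $host;

    # SNI only selects the virtual host; it does not authenticate it.
    # Verification is off by default, so enable it and supply trusted CAs.
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # placeholder path

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X_FORWARDED_PROTO https;
}
```

Running `nginx -t` after the change confirms the directives are accepted by the installed version.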
