Opened 12 years ago
Closed 10 years ago
#229 closed enhancement (fixed)
proxy_pass should be able to set SNI hostname
Reported by: | Jakob Praher | Owned by: | somebody |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.3.x |
Keywords: | SSL SNI proxy_pass virtual host | Cc: | |
uname -a: | |||
nginx -V: | trunk |
Description
If the upstream source is a virtual host using SSL and selects the destination based on SNI, the upstream cannot process the request properly when served using nginx.
Here is an example that does not pass the SNI from the client to the upstream target.
location / {
    resolver 127.0.0.1;
    proxy_pass https://$host;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X_FORWARDED_PROTO https;
}
Attached you will find my attempt to fix the problem, which works for me but is not configurable through variables yet. Furthermore, it directly calls SSL_set_tlsext_host_name in the upstream library, due to difficulties in obtaining the host name: the patch uses ngx_http_upstream_t.resolved.host.
Attachments (1)
Change History (3)
by , 12 years ago
Attachment: | patch_ngx_http_upstream_ssl_init_connection_SNI.diff added |
---|
comment:1 by , 12 years ago
Status: | new → accepted |
---|---|
Summary: | SNI: proxy_pass ssl does use SSL_set_tlsext_host_name - nonsymmetric to setting Host header → proxy_pass should be able to set SNI hostname |
Type: | defect → enhancement |
While an ability to set SNI hostname in proxied connection would be good, it is a) a feature request, not a defect and b) should be taken with care as it needs to match the Host header as provided in the request (and it needs to be considered in upstream keepalive code, as one can't reuse connection with SNI hostname set to a different host). The patch attached is certainly not something suitable for generic use.
Additionally, I would recommend submitting further patches using nginx-devel@ mailing list, not here.
comment:2 by , 10 years ago
Resolution: | → fixed |
---|---|
sensitive: | → 0 |
Status: | accepted → closed |
Support for SNI was introduced in nginx 1.7.0 (see 7022564a9e0e), and can be activated using the proxy_ssl_server_name directive.
Patch for calling SSL_set_tlsext_host_name in ngx_http_upstream.c (revision 4888)
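The reporter's location block with the directive from the resolution applied, as an added example that is not part of the ticket or of the nginx source. It pairs SNI with upstream certificate verification, since SNI alone only selects the virtual host; the CA bundle path is a placeholder assumption.

```nginx
# Added example (not from the ticket). Requires nginx 1.7.0 or later.
location / {
    resolver 127.0.0.1;
    proxy_pass https://$host;
    proxy_redirect off;

    # Default is "off": no server_name extension is sent to the upstream,
    # so an SNI-based virtual host cannot pick the right certificate/site.
    proxy_ssl_server_name on;

    # Name sent in SNI and used when verifying the upstream certificate.
    # Kept identical to the Host header set below, as comment:1 requires.
    proxy_ssl_name $host;

    # SNI does not authenticate the upstream; verification does.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # Placeholder path (assumption): CA bundle that issued the upstream certs.
    proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X_FORWARDED_PROTO https;
}
```

Without proxy_ssl_verify, the upstream certificate is accepted unchecked regardless of the SNI name sent.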