proxy_pass should be able to set SNI hostname

[Jakob Praher]

if the upstream source is a virtual host using ssl and selects the destintation based on SNI, the upstream cannot process the request properly when served using nginx.

Here is an example that does not pass the SNI from the client to the upstream target.

location / {

resolver 127.0.0.1;
proxy_pass ​https://$host;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X_FORWARDED_PROTO https;

}

Attached you find my try to fix the problem which works for me, but is not configurable through variables yet. Furtheremore it directly calls the SSL_set_tlsext_host_name in the upstream library, due to difficulties how to obtain the host name: the patch uses ngx_http_upstream_t.resolved.host.

[Jakob Praher]

Patch for calling SSL_set_tlsext_host_name in ngx_http_upstream.c (revision 4888)

[Maxim Dounin]

While an ability to set SNI hostname in proxied connection would be good, it is a) feature request, not a defect and b) should be taken with care as it needs to match the Host header as provided in the request (and it needs to be considered in upstream keepalive code, as one can't reuse connection with SNI hostname set to a different host). The patch attached certainly not something suitable for generic use.

Additionally, I would recommend submitting further patches using nginx-devel@ mailing list, not here.

[Maxim Dounin]

Support for SNI introduced in nginx 1.7.0 (see 7022564a9e0e), and can be activated using the ​proxy_ssl_server_name directive.