From: William A. Rowe Jr <wrowe@apache.org>
Date: Thu, 27 Jun 2013 17:29:17 +0000 (+0000)
Subject: mod_proxy_http: Use the same hostname for SNI as for the HTTP request when
X-Git-Tag: 2.2.25~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae3fcb04a5b71b4cd055b8a365be809d6276b052;p=thirdparty%2Fapache%2Fhttpd.git

mod_proxy_http: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends.

PR: 53134
Backports: r1333969
Submitted by: Michael Weiser <michael weiser.dinsnail.net>, rpluem
Reviewed by: covener, wrowe, rjung



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497470 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index c7b2c6c4b16..f4f25b6f3cb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,6 +20,10 @@ Changes with Apache 2.2.25
   *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
      [Kaspar Brand]
 
+  *) mod_proxy: Use the the same hostname for SNI as for the HTTP request when
+     forwarding to SSL backends. PR 53134.
+     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
+
   *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
      in the error log to debug level.  [William Rowe]
 
diff --git a/STATUS b/STATUS
index 716833afb08..e41c99b1207 100644
--- a/STATUS
+++ b/STATUS
@@ -96,14 +96,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
   
-   * mod_proxy_http: Use the same hostname for SNI as for the HTTP request when
-     forwarding to SSL backends.
-     PR: 53134
-     Based on a patch from: Michael Weiser <michael weiser.dinsnail.net>
-     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1333969
-     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356881
-     2.2.x patch: http://people.apache.org/~rjung/patches/mod_proxy_http-fix-hostname-ssl-2_2.patch
-     +1: covener, wrowe, rjung (w/r1175416 above applied first)
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index ba01c68152f..072c24a36f1 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -2023,8 +2023,22 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
          * so.
          */
         if (is_ssl) {
+            const char *ssl_hostname;
+
+            /*
+             * In the case of ProxyPreserveHost on use the hostname of
+             * the request if present otherwise use the one from the
+             * backend request URI.
+             */
+            if ((conf->preserve_host != 0) && (r->hostname != NULL)) {
+                ssl_hostname = r->hostname;
+            }
+            else {
+                ssl_hostname = uri->hostname;
+            }
+
             apr_table_set(backend->connection->notes, "proxy-request-hostname",
-                          uri->hostname);
+                          ssl_hostname);
         }
     }