Don't allow SSL proxy connections to be reused
author Tom Hughes <tom@compton.nu>
Fri, 29 Aug 2014 15:47:56 +0000 (16:47 +0100)
committer Tom Hughes <tom@compton.nu>
Fri, 29 Aug 2014 15:47:56 +0000 (16:47 +0100)
If we allow reuse of SSL connections then we may send a Host
header that doesn't match the name sent in SNI when the connection
was set up, and the backend will then reject it.

cookbooks/web/templates/default/apache.frontend.erb

index 9426be81a7c22fe754052bd82d94fc233c35d868..ef06eeb83de93bb64afa1e9bc16d07789e0606d0 100644
   <Proxy balancer://backend>
     ProxySet lbmethod=bybusyness
 <% if port == 443 -%>
-    BalancerMember https://rails1
-    BalancerMember https://rails2
-    BalancerMember https://rails3
+    BalancerMember https://rails1 disablereuse=on
+    BalancerMember https://rails2 disablereuse=on
+    BalancerMember https://rails3 disablereuse=on
 <% else -%>
     BalancerMember http://rails1
     BalancerMember http://rails2
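Review bot: the rationale for `disablereuse=on` lives only in the commit message; add a comment in the template above the `<% if port == 443 -%>` branch so the next editor knows the flag guards against a Host/SNI mismatch on reused TLS backend connections and does not strip it as a performance regression. The trade-off is real: with reuse disabled every proxied request opens a fresh backend connection, so for the https members that means a TLS handshake per request, which is acceptable here only because the alternative is the backend rejecting requests outright. The plain-HTTP members in the `else` branch correctly keep reuse enabled, since the mismatch only arises when SNI is in play; a one-line comment stating that asymmetry is deliberate would make the hunk self-explanatory.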