From: Tom Hughes
Date: Fri, 29 Aug 2014 15:47:56 +0000 (+0100)
Subject: Don't allow SSL proxy connections to be reused
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/2c2bb4b27e849ddbf5dcbeb4c722f08f82c14693

Don't allow SSL proxy connections to be reused

If we allow reuse of SSL connections then we may sent a Host header that doesn't match the name sent in SNI when the connection was setup, and the backend will then reject it.
---
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index 9426be81a..ef06eeb83 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -194,9 +194,9 @@
 ProxySet lbmethod=bybusyness
 <% if port == 443 -%>
- BalancerMember https://rails1
- BalancerMember https://rails2
- BalancerMember https://rails3
+ BalancerMember https://rails1 disablereuse=on
+ BalancerMember https://rails2 disablereuse=on
+ BalancerMember https://rails3 disablereuse=on
 <% else -%>
 BalancerMember http://rails1
 BalancerMember http://rails2
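Review bot: The three `disablereuse=on` members in the `port == 443` branch carry no explanation in the template itself, so the reason lives only in the commit message and the flag reads like a removable performance cost (every proxied request now opens a fresh TLS connection to the backend). I would add a comment above them, e.g. `# disablereuse=on: a pooled SSL connection may send a Host header that differs from the SNI name it was set up with, and the backend rejects that`. The plain-http branch keeps connection reuse, which matches the stated cause since no SNI is involved there. The enclosing proxy block starts and ends outside the hunk, so whether other https workers in this template need the same setting cannot be judged from here.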