From 2c2bb4b27e849ddbf5dcbeb4c722f08f82c14693 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Fri, 29 Aug 2014 16:47:56 +0100 Subject: [PATCH] Don't allow SSL proxy connections to be reused If we allow reuse of SSL connections then we may sent a Host header that doesn't match the name sent in SNI when the connection was setup, and the backend will then reject it. --- cookbooks/web/templates/default/apache.frontend.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb index 9426be81a..ef06eeb83 100644 --- a/cookbooks/web/templates/default/apache.frontend.erb +++ b/cookbooks/web/templates/default/apache.frontend.erb @@ -194,9 +194,9 @@ ProxySet lbmethod=bybusyness <% if port == 443 -%> - BalancerMember https://rails1 - BalancerMember https://rails2 - BalancerMember https://rails3 + BalancerMember https://rails1 disablereuse=on + BalancerMember https://rails2 disablereuse=on + BalancerMember https://rails3 disablereuse=on <% else -%> BalancerMember http://rails1 BalancerMember http://rails2 -- 2.43.2
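Review bot: The three `disablereuse=on` members in the `port == 443` branch have no comment, so the reason for giving up backend connection pooling lives only in the commit message and the option could later be removed as a performance tweak. I would add a line above them such as `# disablereuse=on: a pooled TLS connection can be reused with a Host header that differs from the SNI name it was opened with, and the backend rejects that`. Every proxied HTTPS request now pays a fresh TCP and TLS handshake to the backend, so handshake load on rails1, rails2 and rails3 is worth watching after rollout. The enclosing balancer block starts and ends outside the hunk, so I cannot tell whether backend certificate verification (`SSLProxyVerify`, `SSLProxyCheckPeerName`) is configured for these `https://` members; please confirm it is.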