WebServer (Apache HTTP/IBM IHS) “Proxy and Reverse Proxy” -> Forward traffic to -> services (hosted on openshift as passthrough)

Question

I am trying to forward the request from IBM IHS (8.5)/Apache to service hosted on openshift as passthrough using proxy/reverse proxy feature of apache. While doing this I am getting error "503 service is not available" as I am trying to access URL as " https://abc.online.com/ " from browser but proxy is configured with URL " https://xyz.online.com/ " and with same name it's defined on openshift as well. When I try the same by exposing the openshift service as 'edge' termination I am able to hit the service running on openshift with no issue. I am not sure it's because the passthrough does not support this pattern but looking for advise.

Explained about passthrough and edge.

Passthrough TLS is terminated by the pod, so the proxy can't access the unencrypted traffic. The routing decision is based on the hostname in TLS Client Hello, the Host header is ignored. Also the traffic doesn't have to be HTTPS as the protocol wrapped by TLS is only handled by the pod.

Edge The routing decision is made by the HTTP Host header, the hostname in TLS Client Hello is ignored. The router's default wildcard certificate — or the route's individual certificate if set — is used.

Answer 1

In IHS, neither mod_proxy nor the WAS Plug-in send SNI info by default.

If you're using mod_proxy w/ eg SSLProxyEngine ON you can get SNI to be added by adding this directive in the same context as SSLProxyEngine ON .

SSLAttributeSet proxy:230 "xyz.online.com" BUFFNULL

This unusual syntax allows you to configure the security library underneath IHS even when a particular option has not been exposed through IHS configuration.