
apache https reverse proxy


ian diddams

Jan 7, 2014, 11:58:30 AM
apache 2.2.20
centos 6.4

I had an http reverse proxy working fine within an apache ssl virtual host

ProxyPass / http://sleepy:28080/
ProxyPassReverse / http://sleepy:28080/

However, this confuses jboss into thinking it's handling http traffic, so it returns an http address, breaking everything.

So I just set up a https reverse proxy

ProxyPass / https://sleepy:29443/
ProxyPassReverse / https://sleepy:29443/


... but this doesn't work.

apache error logs show

[Tue Jan 07 16:34:03 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 192.168.64.20:29443 (sleepy)
[Tue Jan 07 16:34:03 2014] [error] proxy: pass request body failed to 192.168.64.20:29443 (sleepy) from 192.168.52.204 ()

a direct url for sleepy works fine.

https://sleepy:29443/regadmin/login

The cert on both the apache ssl server and the jboss implementation is self signed (no real cert needed as this is internal/PoC etc etc etc).


I've done various googling that suggests it's cos of the self signed cert that the reverse proxy fails... but I haven't been able to work out a workaround.
There was a suggestion to use SSLProxyCheckPeerCN, but this errors - mod_ssl IS already loaded so dunno what is happening there.

any pointers gratefully accepted

ian
----

<VirtualHost *:443>
    ServerAdmin i...@xxx.co.uk
    ServerName dev.xxx.co.uk
    ServerAlias *.dev.xxx.co.uk
    DocumentRoot /opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs
    <Directory "/opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    # webserver requests
    ProxyPassMatch ^/(images|contents|js|css|CMS|eyesite|oneClickEdit)/.*$ !
    ProxyPassMatch ^/[^/]+\.[^/]+$ !
    ProxyPass /twmc http://goofy:7110/twmc
    ProxyPassReverse /twmc http://goofy:7110/twmc
    ProxyPass / https://sleepy:29443/
    ProxyPassReverse / https://sleepy:29443/
    # ProxyPass / http://sleepy:28080/
    # ProxyPassReverse / http://sleepy:28080/

    ErrorLog "logs/tdsweb-https-error_log"
    CustomLog "logs/tdsweb-https-access_log" common
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/opt/apache/2.2.20/conf/dev.crt"
    SSLCertificateKeyFile "/opt/apache/2.2.20/conf/dev.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/opt/apache/2.2.20/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "/opt/apache/2.2.20/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

ian diddams

Jan 9, 2014, 7:30:09 AM
update:

setting loglevel to debug I see these errors:

[Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1814): OpenSSL: Read: SSLv2/v3 read server hello A
[Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read server hello A
[Thu Jan 09 12:09:39 2014] [info] [client 192.168.64.20] SSL Proxy connect failed
[Thu Jan 09 12:09:39 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


didds
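
Added example, not part of the original posts: a small Python decoder for the "SSL Library Error" line quoted above. It assumes the OpenSSL 1.0.x packed error-code layout (8-bit library, 12-bit function, 12-bit reason); the function names and the alert table are this example's own.

```python
import re

# Constructed sample input: the mod_ssl [info] line from the post above.
SAMPLE = ("[Thu Jan 09 12:09:39 2014] [info] SSL Library Error: 336032784 "
          "error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
          "sslv3 alert handshake failure")

ERR_LIB_SSL = 20       # OpenSSL library number for "SSL routines"
ALERT_OFFSET = 1000    # OpenSSL SSL_AD_REASON_OFFSET: reason = 1000 + alert

# TLS alert descriptions (RFC 5246, section 7.2); handshake-related subset.
ALERTS = {
    10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

LINE_RE = re.compile(r"SSL Library Error: (\d+) error:([0-9A-Fa-f]{8}):")


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(line):
    """Decode one mod_ssl log line; return None if it carries no error code."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    if code != int(m.group(2), 16):
        raise ValueError("decimal and hex forms of the code disagree")
    lib, func, reason = unpack(code)
    result = {"lib": lib, "func": func, "reason": reason, "peer_alert": None}
    # In the SSL library, reasons >= 1000 record an alert received from
    # the remote end rather than a failure detected locally.
    if lib == ERR_LIB_SSL and reason >= ALERT_OFFSET:
        number = reason - ALERT_OFFSET
        result["peer_alert"] = (number, ALERTS.get(number, "unknown"))
    return result


if __name__ == "__main__":
    print(explain(SAMPLE))
```

The reason field decodes to 1040, i.e. alert 40 (handshake_failure) received in reply to Apache's ClientHello: the backend at 192.168.64.20 refused the handshake, and the error was not raised by a check on the Apache side.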

Alexander Wiedergold WIEDERGOLD.NET

Jan 11, 2014, 5:48:12 AM
Is port 28080 open on the firewall?

--
..
http://wiedergold.net/

ian diddams

Jan 14, 2014, 8:34:01 AM
there is no firewall... it's the same server. apache connects to a jboss backend on the same server.

and yes, I can telnet to the pertinent URL and port on the same server required.

cheers

ian

ian diddams

Jan 15, 2014, 10:21:19 AM
FTR I gave up and used mod_jk/ajp. works a treat. *sigh*

ian
