500 Proxy Error

[Snoopy21]

two of our servers have suddenly generated this error, we are using WAproxy and ssl certificates are OK

Proxy ErrorThe proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

[Snoopy21]

in waproxy.log we see this...

[2021-09-10 15:53:51] [185.30.229.67:62534] AH01097: pass request body failed to 192.168.0.5:443 (192.168.0.5) from 185.30.229.67 ()

[2021-09-10 15:55:32] [192.168.165.14:58095] AH01084: pass request body failed to 192.168.0.5:443 (192.168.0.5)

[2021-09-10 15:55:32] [192.168.165.14:58095] AH00898: Error during SSL Handshake with remote server returned by /

[2021-09-10 15:55:32] [192.168.165.14:58095] AH01097: pass request body failed to 192.168.0.5:443 (192.168.0.5) from 192.168.165.14 ()

[2021-09-10 15:55:42] [192.168.165.14:58121] AH01084: pass request body failed to 192.168.0.5:443 (192.168.0.5)

[2021-09-10 15:55:42] [192.168.165.14:58121] AH00898: Error during SSL Handshake with remote server returned by /

[2021-09-10 15:55:42] [192.168.165.14:58121] AH01097: pass request body failed to 192.168.0.5:443 (192.168.0.5) from 192.168.165.14 ()

[2021-09-10 15:55:43] [192.168.165.14:58126] AH01084: pass request body failed to 192.168.0.5:443 (192.168.0.5)

[2021-09-10 15:55:43] [192.168.165.14:58126] AH00898: Error during SSL Handshake with remote server returned by /

[2021-09-10 15:55:43] [192.168.165.14:58126] AH01097: pass request body failed to 192.168.0.5:443 (192.168.0.5) from 192.168.165.14 ()

[Benoît Jager (RCDevs)]

Hello,

Can you provide the version of your waproxy and webadm:

cat /opt/waproxy/VERSION

cat /opt/webadm/VERSION

Can you also provide the following file from webadm server:

/opt/webadm/conf/webadm.env

Can you also provide the following file from waproxy server:

/opt/waproxy/conf/waproxy.env

Also, did you updated recently webadm?

Best regards

[Snoopy21]

[root@rcvm8 ~]# cat /opt/webadm/VERSION

RCDevs WebADM Server v2.0.19 for Linux 64bit

Built May 12 2021

Including component versions:

- curl 7.76.1

- gmp 6.2.1

- apache 2.4.46

- libmcrypt 2.5.8

- libxml 2.9.10

- libpng 1.6.37

- openldap 2.5.4

- openssl 1.1.1k

- php 7.4.18

- redis 6.2.3

- unixodbc 2.3.9

- zlib 1.2.11

- libxmlrpc 0.54.2

- libqrencode 4.1.1

- maxmind 1.5.2

- libaudit 2.4.5

- libnghttp2 1.41.0

- libhiredis 1.0.0

[root@rcvm8 ~]# 

[root@sec ~]# cat /opt/waproxy/VERSION

RCDevs WebADM Publishing Proxy v1.1.11 for Linux 64bit

Built March 29 2021

Including component versions:

- apache 2.4.46

- openssl 1.1.1k

- zlib 1.2.11

- curl 7.75.0[root@sec ~]# 

[Snoopy21]

the file /opt/webadm/conf/webadm.env is not there

On Monday, 13 September 2021 at 10:03:50 UTC+1 Benoît Jager (RCDevs) wrote:

[Snoopy21]

The file /opt/waproxy/conf/waproxy.env is not there

On Monday, 13 September 2021 at 10:03:50 UTC+1 Benoît Jager (RCDevs) wrote:

[Benoît Jager (RCDevs)]

If you can install nmap on the server, can you provide with the result of these commands from your waproxy server:

nmap -sV --script ssl-enum-ciphers -p 443 192.168.0.5

nmap -sV --script ssl-enum-ciphers -p 443 127.0.0.1

This will list what TLS version your webadm and waproxy server can provide.

[Snoopy21]

PORT    STATE SERVICE  VERSION

443/tcp open  ssl/http Apache httpd

| ssl-enum-ciphers: 

|   SSLv3: No supported ciphers found

|   TLSv1.2: 

|     ciphers: 

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong

|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong

|       TLS_DHE_RSA_WITH_AES_128_CCM - strong

|       TLS_DHE_RSA_WITH_AES_128_CCM_8 - strong

|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong

|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong

|       TLS_DHE_RSA_WITH_AES_256_CCM - strong

|       TLS_DHE_RSA_WITH_AES_256_CCM_8 - strong

|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong

|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 - strong

|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 - strong

|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 - strong

|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 - strong

|       TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong

|       TLS_RSA_WITH_AES_128_CBC_SHA - strong

|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong

|       TLS_RSA_WITH_AES_128_CCM - strong

|       TLS_RSA_WITH_AES_128_CCM_8 - strong

|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong

|       TLS_RSA_WITH_AES_256_CBC_SHA - strong

|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong

|       TLS_RSA_WITH_AES_256_CCM - strong

|       TLS_RSA_WITH_AES_256_CCM_8 - strong

|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong

|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 - strong

|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 - strong

|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong

|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 - strong

|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong

|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 - strong

|       TLS_RSA_WITH_SEED_CBC_SHA - strong

|     compressors: 

|       NULL

[Snoopy21]

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000068s latency).

|_  least strength: strong

[Benoît Jager (RCDevs)]

Can you provide the result of the 2 commands (for 192.168.0.5 and localhost)?

nmap -sV --script ssl-enum-ciphers -p 443 192.168.0.5

and

nmap -sV --script ssl-enum-ciphers -p 443 127.0.0.1

[Snoopy21]

sorry first one is nmap -sV --script ssl-enum-ciphers -p 443 192.168.0.5

second post is nmap -sV --script ssl-enum-ciphers -p 443 127.0.0.1

[Benoît Jager (RCDevs)]

From the waproxy server, what is the result of this command:

curl -kv https://192.168.0.5

can you provide the configuration of waproxy:

/opt/waproxy/conf/waproxy.conf

[Snoopy21]

[root@sec ~]# curl -kv https://192.168.0.5

* About to connect() to 192.168.0.5 port 443 (#0)

*   Trying 192.168.0.5...

* Connected to 192.168.0.5 (192.168.0.5) port 443 (#0)

* Initializing NSS with certpath: sql:/etc/pki/nssdb

* skipping SSL peer certificate verification

* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

* Server certificate:

* subject: CN=our.fqdn.com

* start date: Jun 03 11:49:27 2021 GMT

* expire date: Sep 01 11:49:27 2021 GMT

* common name: our.fqdn.com

* issuer: CN=R3,O=Let's Encrypt,C=US

> GET / HTTP/1.1

> User-Agent: curl/7.29.0

> Host: 192.168.0.5

> Accept: */*

> 

< HTTP/1.1 302 Found

< Date: Mon, 13 Sep 2021 09:55:05 GMT

< Server: Apache

< Strict-Transport-Security: max-age=63072000; includeSubDomains

< Content-Security-Policy: child-src 'self' data: blob:

< Cache-Control: private, must-revalidate

< X-Robots-Tag: noindex, nofollow

< location: admin/index.php

< Content-Length: 0

< Content-Type: text/html; charset=utf-8

< 

* Connection #0 to host 192

[Snoopy21]

Hi any idea's ?

[Snoopy21]

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 12.46 seconds

* Connection #0 to host 192.168.0.5 left intact

[Benoît Jager (RCDevs)]

Can you provide the /opt/webadm/logs/webadm.log file from 192.168.0.5 machine? I can provide you with a Nextcloud link so you can upload it. Let me know.

[Rob]

Yes sure 

Sent from my iPhone

On 13 Sep 2021, at 12:27, 'Benoît Jager ' via RCDevs Security Solutions - Technical <rcdevs-t...@googlegroups.com> wrote:



--
You received this message because you are subscribed to a topic in the Google Groups "RCDevs Security Solutions - Technical" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rcdevs-technical/3-0mJzeK-6M/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/616a5a72-188c-49a5-adf7-c622e2977b0dn%40googlegroups.com.

[Benoît Jager (RCDevs)]

Link is https://www.rcdevs.com/share/index.php/s/sCEbm4JMn9sgyxg

Password is Okp!d1dz

[Rob]

Mercie,

Cå Complete

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/3db02ec2-9a37-468d-ae71-85f28386f83cn%40googlegroups.com.

[Benoît Jager (RCDevs)]

Can you upload all webadm.log files (e.g. with .1 .2.gz)? I have only logs from today in what you uploaded.

[Rob]

There are only two I will upload the other

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/eb45f700-f93a-49a1-be77-f0ba56bf84e1n%40googlegroups.com.

[Rob]

I have done that.

Thank you

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/eb45f700-f93a-49a1-be77-f0ba56bf84e1n%40googlegroups.com.

[Snoopy21]

I have done that again as I didn't hear back there was only one other log file in .gz format I uploaded a few hours ago and just again now as maybe you didn't get it first time

[Benoît Jager (RCDevs)]

Hello,

From the logs, I see no error on webadm side. Do you still encounter this issue?

If possible, could you run this tcpdump command on your webadm server, and do a request to your waproxy IP to see if something is going to webadm:

tcpdump -w waproxy.pcap -i any port 443 and host <REPLACE HERE WITH IP OF YOUR WAPROXY>

and upload the resulting waproxy.pcap file?

Best regards

[Snoopy21]

i have uploaded the file

[Rob]

Hi,

I did this and uploaded…

This has happened on two servers …

I really don’t understand why…

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/f32f7cd2-59bb-431d-8856-7a2e711a3c48n%40googlegroups.com.

[Benoît Jager (RCDevs)]

Hello,

can you restart the waproxy and webadm servers?

when you say this has happened on two servers, do you mean two waproxy servers?

Best regards

[Rob]

I will however I did restart both before I mean its two separate installations…

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/78e26e86-374c-43e9-aede-f7ff9da02947n%40googlegroups.com.

[Rob]

We are just buying a licence for the server with the +20% SLA as the system is now mission critical I will have a licence shortly.

We had always meant to but this but continued without for no very good reason.

Hopefully we will get our licence soon and you can hop on and take a deeper look

Thanks

Rob

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/78e26e86-374c-43e9-aede-f7ff9da02947n%40googlegroups.com.

[Rob]

I have restarted the rcdevs 2fa server and waproxy

no difference

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/78e26e86-374c-43e9-aede-f7ff9da02947n%40googlegroups.com.

[Benoît Jager (RCDevs)]

Ok, can you redo the whole setup process for waproxy using

/opt/waproxy/bin/setup

this will ask you to validate the certificate issuing from webadm web interface

[Rob]

Ok

Sent from my iPhone

On 14 Sep 2021, at 11:04, 'Benoît Jager ' via RCDevs Security Solutions - Technical <rcdevs-t...@googlegroups.com> wrote:

Ok, can you redo the whole setup process for waproxy using

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/a64feb6a-5716-423e-b670-ab7a9543fea9n%40googlegroups.com.

[Rob]

This won’t delete our users will it ?

Sent from my iPhone

On 14 Sep 2021, at 11:04, 'Benoît Jager ' via RCDevs Security Solutions - Technical <rcdevs-t...@googlegroups.com> wrote:

Ok, can you redo the whole setup process for waproxy using

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/a64feb6a-5716-423e-b670-ab7a9543fea9n%40googlegroups.com.

[Benoît Jager (RCDevs)]

No, this will regenerate only certificates on waproxy side.

[Rob]

it says all good and even got a new lets encrypt cert.

I accepted the certificate on the webadm interface still nothing

To view this discussion on the web visit https://groups.google.com/d/msgid/rcdevs-technical/b4563869-51b5-4807-8924-2a59fb69f7f2n%40googlegroups.com.