ravi
Joined: 01 May 2013 Posts: 7 Location: india
Posted: Tue 07 May '13 12:03 Post subject: Apache 2.4.4 Reverse Proxy and SSL issue
Hi all,
Apache is built with OpenSSL/1.0.1e and I configured it with reverse proxy and SSL.
When I request https://localhost/ it gives the response "It works!", and when I request https://localhost/app1/ it gives the following message in the browser:
Proxy Error
The proxy server could not handle the request GET /app1/.
Reason: Error during SSL Handshake with remote server
When I open the Apache error log file I find the following logs:
[Tue May 07 15:11:34.982849 2013] [ssl:warn] [pid 5272:tid 1988] AH02268: Proxy client certificate callback: (www.example.com:443) downstream server wanted client certificate but none are configured
[Tue May 07 15:11:34.992851 2013] [proxy_http:error] [pid 5272:tid 1988] (502)Unknown error: [client ::1:8839] AH01084: pass request body failed to 172.16.17.218:443 (172.16.17.218)
[Tue May 07 15:11:34.992851 2013] [proxy:error] [pid 5272:tid 1988] [client ::1:8839] AH00898: Error during SSL Handshake with remote server returned by /app1/
[Tue May 07 15:11:34.992851 2013] [proxy_http:error] [pid 5272:tid 1988] [client ::1:8839] AH01097: pass request body failed to 172.16.17.218:443 (172.16.17.218) from ::1 ()
[Tue May 07 15:11:35.010855 2013] [mpm_winnt:notice] [pid 6544:tid 732] AH00428: Parent: child process 5272 exited with status 3221225477 -- Restarting.
[Tue May 07 15:11:36.161085 2013] [ssl:warn] [pid 6544:tid 732] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 07 15:11:36.161585 2013] [ssl:warn] [pid 6544:tid 732] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
[Tue May 07 15:11:36.999252 2013] [mpm_winnt:notice] [pid 6544:tid 732] AH00455: Apache/2.4.4 (Win32) OpenSSL/1.0.1e configured -- resuming normal operations
[Tue May 07 15:11:36.999252 2013] [mpm_winnt:notice] [pid 6544:tid 732] AH00456: Server built: May 3 2013 12:49:47
[Tue May 07 15:11:36.999252 2013] [core:notice] [pid 6544:tid 732] AH00094: Command line: 'C:\\Apache24\\bin\\httpd.exe -d C:/Apache24'
[Tue May 07 15:11:37.000753 2013] [mpm_winnt:notice] [pid 6544:tid 732] AH00418: Parent: Created child process 5736
[Tue May 07 15:11:38.006454 2013] [ssl:warn] [pid 5736:tid 672] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 07 15:11:38.006954 2013] [ssl:warn] [pid 5736:tid 672] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
[Tue May 07 15:11:39.828318 2013] [ssl:warn] [pid 5736:tid 672] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 07 15:11:39.828818 2013] [ssl:warn] [pid 5736:tid 672] AH01909: RSA certificate configured for www.example.com:443 does NOT include an ID which matches the server name
[Tue May 07 15:11:40.002853 2013] [mpm_winnt:notice] [pid 5736:tid 672] AH00354: Child: Starting 150 worker threads.
Can anyone say what the problem is?
This is my SSL configuration:
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/Apache24/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/Apache24/htdocs"
#ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "/Apache24/logs/error.log"
TransferLog "/Apache24/logs/access.log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile "/Apache24/conf/server.crt"
SSLCertificateKeyFile "/Apache24/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/Apache24/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/Apache24/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
This is my reverse proxy configuration:
<IfModule !filter_module>
LoadModule filter_module modules/mod_filter.so
</IfModule>
<IfModule !dumpio_module>
LoadModule dumpio_module modules/mod_dumpio.so
</IfModule>
<IfModule !headers_module>
LoadModule headers_module modules/mod_headers.so
</IfModule>
<IfModule !proxy_module>
LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !proxy_ajp_module>
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
</IfModule>
<IfModule !proxy_balancer_module>
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfModule>
<IfModule !proxy_connect_module>
LoadModule proxy_connect_module modules/mod_proxy_connect.so
</IfModule>
<IfModule !proxy_http_module>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !rewrite_module>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule !unique_id_module>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>
<IfModule !status_module>
LoadModule status_module modules/mod_status.so
</IfModule>
<IfModule !info_module>
LoadModule info_module modules/mod_info.so
</IfModule>
SSLProxyEngine On
ProxyRequests Off
TraceEnable Off
FileETag None
ProxyPreserveHost On
ExtendedStatus Off
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Tue 07 May '13 12:14
What is the config of the /app/?
ravi
Joined: 01 May 2013 Posts: 7 Location: india
Posted: Tue 07 May '13 13:19 Post subject: app1 config
Hi James,
Below is the app1 configuration:
ProxyPass /app1/ https://172.16.17.218/
<Location /app1/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyHTMLFixups dospath
</Location>
Anyhow, the error is not coming any more when I access https://localhost/app1/, as I added SSLProxyCheckPeerCN Off in the configuration.
Thank you, James.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Tue 07 May '13 14:41
After testing and looking into your log it seems that the SSL certificate from 172.16.17.218 is not valid at all; not even the name matches.
First you have to enable SSL for your proxy: SSLProxyEngine on.
Since you added ProxyPreserveHost On you need to install the valid certificate from your reverse proxy also in the backend server.
The other way would be to not use SSL inside your own network, if possible.
ravi
Joined: 01 May 2013 Posts: 7 Location: india
Posted: Wed 08 May '13 8:24
James Blond wrote: "After testing and looking into your log it seems that the SSL certificate from 172.16.17.218 is not valid at all; not even the name matches."
Hi James,
I used the following commands for creating the certificate and key for the Apache 2.4 reverse proxy server:
openssl genrsa -des3 -out server.key 2048
openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt
And to get rid of the pass-phrase dialog at Apache startup time I executed the following commands:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Is this the right way of making the SSL certificate and key? If I missed any commands, can you please tell me?
Thank you,
ravi.
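The script below is an added example; it is not code from this thread, from ravi or James, or from the Apache project. It ties James's reply (the backend certificate must be valid and its name must match) to the openssl commands above. What those commands produce is a self-signed certificate that, with the stock openssl.cnf, carries basicConstraints CA:TRUE (that is the AH01906 warning in the log; the -nodes flag does nothing there because an existing key is passed with -key). The script instead builds a small private CA, issues the backend an end-entity certificate (CA:FALSE, serverAuth, subjectAltName equal to the host in the ProxyPass URL), and runs the same checks mod_ssl would run on the proxy-to-backend leg, next to the directives that turn those checks on. SSLProxyCheckPeerCN Off, which made the 502 go away, switches off the only check that was being made on the backend certificate, since SSLProxyVerify defaults to none. Assumptions: openssl on PATH (1.0.x or later); the name backend.example.internal, the CA name "Internal Proxy CA" and the temp-directory paths are made up; SSLProxyCheckPeerName needs httpd 2.4.5 or later (2.4.4 only has SSLProxyCheckPeerCN, which it superseded).

```shell
#!/bin/sh
# Added example, not from the thread: a private CA, an end-entity certificate
# for the backend, and the checks mod_ssl runs on the proxy->backend leg.
# Assumes openssl on PATH. All names and paths below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
BACKEND_NAME="${BACKEND_NAME:-backend.example.internal}"

# 1. Private CA. Only this certificate carries basicConstraints CA:TRUE.
#    (openssl req -x509 with the stock openssl.cnf gives CA:TRUE to every
#    self-signed cert, which is what AH01906 complained about.)
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Internal Proxy CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$WORK/ca.cnf" \
    -key "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Backend server certificate: CA:FALSE, serverAuth, and a subjectAltName
#    equal to the host in the ProxyPass URL, signed by the CA above.
make_server_cert() {
  cat > "$WORK/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $BACKEND_NAME
EOF
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$BACKEND_NAME
EOF
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORK/server.cnf" \
    -key "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# 3. The checks. verify_chain is what SSLProxyVerify require does against
#    SSLProxyCACertificateFile; verify_name is the hostname check that
#    SSLProxyCheckPeerCN Off switched off; is_not_ca is the AH01906 test.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
verify_name() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}
is_not_ca() {
  ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 4. Directives for the proxy->backend leg. The commented line is what the
#    thread settled on; the rest enables verification instead of skipping it.
#    SSLProxyCheckPeerName needs httpd 2.4.5+; 2.4.4 only has SSLProxyCheckPeerCN.
proxy_ssl_conf() {
  cat <<EOF
SSLProxyEngine on
# Weak (what made the 502 disappear): skips the backend hostname check, and
# with the default SSLProxyVerify none nothing else about the cert is checked.
# SSLProxyCheckPeerCN off
# Hardened: trust only the private CA, check chain, name and expiry.
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile "$WORK/ca.crt"
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
# If the backend still asks for a client certificate (AH02268), either give
# the proxy one with SSLProxyMachineCertificateFile or turn SSLVerifyClient
# off on the backend.
ProxyPass /app1/ https://$BACKEND_NAME/
EOF
}

# Stand-alone run: build everything and fail loudly if a check does not pass.
make_ca
make_server_cert
verify_chain                 || { echo "chain check FAILED"; exit 1; }
verify_name "$BACKEND_NAME"  || { echo "name check FAILED";  exit 1; }
is_not_ca "$WORK/server.crt" || { echo "server cert is a CA cert"; exit 1; }
proxy_ssl_conf > "$WORK/proxy-ssl.conf"
echo "certs and $WORK/proxy-ssl.conf written; all checks passed"
```

Run it with sh; WORK and BACKEND_NAME can be overridden in the environment. The server.crt and server.key it writes go on the backend (172.16.17.218 in the thread), ca.crt goes to the proxy as SSLProxyCACertificateFile, and the ProxyPass target must use the name in the subjectAltName rather than the bare IP, or the hostname check can never pass.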
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 09 May '13 8:24
It's been a very long while since I created certs myself. I use startssl.com because it is free!
And yes, I use openssl rsa -in server.key.org -out server.key also to get rid of the pass-phrase.