Topic: apache proxy pass with ssl over not default(443) port
Author: ves011



Posted: Sat 21 Sep '24 18:23

I’m running a personal web server in my home network, powered by Apache 2.4.52, serving several sites with SSL enabled. The SSL certificates are generated with easy-rsa by a self-signed authority. The SSL sites run on ports 443, 444 and 442, and have SSLVerifyClient set to “require”. The sites running on 442 and 443 also have “ProxyPass” and “ProxyPassReverse” set, to allow some JavaScript clients in the browser to connect to the MQTT broker (Mosquitto) listening on 127.0.0.1:1883.
The “production” site runs on 443, while the “development” site runs on 442.
Everything on the “production” site works OK, but the “development” site does not.
The configuration for both sites is identical except for the port and directory structure.
When I open the :442 site, error.log shows “proxy.gnet:443” everywhere. I guess something is wrong with my configuration, but I cannot figure out what.
To make it work, I first open the :443 site, and then I see Apache is connected to the MQTT port (1883). After this, :442 works OK.
Here is the configuration:
Code:

<IfModule mod_ssl.c>
   ErrorLog /var/log/apache2/ssl_engine.log
   LogLevel debug
   <VirtualHost *:442>
   #<VirtualHost *:443>
      SSLEngine on
      ServerAdmin webmaster@localhost
      ServerName proxy.gnet
      DocumentRoot /share/dev/web/ctrl_web
      #DocumentRoot /var/www/iot
      <Directory /share/dev/web/ctrl_web>
      #<Directory /var/www/iot>
         Require          ssl-verify-client
         SSLVerifyDepth      1
         SSLOptions          +FakeBasicAuth
         SSLRequireSSL
         <Files "index.html">
            SSLRequire          %{SSL_CLIENT_S_DN_CN}  eq "admin.gnet" or \
                           %{SSL_CLIENT_S_DN_CN}  eq "pump.gnet" or \
                           %{SSL_CLIENT_S_DN_CN}  eq "agate.gnet"
         </Files>
         <Files "pump.*">
            SSLRequire          %{SSL_CLIENT_S_DN_CN}  eq "pump.gnet" or \
                           %{SSL_CLIENT_S_DN_CN}  eq "admin.gnet"
         </Files>
         <Files "agate.*">
            SSLRequire          %{SSL_CLIENT_S_DN_CN}  eq "agate.gnet" or \
                           %{SSL_CLIENT_S_DN_CN}  eq "admin.gnet"
         </Files>
      </Directory>

      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined

      SSLUseStapling off
      

      SSLCertificateFile   /etc/easy-rsa/pki/issued/proxy.gnet.crt
      SSLCertificateKeyFile /etc/easy-rsa/pki/private/proxy.gnet.key
      SSLCACertificateFile /etc/easy-rsa/pki/ca.crt
      SSLVerifyClient require
      SSLVerifyDepth  1
      
      ProxyRequests on
      ProxyPass "/wss/" "ws://127.0.0.1:1883"
      ProxyPassReverse "/wss/" "ws://127.0.0.1:1883"

   </VirtualHost>
</IfModule>

And the error log:
Code:

[Sat Sep 21 18:37:26.237541 2024] [ssl:info] [pid 280974] [client 192.168.1.108:52574] AH01964: Connection to child 11 established (server proxy.gnet:443)
[Sat Sep 21 18:37:26.237957 2024] [ssl:debug] [pid 280974] ssl_engine_kernel.c(2395): [client 192.168.1.108:52574] AH02043: SSL virtual host for servername proxy.gnet found
[Sat Sep 21 18:37:26.238187 2024] [core:debug] [pid 280974] protocol.c(2460): [client 192.168.1.108:52574] AH03155: select protocol from , choices=h2,http/1.1 for server proxy.gnet
[Sat Sep 21 18:37:26.239130 2024] [ssl:info] [pid 281004] [client 192.168.1.108:52575] AH01964: Connection to child 39 established (server proxy.gnet:443)
[Sat Sep 21 18:37:26.239499 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(2395): [client 192.168.1.108:52575] AH02043: SSL virtual host for servername proxy.gnet found
[Sat Sep 21 18:37:26.239649 2024] [core:debug] [pid 281004] protocol.c(2460): [client 192.168.1.108:52575] AH03155: select protocol from , choices=h2,http/1.1 for server proxy.gnet
[Sat Sep 21 18:37:26.488746 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(1764): [client 192.168.1.108:52575] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=GNet CA / issuer: CN=GNet CA / serial: 6CEB5EA9D7D0B9BFC2F4249BEE1D71B5B9870BC7 / notbefore: Jan 13 06:58:19 2023 GMT / notafter: Jan 10 06:58:19 2033 GMT]
[Sat Sep 21 18:37:26.489311 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(1764): [client 192.168.1.108:52575] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=admin.gnet / issuer: CN=GNet CA / serial: 456172CBF7C1AF91542DD00E8796F32B / notbefore: Jan 13 07:31:30 2023 GMT / notafter: Apr 17 07:31:30 2025 GMT]
[Sat Sep 21 18:37:26.490205 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(2254): [client 192.168.1.108:52575] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Sat Sep 21 18:37:26.491214 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(415): [client 192.168.1.108:52575] AH02034: Initial (No.1) HTTPS request received for child 39 (server proxy.gnet:443)
[Sat Sep 21 18:37:26.491581 2024] [authz_core:debug] [pid 281004] mod_authz_core.c(815): [client 192.168.1.108:52575] AH01626: authorization result of Require ssl-verify-client : granted
[Sat Sep 21 18:37:26.491632 2024] [authz_core:debug] [pid 281004] mod_authz_core.c(815): [client 192.168.1.108:52575] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 21 18:37:26.491760 2024] [authz_core:debug] [pid 281004] mod_authz_core.c(815): [client 192.168.1.108:52575] AH01626: authorization result of Require ssl-verify-client : granted
[Sat Sep 21 18:37:26.491802 2024] [authz_core:debug] [pid 281004] mod_authz_core.c(815): [client 192.168.1.108:52575] AH01626: authorization result of <RequireAny>: granted
[Sat Sep 21 18:37:26.492555 2024] [deflate:debug] [pid 281004] mod_deflate.c(869): [client 192.168.1.108:52575] AH01384: Zlib: Compressed 1236 to 614 : URL /index.html
[Sat Sep 21 18:37:26.493545 2024] [ssl:debug] [pid 280974] ssl_engine_kernel.c(1764): [client 192.168.1.108:52574] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=GNet CA / issuer: CN=GNet CA / serial: 6CEB5EA9D7D0B9BFC2F4249BEE1D71B5B9870BC7 / notbefore: Jan 13 06:58:19 2023 GMT / notafter: Jan 10 06:58:19 2033 GMT]
[Sat Sep 21 18:37:26.493953 2024] [ssl:debug] [pid 280974] ssl_engine_kernel.c(1764): [client 192.168.1.108:52574] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=admin.gnet / issuer: CN=GNet CA / serial: 456172CBF7C1AF91542DD00E8796F32B / notbefore: Jan 13 07:31:30 2023 GMT / notafter: Apr 17 07:31:30 2025 GMT]
[Sat Sep 21 18:37:26.494491 2024] [ssl:debug] [pid 280974] ssl_engine_kernel.c(2254): [client 192.168.1.108:52574] AH02041: Protocol: TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits)
[Sat Sep 21 18:37:26.501361 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(415): [client 192.168.1.108:52575] AH02034: Subsequent (No.2) HTTPS request received for child 39 (server proxy.gnet:443), referer: https://proxy.gnet:442/
[Sat Sep 21 18:37:26.501554 2024] [authz_core:debug] [pid 281004] mod_authz_core.c(815): [client 192.168.1.108:52575] AH01626: authorization result of Require ssl-verify-client : granted, referer: https://proxy.gnet:442/

Any suggestion is welcome.
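
Added example, not part of the original post: a small Python check that reads mod_ssl debug lines in the format shown above, ties each AH02034 request to the client-certificate CN verified on the same connection, and lists requests where the `(server host:port)` label Apache logged differs from the port in the referer. The names `find_vhost_mismatches` and `referer_port` are this example's own, and the sample log is constructed (abridged from the lines in the post, with a fourth line invented to show the default-port case).

```python
import re
from urllib.parse import urlsplit

# Constructed sample, abridged from the log format shown in the post.
SAMPLE_LOG = """\
[Sat Sep 21 18:37:26.489311 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(1764): [client 192.168.1.108:52575] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=admin.gnet / issuer: CN=GNet CA]
[Sat Sep 21 18:37:26.491214 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(415): [client 192.168.1.108:52575] AH02034: Initial (No.1) HTTPS request received for child 39 (server proxy.gnet:443)
[Sat Sep 21 18:37:26.501361 2024] [ssl:debug] [pid 281004] ssl_engine_kernel.c(415): [client 192.168.1.108:52575] AH02034: Subsequent (No.2) HTTPS request received for child 39 (server proxy.gnet:443), referer: https://proxy.gnet:442/
[Sat Sep 21 18:37:27.000000 2024] [ssl:debug] [pid 281010] ssl_engine_kernel.c(415): [client 192.168.1.108:52580] AH02034: Subsequent (No.2) HTTPS request received for child 40 (server proxy.gnet:443), referer: https://proxy.gnet/
"""

CLIENT = re.compile(r"\[client ([^\]]+)\]")
LEAF_CN = re.compile(r"AH02275: Certificate Verification, depth 0,.*\[subject: CN=([^/\]]+)")
REQUEST = re.compile(r"AH02034: .*?\(server ([^:)]+):(\d+)\)(?:, referer: (\S+))?")
DEFAULT_PORTS = {"https": 443, "http": 80}


def referer_port(url):
    """Port named by a referer URL, falling back to the scheme default."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def find_vhost_mismatches(log_text):
    """List requests whose referer port differs from the vhost port Apache logged."""
    leaf_cn = {}   # "ip:port" of the connection -> CN of its verified client certificate
    findings = []
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        if not client:
            continue
        cert = LEAF_CN.search(line)
        if cert:
            leaf_cn[client.group(1)] = cert.group(1).strip()
            continue
        req = REQUEST.search(line)
        if not req or not req.group(3):
            continue
        host, port, referer = req.group(1), int(req.group(2)), req.group(3)
        # The referer is client-supplied: treat it as a hint, and only compare same-host URLs.
        if urlsplit(referer).hostname == host and referer_port(referer) != port:
            findings.append({"client": client.group(1), "cn": leaf_cn.get(client.group(1)),
                             "vhost": f"{host}:{port}", "referer_port": referer_port(referer)})
    return findings


if __name__ == "__main__":
    for finding in find_vhost_mismatches(SAMPLE_LOG):
        print(finding)
```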