https://bz.apache.org/bugzilla/show_bug.cgi?id=68517
Bug ID: 68517
Summary: Getting AH00898: Error during SSL Handshake with
remote server while using apache as reverse proxy
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: All
Assignee: bugs@httpd.apache.org
Reporter: sbhanwra18@gmail.com
Target Milestone: ---
We have installed Apache 2.4.58 in a new directory. We use the same settings and
SSL certificate wallets as Apache 2.4.57. However, we keep getting a 502 Bad
Gateway issue in the newer Apache, while it is working fine in Apache 2.4.57 on
the same server.
I tried the settings below as well, but no luck.
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
I have verified by proxyCA with curl, it works fine.
I struggled with this issue for a couple of weeks.
Thanks a lot,
The error log:
[Thu Jan 18 15:00:11.652886 2024] [proxy:error] [pid 8119:tid 140431891339008] (20014)Internal error (specific information not available): [client x.x.x.x.x.x.:40441] AH01084: pass request body failed to x.x.x.x.x.x.:443 (innoprosys.com)
[Thu Jan 18 15:00:11.652931 2024] [proxy:error] [pid 8119:tid 140431891339008] [client x.x.x.x.x.x.:40441] AH00898: Error during SSL Handshake with remote server returned by /xxx/xxx/xxx/api/
[Thu Jan 18 15:00:11.652934 2024] [proxy_http:error] [pid 8119:tid 140431891339008] [client x.x.x.x.x.x.:40441] AH01097: pass request body failed to x.x.x.x.x.x.:443 (xxxx.com) from x.x.x.x.x.x. ()
SSL Logs :
[18/Jan/2024:15:00:11 +0300] XXXXX TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /XXX/XXX/XXX/api/?key=TMS1LN9X4TZRP3MKGU0B HTTP/1.1" 273
The VH config:
Listen 5995
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
# SSL Protocol support:
SSLProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/u01/apache/httpd-2.4.58/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:5995>
# General setup for the virtual host
DocumentRoot "/u01/apache/httpd-2.4.58/htdocs"
ServerName xxxxx.xxx.com.sa:5995
ServerAdmin you@example.com
ErrorLog "/u01/apache/httpd-2.4.58/logs/error_log"
TransferLog "/u01/apache/httpd-2.4.58/logs/access_log"
SSLEngine on
# Server Certificate:
SSLCertificateFile "/u01/apache/httpd-2.4.58/nwc-config/certificates/server/xxx.xx.com.sa.pem"
# Server Private Key:
SSLCertificateKeyFile "/u01/apache/httpd-2.4.58/nwc-config/certificates/server/xxxxx.xxx.com.sa_key1.key"
SSLCACertificatePath "/u01/apache/httpd-2.4.58/nwc-config/certificates/ca"
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/u01/apache/httpd-2.4.58/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# compact non-error SSL logfile on a virtual host basis.
CustomLog "/u01/apache/httpd-2.4.58/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLProxyEngine On
SSLProxyProtocol all -SSLv3 -TLSv1.1
SSLProxyCACertificatePath "/u01/apache/httpd-2.4.58/nwc-config/certificates/ca"
ProxyRequests On
ProxyVia On
ProxyPreserveHost Off
<Location /xxx/xxx/xxx/api/>
ProxyPass https://xxx.com/xxx/xxx/xxx/api/
ProxyPassReverse https://xxxx.com/xxx/apis/xxx/api/
</Location>
</VirtualHost>
The compile settings:
./httpd -V
Server version: Apache/2.4.58 (Unix)
Server built: Jan 15 2024 12:58:36
Server's Module Magic Number: 20120211:129
Server loaded: APR 1.7.4, APR-UTIL 1.6.3, PCRE 8.45 2021-06-15
Compiled using: APR 1.7.4, APR-UTIL 1.6.3, PCRE 8.45 2021-06-15
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/u01/apache/httpd-2.4.58"
-D SUEXEC_BIN="/u01/apache/httpd-2.4.58/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
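
Added example (not part of the bug report or of httpd): a small audit of the proxy-side TLS directives of the kind quoted in the report, useful for checking what troubleshooting changes such as SSLProxyCheckPeerCN off and SSLProxyCheckPeerExpire off leave behind. SAMPLE is constructed from those directives with a placeholder backend host and path; the parser is flat and ignores VirtualHost/Location scoping, which is an assumption of this sketch.

```python
# Added example: audit mod_ssl / mod_proxy directives that affect backend TLS.
# SAMPLE is constructed; backend.example and /api/ are placeholders.
SAMPLE = """\
SSLProxyEngine On
SSLProxyCACertificatePath "/u01/apache/httpd-2.4.58/nwc-config/certificates/ca"
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
ProxyRequests On
<Location /api/>
ProxyPass https://backend.example/api/
</Location>
"""

def directives(text):
    """Map lowercased directive name -> lowercased argument string (last one wins)."""
    found = {}
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        line = line.strip()
        if not line or line[0] in "#<":   # skip comments and <Section> tags
            continue
        name, _, args = line.partition(" ")
        found[name.lower()] = args.strip().lower()
    return found

def audit(text):
    """Return (directive, finding) pairs for settings that weaken backend TLS."""
    d = directives(text)
    out = []
    if d.get("sslproxyengine", "off") != "on":
        return out                        # no TLS to the backend, nothing to check
    if d.get("sslproxyverify", "none") != "require":
        out.append(("SSLProxyVerify", "not 'require' (default is none): the backend "
                    "chain is not required to verify against the proxy CA store"))
    if d.get("sslproxycheckpeerexpire", "on") == "off":
        out.append(("SSLProxyCheckPeerExpire", "expired backend certificates are accepted"))
    if d.get("sslproxycheckpeername", "on") == "off":
        out.append(("SSLProxyCheckPeerName", "backend hostname is not matched against the certificate"))
    elif d.get("sslproxycheckpeercn") == "off":
        out.append(("SSLProxyCheckPeerCN", "ignored while SSLProxyCheckPeerName is on "
                    "(httpd 2.4.5+), so the name check still runs"))
    if d.get("proxyrequests", "off") == "on":
        out.append(("ProxyRequests", "forward proxying is enabled; ProxyPass does not need it"))
    return out

if __name__ == "__main__":
    for directive, finding in audit(SAMPLE):
        print(f"{directive}: {finding}")
```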