Proxy with ssl backend server
Hello,

I am trying to use apache as a proxy to pass requests to a https backend like this:

<VirtualHost *:443>

SSLProxyEngine on
ProxyPass /service/ https://backend.do.main:4434/service
ProxyPassReverse /service/ https://backend.do.main:4434/service
ProxyPassReverseCookiePath / /service/
ProxyHTMLURLMap https://backend.do.main:4434/service /service
<Location /service/>
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-sendcl
ProxyHTMLEnable On
ProxyHTMLExtended On
LogLevel Debug
ProxyHTMLURLMap https://backend.do.main:4434/service/service/
RequestHeader unset Accept-Encoding
AuthName "Application /service"
AuthType Basic
AuthUserFile /m/b/httpd/passwd
AuthGroupFile /m/b/httpd/group
Require group service
SSLRequireSSL
RequestHeader set Authorization "Basic 123456778"
RequestHeader set X_FORWARDED_PROTO 'https'
</Location>

</VirtualHost>

This works fine for http backends, but with https, I get the following errors:

[Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
[Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
[Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
[Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
[Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
[Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
[Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
[Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()

I guess the reason for this problem might be that the backend server uses
a self-signed certificate created like this:

openssl req \
-new -newkey rsa:4096 \
-subj /C=DE/CN=backend \
-addext subjectAltName=DNS:backend.do.main \
-addext certificatePolicies=1.2.3.4 \
-x509 -nodes \
-days 3650 \
-out server-cert.pem \
-keyout server-key.pem \

I tried to disable the certificate check by adding the following options, but they did
not help:

SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off

Any ideas what might be wrong with my configuration?

How could I explicitly install the backend certificate as "trusted"?
I tried SSLProxyMachineCertificatePath, but also without success.


--
Josef Wolf
jw@raven.inka.de

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Proxy with ssl backend server [ In reply to ]
No ideas on this one?

On Thu, May 25, 2023 at 02:37:50PM +0200, Josef Wolf wrote:
> Hello,
>
> I am trying to use apache as a proxy to pass requests to a https backend like this:
>
> <VirtualHost *:443>
>
> SSLProxyEngine on
> ProxyPass /service/ https://backend.do.main:4434/service
> ProxyPassReverse /service/ https://backend.do.main:4434/service
> ProxyPassReverseCookiePath / /service/
> ProxyHTMLURLMap https://backend.do.main:4434/service /service
> <Location /service/>
> SetEnv force-proxy-request-1.0 1
> SetEnv proxy-nokeepalive 1
> SetEnv proxy-sendcl
> ProxyHTMLEnable On
> ProxyHTMLExtended On
> LogLevel Debug
> ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> RequestHeader unset Accept-Encoding
> AuthName "Application /service"
> AuthType Basic
> AuthUserFile /m/b/httpd/passwd
> AuthGroupFile /m/b/httpd/group
> Require group service
> SSLRequireSSL
> RequestHeader set Authorization "Basic 123456778"
> RequestHeader set X_FORWARDED_PROTO 'https'
> </Location>
>
> </VirtualHost>
>
> This works fine for http backends, but with https, I get the following errors:
>
> [Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
> [Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
> [Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
> [Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
> [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> [Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
> [Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()
>
> I guess the reason for this problem might be that the backend server uses
> a self-signed certificate created like this:
>
> openssl req \
> -new -newkey rsa:4096 \
> -subj /C=DE/CN=backend \
> -addext subjectAltName=DNS:backend.do.main \
> -addext certificatePolicies=1.2.3.4 \
> -x509 -nodes \
> -days 3650 \
> -out server-cert.pem \
> -keyout server-key.pem
>
> I tried to disable the certificate check by adding the following options, but they did
> not help:
>
> SSLProxyVerify none
> SSLProxyCheckPeerCN Off
> SSLProxyCheckPeerName Off
> SSLProxyCheckPeerExpire Off
>
> Any ideas what might be wrong with my configuration?
>
> How could I explicitly install the backend certificate as "trusted"?
> I tried SSLProxyMachineCertificatePath, but also without success.
>
>
> --
> Josef Wolf
> jw@raven.inka.de

--
Josef Wolf
jw@raven.inka.de

Re: Proxy with ssl backend server [ In reply to ]
On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@raven.inka.de> wrote:
>
> I am trying to use apache as a proxy to pass requests to a https backend like this:
>
> <VirtualHost *:443>
>
> SSLProxyEngine on
> ProxyPass /service/ https://backend.do.main:4434/service
> ProxyPassReverse /service/ https://backend.do.main:4434/service
> ProxyPassReverseCookiePath / /service/
> ProxyHTMLURLMap https://backend.do.main:4434/service /service
> <Location /service/>
> SetEnv force-proxy-request-1.0 1
> SetEnv proxy-nokeepalive 1
> SetEnv proxy-sendcl
> ProxyHTMLEnable On
> ProxyHTMLExtended On
> LogLevel Debug
> ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> RequestHeader unset Accept-Encoding
> AuthName "Application /service"
> AuthType Basic
> AuthUserFile /m/b/httpd/passwd
> AuthGroupFile /m/b/httpd/group
> Require group service
> SSLRequireSSL
> RequestHeader set Authorization "Basic 123456778"
> RequestHeader set X_FORWARDED_PROTO 'https'
> </Location>
>
> </VirtualHost>
>
> This works fine for http backends, but with https, I get the following errors:

I tried this configuration and it works for me.

>
> [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

Do you build httpd by yourself? Which OS / httpd / openssl version? It
looks like httpd (mod_ssl) links/runs against an openssl version
different from the one it's been built with.

Regards;
Yann.

Re: Proxy with ssl backend server [ In reply to ]
On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@raven.inka.de> wrote:
> >
> > I am trying to use apache as a proxy to pass requests to a https backend like this:
> >
> > <VirtualHost *:443>
> >
> > SSLProxyEngine on
> > ProxyPass /service/ https://backend.do.main:4434/service
> > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > ProxyPassReverseCookiePath / /service/
> > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > <Location /service/>
> > SetEnv force-proxy-request-1.0 1
> > SetEnv proxy-nokeepalive 1
> > SetEnv proxy-sendcl
> > ProxyHTMLEnable On
> > ProxyHTMLExtended On
> > LogLevel Debug
> > ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > RequestHeader unset Accept-Encoding
> > AuthName "Application /service"
> > AuthType Basic
> > AuthUserFile /m/b/httpd/passwd
> > AuthGroupFile /m/b/httpd/group
> > Require group service
> > SSLRequireSSL
> > RequestHeader set Authorization "Basic 123456778"
> > RequestHeader set X_FORWARDED_PROTO 'https'
> > </Location>
> >
> > </VirtualHost>
> >
> > This works fine for http backends, but with https, I get the following errors:
>
> I tried this configuration and it works for me.

Yes. This is why I suspect it has to do with the way I generate the
self-signed certificate:

openssl req \
-new -newkey rsa:4096 \
-subj /C=DE/CN=backend \
-addext subjectAltName=DNS:backend.do.main \
-addext certificatePolicies=1.2.3.4 \
-x509 -nodes \
-days 3650 \
-out server-cert.pem \
-keyout server-key.pem

> > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> Do you build httpd by yourself? Which OS / httpd / openssl version? It
> looks like httpd (mod_ssl) links/runs against an openssl version
> different from the one it's been built with.

This is not built by myself. All is stock opensuse-Leap-15.1.

Apache happily serves SSL to the clients. Only backend servers are not
working.

--
Josef Wolf
jw@raven.inka.de

Re: Proxy with ssl backend server [ In reply to ]
On Wed, May 31, 2023 at 2:52 PM Josef Wolf <jw@raven.inka.de> wrote:
>
> On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@raven.inka.de> wrote:
> > >
> > > I am trying to use apache as a proxy to pass requests to a https backend like this:
> > >
> > > <VirtualHost *:443>
> > >
> > > SSLProxyEngine on
> > > ProxyPass /service/ https://backend.do.main:4434/service
> > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > ProxyPassReverseCookiePath / /service/
> > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > <Location /service/>
> > > SetEnv force-proxy-request-1.0 1
> > > SetEnv proxy-nokeepalive 1
> > > SetEnv proxy-sendcl
> > > ProxyHTMLEnable On
> > > ProxyHTMLExtended On
> > > LogLevel Debug
> > > ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > > RequestHeader unset Accept-Encoding
> > > AuthName "Application /service"
> > > AuthType Basic
> > > AuthUserFile /m/b/httpd/passwd
> > > AuthGroupFile /m/b/httpd/group
> > > Require group service
> > > SSLRequireSSL
> > > RequestHeader set Authorization "Basic 123456778"
> > > RequestHeader set X_FORWARDED_PROTO 'https'
> > > </Location>
> > >
> > > </VirtualHost>
> > >
> > > This works fine for http backends, but with https, I get the following errors:
> >
> > I tried this configuration and it works for me.
>
> Yes. This is why I suspect it has to do with the way I generate the
> self-signed certificate:
>
> openssl req \
> -new -newkey rsa:4096 \
> -subj /C=DE/CN=backend \
> -addext subjectAltName=DNS:backend.do.main \
> -addext certificatePolicies=1.2.3.4 \
> -x509 -nodes \
> -days 3650 \
> -out server-cert.pem \
> -keyout server-key.pem
>
> > > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

I don't think it has to do with the certificate generated/configured
on the backend side. This error happens at the creation of the SSL
connection, no communication with the backend yet.

> >
> > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > looks like httpd (mod_ssl) links/runs against an openssl version
> > different from the one it's been built with.
>
> This is not built by myself. All is stock opensuse-Leap-15.1

I don't know which version/patches of httpd is shipped with
opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
above seems to work with the latest/upstream httpd-2.4.57 release.
Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
to ship httpd-2.4.57)?


Regards;
Yann.

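Yann's point above (an SSL_new() failure on a NULL context happens before a single byte reaches the backend, so the backend certificate cannot be the cause) is the distinction a small triage script can make automatically. The following is an added example for this thread, not code from httpd or from any of the posters: it parses the error_log lines Josef posted in the first message and reports whether the proxied request failed before or after a TLS handshake with the backend. The "certificate verify failed" burst is a constructed sample of the other failure mode; the exact wording of AH02003 and of the OpenSSL error string is assumed.

```python
"""Triage a mod_proxy/mod_ssl error_log burst: did the proxied request fail
before the proxy ever spoke TLS to the backend (local SSL-context problem) or
after the handshake ran (e.g. backend cert rejected)?  Added example, not httpd code."""
import re

HEAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
PEER_RE = re.compile(r"\[(?:client|remote) (?P<peer>[^\]]+)\]")
AH_RE = re.compile(r"\b(AH\d{5})\b")

# Lines copied from the first post of the thread (only the relevant ones).
THREAD_LINES = [
    "[Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434",
    "[Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434",
    "[Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context",
    "[Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx",
    "[Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)",
]
# Constructed sample of the other failure mode: TCP connects, the handshake
# runs, and OpenSSL rejects the backend certificate (message wording assumed).
VERIFY_FAIL_LINES = [
    "[Thu May 25 13:40:00.000001 2023] [proxy:debug] [pid 2260] proxy_util.c(2425): [client 109.43.178.5:13900] AH00947: connected /service/ to backend.do.main:4434",
    "[Thu May 25 13:40:00.000002 2023] [ssl:info] [pid 2260] [remote 192.168.1.106:4434] AH02003: SSL Proxy connect failed",
    "[Thu May 25 13:40:00.000003 2023] [ssl:info] [pid 2260] SSL Library Error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]

def parse_line(line):
    """Split one error_log line into fields; None if it is not an httpd line."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["msg"])
    code = AH_RE.search(rec["msg"])
    rec["peer"] = peer.group("peer") if peer else None
    rec["code"] = code.group(1) if code else None
    return rec

def triage(lines):
    """Classify one request's burst of lines; verdicts explained in the comments."""
    events = [e for e in map(parse_line, lines) if e]
    codes = {e["code"] for e in events if e["code"]}
    text = " ".join(e["msg"] for e in events)
    if "AH01962" in codes or "null ssl ctx" in text:
        verdict = "ssl-context-missing"  # SSL_new() had no SSL_CTX: no handshake happened
    elif "certificate verify failed" in text:
        verdict = "peer-cert-rejected"   # handshake ran; the backend cert is the problem
    elif "AH02003" in codes or any(e["module"] == "ssl" and e["level"] == "error" for e in events):
        verdict = "tls-handshake-failed"
    else:
        verdict = "no-tls-error"
    return {"verdict": verdict, "tcp_connected": "AH00947" in codes, "codes": sorted(codes)}
```

For Josef's burst the verdict is "ssl-context-missing" with tcp_connected True, which matches Yann's reading: the TCP connection to the backend succeeded, but the proxy had no SSL context to start a handshake with, so SSLProxyVerify and the backend's self-signed certificate never came into play.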
Re: Proxy with ssl backend server [ In reply to ]
On Wed, May 31, 2023 at 4:39 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> On Wed, May 31, 2023 at 2:52 PM Josef Wolf <jw@raven.inka.de> wrote:
> >
> > On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > > On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@raven.inka.de> wrote:
> > > >
> > > > I am trying to use apache as a proxy to pass requests to a https backend like this:
> > > >
> > > > <VirtualHost *:443>
> > > >
> > > > SSLProxyEngine on
> > > > ProxyPass /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverseCookiePath / /service/
> > > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > > <Location /service/>
> > > > SetEnv force-proxy-request-1.0 1
> > > > SetEnv proxy-nokeepalive 1
> > > > SetEnv proxy-sendcl
> > > > ProxyHTMLEnable On
> > > > ProxyHTMLExtended On
> > > > LogLevel Debug
> > > > ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > > > RequestHeader unset Accept-Encoding
> > > > AuthName "Application /service"
> > > > AuthType Basic
> > > > AuthUserFile /m/b/httpd/passwd
> > > > AuthGroupFile /m/b/httpd/group
> > > > Require group service
> > > > SSLRequireSSL
> > > > RequestHeader set Authorization "Basic 123456778"
> > > > RequestHeader set X_FORWARDED_PROTO 'https'
> > > > </Location>
> > > >
> > > > </VirtualHost>
> > > >
> > > > This works fine for http backends, but with https, I get the following errors:
> > >
> > > I tried this configuration and it works for me.
> >
> > Yes. This is why I suspect it has to do with the way I generate the
> > self-signed certificate:
> >
> > openssl req \
> > -new -newkey rsa:4096 \
> > -subj /C=DE/CN=backend \
> > -addext subjectAltName=DNS:backend.do.main \
> > -addext certificatePolicies=1.2.3.4 \
> > -x509 -nodes \
> > -days 3650 \
> > -out server-cert.pem \
> > -keyout server-key.pem
> >
> > > > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > > > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> I don't think it has to do with the certificate generated/configured
> on the backend side. This error happens at the creation of the SSL
> connection, no communication with the backend yet.
>
> > >
> > > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > > looks like httpd (mod_ssl) links/runs against an openssl version
> > > different from the one it's been built with.
> >
> > This is not built by myself. All is stock opensuse-Leap-15.1
>
> I don't know which version/patches of httpd is shipped with
> opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
> above seems to work with the latest/upstream httpd-2.4.57 release.
> Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
> to ship httpd-2.4.57)?

This looks like https://bz.apache.org/bugzilla/show_bug.cgi?id=62232
which was fixed in httpd-2.4.34.

>
>
> Regards;
> Yann.
