Hello,
I am trying to use Apache as a proxy to pass requests to an https backend like this:
<VirtualHost *:443>
    SSLProxyEngine on
    ProxyPass /service/ https://backend.do.main:4434/service
    ProxyPassReverse /service/ https://backend.do.main:4434/service
    ProxyPassReverseCookiePath / /service/
    ProxyHTMLURLMap https://backend.do.main:4434/service /service
    <Location /service/>
        SetEnv force-proxy-request-1.0 1
        SetEnv proxy-nokeepalive 1
        SetEnv proxy-sendcl
        ProxyHTMLEnable On
        ProxyHTMLExtended On
        LogLevel Debug
        ProxyHTMLURLMap https://backend.do.main:4434/service/service/
        RequestHeader unset Accept-Encoding
        AuthName "Application /service"
        AuthType Basic
        AuthUserFile /m/b/httpd/passwd
        AuthGroupFile /m/b/httpd/group
        Require group service
        SSLRequireSSL
        RequestHeader set Authorization "Basic 123456778"
        RequestHeader set X_FORWARDED_PROTO 'https'
    </Location>
</VirtualHost>
This works fine for http backends, but with https, I get the following errors:
[Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
[Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
[Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
[Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
[Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
[Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
[Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
[Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()
I guess the reason for this problem might be that the backend server uses
a self-signed certificate created like this:
openssl req \
    -new -newkey rsa:4096 \
    -subj /C=DE/CN=backend \
    -addext subjectAltName=DNS:backend.do.main \
    -addext certificatePolicies=1.2.3.4 \
    -x509 -nodes \
    -days 3650 \
    -out server-cert.pem \
    -keyout server-key.pem
I tried to disable the certificate check by adding the following options, but they did
not help:
SSLProxyVerify none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
Any ideas what might be wrong with my configuration?
How could I explicitly install the backend certificate as "trusted"?
I tried SSLProxyMachineCertificatePath, but also without success.
--
Josef Wolf
jw@raven.inka.de
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
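
Added example, not part of the original post: on the question of installing the backend certificate as trusted, mod_ssl takes the trust anchor for proxied connections from SSLProxyCACertificateFile, shown here beside the verification-off settings tried above. The certificate path is an assumption, and the fragment covers trust configuration only, not the cause of the AH01962 error.

```apache
<VirtualHost *:443>
    SSLProxyEngine on

    # Weak: the settings tried in the post. The backend connection is
    # encrypted, but the peer is not authenticated at all.
    #SSLProxyVerify none
    #SSLProxyCheckPeerCN Off
    #SSLProxyCheckPeerName Off
    #SSLProxyCheckPeerExpire Off

    # Hardened: trust exactly one certificate and verify against it.
    # A self-signed certificate is its own issuer, so the backend's
    # server-cert.pem (certificate only, never server-key.pem) serves
    # as the trust anchor.
    # The path is an assumption; place the file where httpd can read it.
    SSLProxyCACertificateFile /etc/httpd/ssl/backend-cert.pem
    SSLProxyVerify require

    # Compare the host name in the ProxyPass URL (backend.do.main)
    # with the certificate's subjectAltName, and reject expired certs.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # SSLProxyMachineCertificatePath is not a trust store: it holds the
    # client certificate and key the proxy presents to the backend.

    ProxyPass /service/ https://backend.do.main:4434/service
    ProxyPassReverse /service/ https://backend.do.main:4434/service
</VirtualHost>
```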