Mailing List Archive

proxying SSL -> SSL
Hi guys.

I've sroogled & have found people suggesting working
examples, I thought I had some notes but now I'm thinking I
read that it should not work..
so I'm not sure what to think of this seemingly setup:

<VirtualHost siem.mine.priv:443>
  ServerAdmin webdev@lemko.xyz
  ServerName siem.mine.priv

  ErrorLog /var/log/httpd/siem.mine.priv-error_log
  CustomLog /var/log/httpd/siem.mine.priv-access_log common

  SSLProxyEngine on
  #SSLEngine on
  #SSLProxyVerify none
  #SSLProxyCheckPeerCN off
  SSLCertificateFile      /etc/pki/tls/certs/siem.mine.priv.crt
  SSLCertificateKeyFile /etc/pki/tls/private/siem.mine.priv.key
  #SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
  #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem

  # straight quotes: the curly quotes from the mail client would end up literally in the header value
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

  ProxyRequests Off
  #ProxyPreserveHost on
  #ProxyPass         / https://127.0.0.1:8443/
  #ProxyPassReverse  / https://127.0.0.1:8443/

  <Location "/">
    # preserve Host header to avoid cross-origin problems
    ProxyPreserveHost on
    # proxy to
    ProxyPass https://127.0.0.1:8443/
    ProxyPassReverse https://127.0.0.1:8443/
  </Location>

</VirtualHost>

As you can see I've fiddled with all those options in
different combinations but nothing works for me.
Would you know how to fix or... perhaps you have Apache
rev-proxying to Wazuh?

errors in log:
....
[Wed Oct 04 10:34:54.179364 2023] [proxy:error] [pid 1069029:tid 1069198] (20014)Internal error (specific information not available): [client 10.3.9.144:46858] AH01084: pass request body failed to 127.0.0.1:8443 (127.0.0.1)
[Wed Oct 04 10:34:54.179394 2023] [proxy:error] [pid 1069029:tid 1069198] [client 10.3.9.144:46858] AH00898: Error during SSL Handshake with remote server returned by /
[Wed Oct 04 10:34:54.179397 2023] [proxy_http:error] [pid 1069029:tid 1069198] [client 10.3.9.144:46858] AH01097: pass request body failed to 127.0.0.1:8443 (127.0.0.1) from 10.3.9.144 ()

many thanks, L.
RE: proxying SSL -> SSL [ In reply to ]
>
> Hi guys.
>
> I've sroogled & have found people suggesting working examples, I thought I
> had some notes but now I'm thinking I read that it should not work..
> so I'm not sure what to think of this seemingly setup:
>
> <VirtualHost siem.mine.priv:443>
> ServerAdmin webdev@lemko.xyz
> ServerName siem.mine.priv
>
> ErrorLog /var/log/httpd/siem.mine.priv-error_log
> CustomLog /var/log/httpd/siem.mine.priv-access_log common
>
> SSLProxyEngine on
> #SSLEngine on
> #SSLProxyVerify none
> #SSLProxyCheckPeerCN off
> SSLCertificateFile /etc/pki/tls/certs/siem.mine.priv.crt
> SSLCertificateKeyFile /etc/pki/tls/private/siem.mine.priv.key
> #SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
> #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem
>
> RequestHeader set X-Forwarded-Proto “https”
> RequestHeader set X-Forwarded-Port “443”
>
> ProxyRequests Off
> #ProxyPreserveHost on
> #ProxyPass / https://127.0.0.1:8443/
> #ProxyPassReverse / https://127.0.0.1:8443/
>
> <Location "/">
> # preserve Host header to avoid cross-origin problems
> ProxyPreserveHost on
> # proxy to
> ProxyPass https://127.0.0.1:8443/
> ProxyPassReverse https://127.0.0.1:8443/
> </Location>
>
> </VirtualHost>
>
> As you can see I've fiddled with all those options in different combinations
> but nothing works for me.
> Would you know how to fix or... perhaps you have Apache rev-proxying to
> Wazuh?
>

Have you added this
SSLProxyEngine on

Re: proxying SSL -> SSL [ In reply to ]
On 04/10/2023 10:40, lejeczek wrote:
> Hi guys.
>
> I've sroogled & have found people suggesting working
> examples, I thought I had some notes but now I'm thinking
> I read that it should not work..
> so I'm not sure what to think of this seemingly setup:
>
> <VirtualHost siem.mine.priv:443>
>   ServerAdmin webdev@lemko.xyz
>   ServerName siem.mine.priv
>
>   ErrorLog /var/log/httpd/siem.mine.priv-error_log
>   CustomLog /var/log/httpd/siem.mine.priv-access_log common
>
>   SSLProxyEngine on
>   #SSLEngine on
>   #SSLProxyVerify none
>   #SSLProxyCheckPeerCN off
>   SSLCertificateFile /etc/pki/tls/certs/siem.mine.priv.crt
>   SSLCertificateKeyFile
> /etc/pki/tls/private/siem.mine.priv.key
>   #SSLProxyCACertificateFile
> /etc/wazuh-indexer/certs/root-ca.pem
>   #SSLProxyMachineCertificateFile
> /etc/wazuh-indexer/certs/admin.pem
>
>   RequestHeader set X-Forwarded-Proto “https”
>   RequestHeader set X-Forwarded-Port “443”
>
>   ProxyRequests Off
>   #ProxyPreserveHost on
>   #ProxyPass         / https://127.0.0.1:8443/
>   #ProxyPassReverse  / https://127.0.0.1:8443/
>
>   <Location "/">
>     # preserve Host header to avoid cross-origin problems
>     ProxyPreserveHost on
>     # proxy to
>     ProxyPass https://127.0.0.1:8443/
>     ProxyPassReverse https://127.0.0.1:8443/
>   </Location>
>
> </VirtualHost>
>
> As you can see I've fiddled with all those options in
> different combinations but nothing works for me.
> Would you know how to fix or... perhaps you have Apache
> rev-proxying to Wazuh?
>
> errors in log:
> ....
> [Wed Oct 04 10:34:54.179364 2023] [proxy:error] [pid
> 1069029:tid 1069198] (20014)Internal error (specific
> information not available): [client 10.3.9.144:46858]
> AH01084: pass request body failed to 127.0.0.1:8443
> (127.0.0.1)
> [Wed Oct 04 10:34:54.179394 2023] [proxy:error] [pid
> 1069029:tid 1069198] [client 10.3.9.144:46858] AH00898:
> Error during SSL Handshake with remote server returned by /
> [Wed Oct 04 10:34:54.179397 2023] [proxy_http:error] [pid
> 1069029:tid 1069198] [client 10.3.9.144:46858] AH01097:
> pass request body failed to 127.0.0.1:8443 (127.0.0.1)
> from 10.3.9.144 ()
>
> many thanks, L.
ought... sometimes systemctl's _reload_ will not do but
"full" restart will
Re: proxying SSL -> SSL [ In reply to ]
First, do not define vhosts as <hostname>:PORT, but rather either *:443 or
IP:443.

Secondly, to proxy from TLS to TLS, you need both SSLEngine on and
SSLProxyEngine on.

Avoid proxying from a <Location> block, unless strictly necessary. Use the
vhost context. You can use the Location block to set headers instead.

Lastly, your TLS vhost requires SSLCertificateFile and
SSLCertificateKeyFile.

On Wed, Oct 4, 2023 at 7:38 AM lejeczek <peljasz@yahoo.co.uk.invalid> wrote:

>
>
> On 04/10/2023 10:40, lejeczek wrote:
>
> Hi guys.
>
> I've sroogled & have found people suggesting working examples, I thought I
> had some notes but now I'm thinking I read that it should not work..
> so I'm not sure what to think of this seemingly setup:
>
> <VirtualHost siem.mine.priv:443>
> ServerAdmin webdev@lemko.xyz
> ServerName siem.mine.priv
>
> ErrorLog /var/log/httpd/siem.mine.priv-error_log
> CustomLog /var/log/httpd/siem.mine.priv-access_log common
>
> SSLProxyEngine on
> #SSLEngine on
> #SSLProxyVerify none
> #SSLProxyCheckPeerCN off
> SSLCertificateFile /etc/pki/tls/certs/siem.mine.priv.crt
> SSLCertificateKeyFile /etc/pki/tls/private/siem.mine.priv.key
> #SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
> #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem
>
> RequestHeader set X-Forwarded-Proto “https”
> RequestHeader set X-Forwarded-Port “443”
>
> ProxyRequests Off
> #ProxyPreserveHost on
> #ProxyPass / https://127.0.0.1:8443/
> #ProxyPassReverse / https://127.0.0.1:8443/
>
> <Location "/">
> # preserve Host header to avoid cross-origin problems
> ProxyPreserveHost on
> # proxy to
> ProxyPass https://127.0.0.1:8443/
> ProxyPassReverse https://127.0.0.1:8443/
> </Location>
>
> </VirtualHost>
>
> As you can see I've fiddled with all those options in different
> combinations but nothing works for me.
> Would you know how to fix or... perhaps you have Apache rev-proxying to
> Wazuh?
>
> errors in log:
> ....
> [Wed Oct 04 10:34:54.179364 2023] [proxy:error] [pid 1069029:tid 1069198]
> (20014)Internal error (specific information not available): [client
> 10.3.9.144:46858] AH01084: pass request body failed to 127.0.0.1:8443
> (127.0.0.1)
> [Wed Oct 04 10:34:54.179394 2023] [proxy:error] [pid 1069029:tid 1069198]
> [client 10.3.9.144:46858] AH00898: Error during SSL Handshake with remote
> server returned by /
> [Wed Oct 04 10:34:54.179397 2023] [proxy_http:error] [pid 1069029:tid
> 1069198] [client 10.3.9.144:46858] AH01097: pass request body failed to
> 127.0.0.1:8443 (127.0.0.1) from 10.3.9.144 ()
>
> many thanks, L.
>
> ought... sometimes systemctl's _reload_ will not do but "full" restart will
>
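The original vhost rewritten along the lines of the reply above (wildcard address, both SSLEngine and SSLProxyEngine on, proxying in vhost context, headers in the Location block), as an added example that is not from the thread or from Wazuh's documentation. It reuses the paths from the original post and assumes the CA at /etc/wazuh-indexer/certs/root-ca.pem issued the certificate the listener on 127.0.0.1:8443 presents; it verifies that backend certificate instead of switching verification off.

```apache
# Added example, not the poster's config: paths are the ones from the
# original post, the backend CA/name assumptions are stated in the lead-in.
<VirtualHost *:443>
    ServerName  siem.mine.priv
    ServerAdmin webdev@lemko.xyz

    ErrorLog  /var/log/httpd/siem.mine.priv-error_log
    CustomLog /var/log/httpd/siem.mine.priv-access_log common

    # Front side: Apache terminates TLS for the browser.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/siem.mine.priv.crt
    SSLCertificateKeyFile /etc/pki/tls/private/siem.mine.priv.key

    # Back side: Apache is the TLS client towards the Wazuh listener, so
    # SSLProxyEngine is needed as well. Verify the backend certificate
    # against the CA that issued it rather than silencing the checks with
    # "SSLProxyVerify none" / "SSLProxyCheckPeerName off".
    SSLProxyEngine on
    SSLProxyCACertificateFile /etc/wazuh-indexer/certs/root-ca.pem
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    # Only if the backend demands a client certificate (mutual TLS):
    #SSLProxyMachineCertificateFile /etc/wazuh-indexer/certs/admin.pem

    # Proxy in vhost context, not from inside <Location>.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

    # The Location block is still fine for setting headers.
    <Location "/">
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port  "443"
    </Location>
</VirtualHost>
```

With peer-name checking on, the backend certificate must carry the name Apache connects under (the ProxyPass host, or the preserved Host header when ProxyPreserveHost is On); if the handshake then fails on the name, point ProxyPass at the name on the certificate or reissue the certificate rather than disabling the check.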