James Chamberlain wrote: > Turns out I had the wrong version in my previous message. It is actually > this: > > Apache/2.4.37 (Unix) mod_nss/1.0.18 NSS/3.40.1 mod_jk/1.2.37 configured > -- resuming normal operations > > For some reason the log shows the other version first, but I confirmed > that it is in fact 2.4.37. > > Is there any additional logging or debugging that you think could help > in identifying what is going on?
You might check the proxy log to see if it is being contact at all. If it is then a network trace may show TLS handshake errors. There are TRACE log levels in Apache which might provide additional output in the proxy module. rob > > Thank you, > > - James > > On Wed, Jan 2, 2019 at 1:16 PM Rob Crittenden <[email protected] > <mailto:[email protected]>> wrote: > > James Chamberlain wrote: > > Hello, > > > > I am testing out mod_nss 1.0.18 using the following combo: Server: > > Apache/2.4.20, Interface: mod_nss/1.0.18, Library: NSS/3.40.1 > > > > The requests from clients are coming in via https and being reverse > > proxied to an http endpoint using mod_proxy. > > > > The response to the browser takes a long time, but eventually the > > following is returned: > > > > > > Bad Request > > > > Your browser sent a request that this server could not understand. > > > > > > Here is an excerpt from the httpd error log: > > > > [Mon Dec 17 15:58:13.927232 2018] [:info] [pid 24535:tid > > 140117113034496] SSL library error 0 writing data > > > > [Mon Dec 17 15:58:13.927274 2018] [:info] [pid 24535:tid > > 140117113034496] SSL Library Error: 0 Unknown > > > > [Mon Dec 17 15:58:13.927331 2018] [proxy:error] [pid 24535:tid > > 140117113034496] (20014)Internal error (specific information not > > available): [client 192.168.20.1:52182 <http://192.168.20.1:52182> > <http://192.168.20.1:52182>] > > AH01084: pass request body failed to 127.0.0.1:6400 > <http://127.0.0.1:6400> > > <http://127.0.0.1:6400> (127.0.0.1) > > > > [Mon Dec 17 15:58:13.927369 2018] [proxy_http:error] [pid 24535:tid > > 140117113034496] [client 192.168.20.1:52182 > <http://192.168.20.1:52182> <http://192.168.20.1:52182>] > > AH01097: pass request body failed to 127.0.0.1:6400 > <http://127.0.0.1:6400> > > <http://127.0.0.1:6400> (127.0.0.1) from 192.168.20.1 (testclient) > > > > [Mon Dec 17 15:58:13.927382 2018] [proxy:debug] [pid 24535:tid > > 140117113034496] proxy_util.c(2330): AH00943: HTTP: has released > > connection for (127.0.0.1) > > > > [Mon Dec 17 15:58:13.927398 2018] [:debug] [pid 24535:tid > > 140117113034496] nss_engine_io.c(666): SSL connection destroyed > without > > being closed > > > > > > I'm not sure where to look for the problem. This all used to work just > > fine. Can anybody point me in the right direction? > > The only major change in 1.0.18 is to fix an issue with reverse proxies > introduced in Apache 2.4.33. It would appear the change isn't backwards > compatible with 2.4.20 (I did it last April and don't remember if I did > any testing on older Apache releases). > > So for now downgrading seems like the best bet. The only other changes > were some minor issues detected by clang-analyze. > > I'm not sure it is worth the effort to try to detect the version of > Apache and register the proxy callbacks dynamically or not. > > rob > _______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
