Hi there.
I'm attempting to set up a reverse proxy using OpenBSD-2.7, OpenSSL-0.9.5a,
mod_ssl-2.6.4_1.3.12, and Apache-1.3.12.
Up to this point, I've gotten the reverse proxy set up and it runs correctly
for retrieving port 80 based materials. But I cannot get Apache to launch
with SSL support.
Here is the error that I am getting from apache-rproxy.elog:
[Mon Jun 19 05:26:09 2000] [error] mod_ssl: Init: (openliness-qa.mydomain.com:443) Unable to configure RSA server private key (OpenSSL library error follows)
[Mon Jun 19 05:26:09 2000] [error] OpenSSL: error:0B080074::lib(11) :func(128) :reason(116)
Can anyone help me? I have the cert for openliness-qa on the rproxy server.
Do I actually need the key as well, or is the proxy becoming transparent
after the certificate has been passed from the proxy to the client? I'm
really curious why http will work, but attempting to start https is failing.
Here is my httpd.conf file.
##
## apache-rproxy.conf -- Apache configuration for Reverse Proxy Usage
##
# server type
ServerType standalone
Port 80
Listen 443
MinSpareServers 2
StartServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 100
# server operation parameters
KeepAlive on
MaxKeepAliveRequests 100
KeepAliveTimeout 15
Timeout 400
IdentityCheck off
HostnameLookups on
# paths to runtime files
PidFile /opt/apache/logs/apache-rproxy.pid
LockFile /opt/apache/logs/apache-rproxy.lock
ErrorLog /opt/apache/logs/apache-rproxy.elog
# unused paths
ServerRoot /opt/apache
DocumentRoot /tmp
CacheRoot /tmp
TypesConfig /dev/null
AccessConfig /dev/null
ResourceConfig /dev/null
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLEngine on
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/opt/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/opt/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /opt/apache/logs/ssl_engine_log
SSLLogLevel info
SSLCertificateFile /opt/apache/conf/ssl.crt/snakeoil-rsa.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/snakeoil-rsa.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /opt/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# speed up and secure processing
<Directory />
Options -FollowSymLinks -SymLinksIfOwnerMatch
AllowOverride None
</Directory>
# the status page for monitoring the reverse proxy
<Location /rproxy-status>
SetHandler server-status
</Location>
# enable the URL rewriting engine
RewriteEngine on
RewriteLogLevel 2
NameVirtualHost webhome.mydomain.com:80
NameVirtualHost openliness-qa.mydomain.com:443
<VirtualHost webhome.mydomain.com:80>
SSLDisable
ServerName webhome.mydomain.com
CustomLog /opt/apache/logs/apache-rproxy-wh.dlog "%{%v/%T}t %h -> %{SERVER}e URL: %U"
RewriteLog /opt/apache/logs/apache-rproxy-wh.rwlog
TransferLog /opt/apache/logs/apache-rproxy-wh.tlog
# define a rewriting map with value-lists where
# mod_rewrite randomly chooses a particular value
RewriteMap server rnd:/opt/apache/conf/apache-rproxy-wh.conf-servers
# make sure the status page is handled locally
# and make sure no one uses our proxy except ourself
RewriteRule ^/apache-rproxy-status.* - [L]
RewriteRule ^(http|ftp)://.* - [F]
# now choose the possible servers for particular URL types
RewriteRule ^/(.*\.(cgi|shtml))$ to://${server:dynamic}/$1 [S=1]
RewriteRule ^/(.*)$ to://${server:static}/$1
# and delegate the generated URL by passing it
# through the proxy module
RewriteRule ^to://([^/]+)/(.*) http://$1/$2 [E=SERVER:$1,P,L]
# and make really sure all other stuff is forbidden
# when it should survive the above rules...
RewriteRule .* - [F]
# enable the Proxy module without caching
ProxyRequests on
NoCache *
# set up URL reverse mapping for redirect responses
ProxyPassReverse / http://webhome.mydomain.com/
</VirtualHost>
<VirtualHost openliness-qa.mydomain.com:443>
ServerName openliness-qa.mydomain.com
SSLCertificateFile /opt/apache/conf/ol-cert.pem
CustomLog /opt/apache/logs/apache-rproxy-ol.dlog "%{%v/%T}t %h -> %{SERVER}e URL: %U"
RewriteLog /opt/apache/logs/apache-rproxy-ol.rwlog
TransferLog /opt/apache/logs/apache-rproxy-ol.tlog
# define a rewriting map with value-lists where
# mod_rewrite randomly chooses a particular value
RewriteMap server rnd:/opt/apache/conf/apache-rproxy-ol.conf-servers
# make sure the status page is handled locally
# and make sure no one uses our proxy except ourself
RewriteRule ^/apache-rproxy-status.* - [L]
RewriteRule ^(https|ftp)://.* - [F]
# now choose the possible servers for particular URL types
RewriteRule ^/(.*\.(cgi|shtml|jsp))$ to://${server:dynamic}/$1 [S=1]
RewriteRule ^/(.*)$ to://${server:static}/$1
# and delegate the generated URL by passing it
# through the proxy module
RewriteRule ^to://([^/]+)/(.*) https://$1/$2 [E=SERVER:$1,P,L]
# and make really sure all other stuff is forbidden
# when it should survive the above rules...
RewriteRule .* - [F]
# enable the Proxy module without caching
ProxyRequests on
NoCache *
# set up URL reverse mapping for redirect responses
ProxyPassReverse / https://openliness-qa.mydomain.com/
</VirtualHost>
Any help, or pointers to help are greatly appreciated.
Jared Schmidt, MCP
email: [EMAIL PROTECTED]
wwweb: http://dragon-rider.org
PowerStreak Networks, Inc.
Junior Network Analyst
email: [EMAIL PROTECTED]
wwweb: http://powerstreak.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
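
Added example, not part of the original post or of mod_ssl: the logged code 0B080074 is OpenSSL's X509_check_private_key "key values mismatch", and in the configuration above the :443 virtual host names ol-cert.pem without an SSLCertificateKeyFile of its own, while the only key configured is snakeoil-rsa.key. The script below is a pre-start check for that condition; the function names and the throwaway key pairs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a certificate and a private key belong together.

# cert_matches_key CERT KEY
# Returns 0 if the public key in CERT is the one derived from KEY,
# 1 if they differ, 2 if either file cannot be read or parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_pair DIR NAME CN
# Constructed test data: a throwaway self-signed cert and unencrypted key.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# describe CERT KEY: print a one-line verdict for the pair.
describe() {
    cert_matches_key "$1" "$2"
    case $? in
        0) echo "match:      $1 <-> $2" ;;
        1) echo "MISMATCH:   $1 <-> $2" ;;
        *) echo "unreadable: $1 or $2" ;;
    esac
}

workdir=$(mktemp -d) || exit 1
make_pair "$workdir" default default.example   # stands in for a global default pair
make_pair "$workdir" site site.example         # stands in for a vhost's own pair

describe "$workdir/site.crt" "$workdir/site.key"      # cert with its own key
describe "$workdir/site.crt" "$workdir/default.key"   # cert with the other pair's key
```

Run against real files, cert_matches_key takes the paths given to SSLCertificateFile and SSLCertificateKeyFile; a passphrase-protected key makes openssl prompt for the passphrase.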