Re: [users@httpd] Apache 2.4 forward Proxy Configuration Issue
On Wed, Feb 15, 2017 at 6:59 AM, Tapas Mishra wrote:
> But when I am disabling SSL in the virtual host and trying to connect
> outbound http it's working.

Most clients expect to speak HTTP to the proxy.

--
Eric Covener
cove...@gmail.com
[users@httpd] Apache 2.4 forward Proxy Configuration Issue
Hi all,

I am trying to configure an Apache forward proxy with SSL, but I am not able to connect to an external host using the proxy. Below is my virtual host configuration.

    Listen 10.157.131.196:12149
    ServerName ech-10-157-131-196.test.com
    SSLEngine On
    SSLCertificateFile /opt/ssl/apache-selfsigned-new.crt
    SSLCertificateKeyFile /opt/ssl/apache-selfsigned-new.key
    ProxyVia On
    ProxyRequests On
    SSLProxyEngine On
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !https://www.google.com/ [NC]
    RewriteRule .* - [F]

*Scenario 1:* Using Curl try to access https://www.goole.com

    curl -v --proxy 10.157.131.196:12149 https://www.google.com
    * About to connect() to proxy 10.157.131.196 port 12149 (#0)
    * Trying 10.157.131.196... connected
    * Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
    * Establish HTTP proxy tunnel to www.google.com:443
    > CONNECT www.google.com:443 HTTP/1.1
    > Host: www.google.com:443
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21
    > Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Proxy-Connection: Keep-Alive
    >
    * Proxy CONNECT aborted
    * Closing connection #0
    curl: (56) Proxy CONNECT aborted

*Scenario 2:* Using Curl try to access http://www.google.com

    curl -v --proxy 10.157.131.196:12149 http://www.google.com
    * About to connect() to proxy 10.157.131.196 port 12149 (#0)
    * Trying 10.157.131.196... connected
    * Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
    > GET http://www.google.com/ HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21
    > Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: www.google.com
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 400 Bad Request
    < Date: Wed, 15 Feb 2017 10:03:52 GMT
    < Server: Apache
    < Content-Length: 362
    < Connection: close
    < Content-Type: text/html; charset=iso-8859-1
    <
    400 Bad Request
    Bad Request
    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.
    * Closing connection #0

But when I am disabling SSL in the virtual host and trying to connect outbound http it's working.

Virtual host Configuration:

    Listen 10.157.131.196:12149
    ServerName ech-10-157-131-196.test.com
    #SSLEngine On
    #SSLCertificateFile /opt/ssl/apache-selfsigned-new.crt
    #SSLCertificateKeyFile /opt/ssl/apache-selfsigned-new.key
    ProxyVia On
    ProxyRequests On
    #SSLProxyEngine On
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !https://www.google.com/ [NC]
    RewriteRule .* - [F]

*Scenario 1:* Using Curl try to access https://www.goole.com

    curl -v --proxy 10.157.131.196:12149 https://www.google.com
    * About to connect() to proxy 10.157.131.196 port 12149 (#0)
    * Trying 10.157.131.196... connected
    * Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
    * Establish HTTP proxy tunnel to www.google.com:443
    > CONNECT www.google.com:443 HTTP/1.1
    > Host: www.google.com:443
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21
    > Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 500 Internal Server Error
    < Date: Wed, 15 Feb 2017 10:13:15 GMT
    < Server: Apache
    < Content-Length: 546
    < Connection: close
    < Content-Type: text/html; charset=iso-8859-1
    <
    * Received HTTP code 500 from proxy after CONNECT
    * Closing connection #0
    curl: (56) Received HTTP code 500 from proxy after CONNECT

*Scenario 2:* Using Curl try to access http://www.google.com

    curl -v --proxy 10.157.131.196:12149 http://www.google.com
    * About to connect() to proxy 10.157.131.196 port 12149 (#0)
    * Trying 10.157.131.196... connected
    * Connected to 10.157.131.196 (10.157.131.196) port 12149 (#0)
    > GET http://www.google.com/ HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21
    > Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    > Host: www.google.com
    > Accept: */*
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 302 Found
    < Date: Wed, 15 Feb 2017 10:14:20 GMT
    < Server: Apache
    < Location: http://www.cfauth.com/?cfru=aHR0cDovL3d3dy5nb29nbGUuY29tLw==
    < Cache-Control: no-cache
    < Pragma: no-cache
    < Content-Type: text/html; charset=utf-8
    < Content-Length: 660
    < Via: 1.1 ech-10-157-131-196.test.com
    <
    Redirect
    Redirect (authentication_redirect_to_virtual_host)
[users@httpd] Processes starts
Hi,

When I am starting my httpd-2.4.23 servers, sometimes 6 process id's or sometimes 7 process id's are generated. Can I edit how many process id's I want to start? I am assuming 1 process id is of root and remaining 5 of its thread. Please help to know why this is happening and where it is stated how much to open?

Second doubt is I want to check process id's in access_log. I am editing %P for process id in format, and I am getting the correct value. I want to use %{format}P. I tried with this but this is not working, please help how to get pid,tid,hextid using %{format}P.

Thanks
Hemant
Re: [users@httpd] filtering by IP SAN entries in the client certificate
On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> Hi,
> I have a requirement to check incoming requests, something that would be
> succinctly expressed this way:
>
>
> Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>
>
> This would check that the request IP address is among the IP addresses
> in the client certificate.
>
> Unfortunately, this doesn't work:
> 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> mod_nss, which exports it
> 2. The expression evaluation engine doesn't know how to evaluate this
> kind of expression
> 3. I've tried using mod_lua for the expression, but it can't access this
> kind of environment variables (and the SSL specific only if exposed by
> mod_ssl, not other modules, like mod_nss)

Have you tried using a rewriterule hack to pass the var?

    RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]

that would expose it in mod_lua as r.subprocess_env['sanip'], provided mod_nss actually exposes it.

>
> I have run out of ideas on what to try.
>
> Please help.
>
> Thank you.
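The membership test asked for in this thread, written out as an added example (not code from the thread or from httpd): it compares parsed addresses rather than strings, so a shorter address that is a textual prefix of a SAN entry does not match and equivalent IPv6 spellings do. The comma/whitespace separator, the function names and the sample value are assumptions; the thread does not say how mod_nss formats the variable.

```python
import ipaddress
import re

# Constructed sample of what the variable passed along as "sanip" might hold.
SAMPLE_SAN = "192.0.2.10, 2001:db8::1"


def _canonical(text):
    """Parse one address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_san_ips(san_value):
    """Return the set of addresses in san_value (separator is an assumption)."""
    ips = set()
    for token in re.split(r"[,\s]+", (san_value or "").strip()):
        if not token:
            continue
        try:
            ips.add(_canonical(token))
        except ValueError:
            continue  # a malformed entry can never match anything
    return ips


def remote_addr_in_san(remote_addr, san_value):
    """True only if remote_addr parses and equals one SAN address; otherwise deny."""
    if not remote_addr or not san_value:
        return False  # no certificate data or no peer address: fail closed
    try:
        peer = _canonical(remote_addr)
    except ValueError:
        return False
    return peer in parse_san_ips(san_value)


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.1", "2001:DB8:0:0:0:0:0:1"):
        print(peer, remote_addr_in_san(peer, SAMPLE_SAN))
```

A plain substring test would accept 192.0.2.1 against an entry of 192.0.2.10; the parsed comparison rejects it.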
[users@httpd] filtering by IP SAN entries in the client certificate
Hi,

I have a requirement to check incoming requests, something that would be succinctly expressed this way:

    Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"

This would check that the request IP address is among the IP addresses in the client certificate.

Unfortunately, this doesn't work:
1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to mod_nss, which exports it
2. The expression evaluation engine doesn't know how to evaluate this kind of expression
3. I've tried using mod_lua for the expression, but it can't access this kind of environment variables (and the SSL specific only if exposed by mod_ssl, not other modules, like mod_nss)

I have run out of ideas on what to try.

Please help.

Thank you.
Re: [users@httpd] Session disconnection
Hi,

On Wed, Feb 15, 2017 at 7:32 AM, Fady Haikal wrote:
>
> Disable reuse set to on means that it will disconnect the connection
> once the proxy call is completed. So this will affect the AJAX
> functions that required the connection to be always on.

Hmm, mod_proxy_http will close the connection once there is nothing more expected on it from an HTTP point of view, so nothing should break with or without keepalive.

If this is the case (i.e. protocol is WebSocket), maybe you'd need mod_proxy_wstunnel instead?

Regards,
Yann.
Re: [users@httpd] Session disconnection
2017-02-14 16:55 GMT+01:00 Fady Haikal:
> Luca,
> Apache/2.4.18 (Win64)
>
> 10.114.119.* are the clients machines, 10.114.43.102 and 10.114.43.103
> are the app servers
>
> yes i can see 502 in the httpd access log but all are related to a
> specific ajax we are using in our application, in other words it's not
> related to the disconnection issues we are facing
>
> from application server i cannot see any error, but from the client
> machine the session expired
>

For this kind of debugging issues I'd suggest you to follow up in the #httpd IRC Freenode channel, because we might need to ask you a lot of questions and the mailing lists might be a bit overkill.

Thanks!

Luca