Re: [users@httpd] Proxy with ssl backend server

2023-05-31 Thread Yann Ylavic
On Wed, May 31, 2023 at 4:39 PM Yann Ylavic  wrote:
>
> On Wed, May 31, 2023 at 2:52 PM Josef Wolf  wrote:
> >
> > On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > > On Thu, May 25, 2023 at 2:38 PM Josef Wolf  wrote:
> > > >
> > > > I am trying to use apache as a proxy to pass requests to a https 
> > > > backend like this:
> > > >
> > > >   
> > > >
> > > > SSLProxyEngine   on
> > > > ProxyPass        /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > > ProxyPassReverseCookiePath / /service/
> > > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > > 
> > > >   SetEnv force-proxy-request-1.0 1
> > > >   SetEnv proxy-nokeepalive 1
> > > >   SetEnv proxy-sendcl
> > > >   ProxyHTMLEnable On
> > > >   ProxyHTMLExtended On
> > > >   LogLevel Debug
> > > >   ProxyHTMLURLMap https://backend.do.main:4434/service /service/
> > > >   RequestHeader unset Accept-Encoding
> > > >   AuthName        "Application /service"
> > > >   AuthType        Basic
> > > >   AuthUserFile    /m/b/httpd/passwd
> > > >   AuthGroupFile   /m/b/httpd/group
> > > >   Require group service
> > > >   SSLRequireSSL
> > > >   RequestHeader set Authorization "Basic 123456778"
> > > >   RequestHeader set X_FORWARDED_PROTO 'https'
> > > > 
> > > >
> > > >   
> > > >
> > > > This works fine for http backends, but with https, I get the following errors:
> > >
> > > I tried this configuration and it works for me.
> >
> > Yes. This is why I suspect it has to do with the way I generate the
> > self-signed certificate:
> >
> >    openssl req \
> >      -new -newkey rsa:4096 \
> >      -subj /C=DE/CN=backend \
> >      -addext subjectAltName=DNS:backend.do.main \
> >      -addext certificatePolicies=1.2.3.4 \
> >      -x509 -nodes \
> >      -days 3650 \
> >      -out server-cert.pem \
> >      -keyout server-key.pem
> >
> > > >   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > > >   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> I don't think it has to do with the certificate generated/configured
> on the backend side. This error happens at the creation of the SSL
> connection, no communication with the backend yet.
>
> > >
> > > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > > looks like httpd (mod_ssl) links/runs against an openssl version
> > > different from the one it's been built with.
> >
> > This is not built by myself. All is stock opensuse-Leap-15.1
>
> I don't know which version/patches of httpd is shipped with
> opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
> above seems to work with the latest/upstream httpd-2.4.57 release.
> Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
> to ship httpd-2.4.57)?

This looks like https://bz.apache.org/bugzilla/show_bug.cgi?id=62232
which was fixed in httpd-2.4.34.

>
>
> Regards;
> Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Proxy with ssl backend server

2023-05-31 Thread Yann Ylavic
On Wed, May 31, 2023 at 2:52 PM Josef Wolf  wrote:
>
> On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > On Thu, May 25, 2023 at 2:38 PM Josef Wolf  wrote:
> > >
> > > I am trying to use apache as a proxy to pass requests to a https backend 
> > > like this:
> > >
> > >   
> > >
> > > SSLProxyEngine   on
> > > ProxyPass        /service/ https://backend.do.main:4434/service
> > > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > > ProxyPassReverseCookiePath / /service/
> > > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > 
> > >   SetEnv force-proxy-request-1.0 1
> > >   SetEnv proxy-nokeepalive 1
> > >   SetEnv proxy-sendcl
> > >   ProxyHTMLEnable On
> > >   ProxyHTMLExtended On
> > >   LogLevel Debug
> > >   ProxyHTMLURLMap https://backend.do.main:4434/service /service/
> > >   RequestHeader unset Accept-Encoding
> > >   AuthName        "Application /service"
> > >   AuthType        Basic
> > >   AuthUserFile    /m/b/httpd/passwd
> > >   AuthGroupFile   /m/b/httpd/group
> > >   Require group service
> > >   SSLRequireSSL
> > >   RequestHeader set Authorization "Basic 123456778"
> > >   RequestHeader set X_FORWARDED_PROTO 'https'
> > > 
> > >
> > >   
> > >
> > > This works fine for http backends, but with https, I get the following errors:
> >
> > I tried this configuration and it works for me.
>
> Yes. This is why I suspect it has to do with the way I generate the
> self-signed certificate:
>
>    openssl req \
>      -new -newkey rsa:4096 \
>      -subj /C=DE/CN=backend \
>      -addext subjectAltName=DNS:backend.do.main \
>      -addext certificatePolicies=1.2.3.4 \
>      -x509 -nodes \
>      -days 3650 \
>      -out server-cert.pem \
>      -keyout server-key.pem
>
> > >   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > >   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

I don't think it has to do with the certificate generated/configured
on the backend side. This error happens at the creation of the SSL
connection, no communication with the backend yet.

> >
> > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > looks like httpd (mod_ssl) links/runs against an openssl version
> > different from the one it's been built with.
>
> This is not built by myself. All is stock opensuse-Leap-15.1

I don't know which version/patches of httpd is shipped with
opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
above seems to work with the latest/upstream httpd-2.4.57 release.
Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
to ship httpd-2.4.57)?


Regards;
Yann.




Re: [users@httpd] Proxy with ssl backend server

2023-05-31 Thread Josef Wolf
On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> On Thu, May 25, 2023 at 2:38 PM Josef Wolf  wrote:
> >
> > I am trying to use apache as a proxy to pass requests to a https backend 
> > like this:
> >
> >   
> >
> > SSLProxyEngine   on
> > ProxyPass        /service/ https://backend.do.main:4434/service
> > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > ProxyPassReverseCookiePath / /service/
> > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > 
> >   SetEnv force-proxy-request-1.0 1
> >   SetEnv proxy-nokeepalive 1
> >   SetEnv proxy-sendcl
> >   ProxyHTMLEnable On
> >   ProxyHTMLExtended On
> >   LogLevel Debug
> >   ProxyHTMLURLMap https://backend.do.main:4434/service /service/
> >   RequestHeader unset Accept-Encoding
> >   AuthName        "Application /service"
> >   AuthType        Basic
> >   AuthUserFile    /m/b/httpd/passwd
> >   AuthGroupFile   /m/b/httpd/group
> >   Require group service
> >   SSLRequireSSL
> >   RequestHeader set Authorization "Basic 123456778"
> >   RequestHeader set X_FORWARDED_PROTO 'https'
> > 
> >
> >   
> >
> > This works fine for http backends, but with https, I get the following errors:
> 
> I tried this configuration and it works for me.

Yes. This is why I suspect it has to do with the way I generate the
self-signed certificate:

   openssl req \
     -new -newkey rsa:4096 \
     -subj /C=DE/CN=backend \
     -addext subjectAltName=DNS:backend.do.main \
     -addext certificatePolicies=1.2.3.4 \
     -x509 -nodes \
     -days 3650 \
     -out server-cert.pem \
     -keyout server-key.pem

> >   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> >   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> 
> Do you build httpd by yourself? Which OS / httpd / openssl version? It
> looks like httpd (mod_ssl) links/runs against an openssl version
> different from the one it's been built with.

This is not built by myself. All is stock opensuse-Leap-15.1

Apache happily serves SSL to the clients. Only backend servers are not
working.

-- 
Josef Wolf
j...@raven.inka.de




Re: [users@httpd] Proxy with ssl backend server

2023-05-31 Thread Yann Ylavic
On Thu, May 25, 2023 at 2:38 PM Josef Wolf  wrote:
>
> I am trying to use apache as a proxy to pass requests to a https backend like 
> this:
>
>   
>
> SSLProxyEngine   on
> ProxyPass        /service/ https://backend.do.main:4434/service
> ProxyPassReverse /service/ https://backend.do.main:4434/service
> ProxyPassReverseCookiePath / /service/
> ProxyHTMLURLMap https://backend.do.main:4434/service /service
> 
>   SetEnv force-proxy-request-1.0 1
>   SetEnv proxy-nokeepalive 1
>   SetEnv proxy-sendcl
>   ProxyHTMLEnable On
>   ProxyHTMLExtended On
>   LogLevel Debug
>   ProxyHTMLURLMap https://backend.do.main:4434/service /service/
>   RequestHeader unset Accept-Encoding
>   AuthName        "Application /service"
>   AuthType        Basic
>   AuthUserFile    /m/b/httpd/passwd
>   AuthGroupFile   /m/b/httpd/group
>   Require group service
>   SSLRequireSSL
>   RequestHeader set Authorization "Basic 123456778"
>   RequestHeader set X_FORWARDED_PROTO 'https'
> 
>
>   
>
> This works fine for http backends, but with https, I get the following errors:

I tried this configuration and it works for me.

>
>   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
>   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

Do you build httpd by yourself? Which OS / httpd / openssl version? It
looks like httpd (mod_ssl) links/runs against an openssl version
different from the one it's been built with.

Regards;
Yann.




Re: [users@httpd] Proxy with ssl backend server

2023-05-30 Thread Josef Wolf
No ideas on this one?

On Thu, May 25, 2023 at 02:37:50PM +0200, Josef Wolf wrote:
> Hello,
> 
> I am trying to use apache as a proxy to pass requests to a https backend like 
> this:
> 
>   
>   
> SSLProxyEngine   on
> ProxyPass        /service/ https://backend.do.main:4434/service
> ProxyPassReverse /service/ https://backend.do.main:4434/service
> ProxyPassReverseCookiePath / /service/
> ProxyHTMLURLMap https://backend.do.main:4434/service /service
> 
>   SetEnv force-proxy-request-1.0 1
>   SetEnv proxy-nokeepalive 1
>   SetEnv proxy-sendcl
>   ProxyHTMLEnable On
>   ProxyHTMLExtended On
>   LogLevel Debug
>   ProxyHTMLURLMap https://backend.do.main:4434/service /service/
>   RequestHeader unset Accept-Encoding
>   AuthName        "Application /service"
>   AuthType        Basic
>   AuthUserFile    /m/b/httpd/passwd
>   AuthGroupFile   /m/b/httpd/group
>   Require group service
>   SSLRequireSSL
>   RequestHeader set Authorization "Basic 123456778"
>   RequestHeader set X_FORWARDED_PROTO 'https'
> 
>   
>   
> 
> This works fine for http backends, but with https, I get the following errors:
> 
>   [Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
>   [Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
>   [Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
>   [Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
>   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
>   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>   [Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
>   [Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()
> 
> I guess the reason for this problem might be that the backend server uses
> a self-signed certificate created like this:
> 
>    openssl req \
>      -new -newkey rsa:4096 \
>      -subj /C=DE/CN=backend \
>      -addext subjectAltName=DNS:backend.do.main \
>      -addext certificatePolicies=1.2.3.4 \
>      -x509 -nodes \
>      -days 3650 \
>      -out server-cert.pem \
>      -keyout server-key.pem
> 
> I tried to disable the certificate check by adding the following options, but they
> did not help:
> 
> SSLProxyVerify   none
> SSLProxyCheckPeerCN Off
> SSLProxyCheckPeerName Off
> SSLProxyCheckPeerExpire Off
> 
> Any ideas what might be wrong with my configuration?
> 
> How could I explicitly install the backend certificate as "trusted"?
> I tried SSLProxyMachineCertificatePath, but also without success.
> 
> 
> -- 
> Josef Wolf
> j...@raven.inka.de
> 

-- 
Josef Wolf
j...@raven.inka.de




[users@httpd] Proxy with ssl backend server

2023-05-25 Thread Josef Wolf
Hello,

I am trying to use apache as a proxy to pass requests to a https backend like 
this:

  
  
SSLProxyEngine   on
ProxyPass        /service/ https://backend.do.main:4434/service
ProxyPassReverse /service/ https://backend.do.main:4434/service
ProxyPassReverseCookiePath / /service/
ProxyHTMLURLMap https://backend.do.main:4434/service /service

  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
  SetEnv proxy-sendcl
  ProxyHTMLEnable On
  ProxyHTMLExtended On
  LogLevel Debug
  ProxyHTMLURLMap https://backend.do.main:4434/service /service/
  RequestHeader unset Accept-Encoding
  AuthName        "Application /service"
  AuthType        Basic
  AuthUserFile    /m/b/httpd/passwd
  AuthGroupFile   /m/b/httpd/group
  Require group service
  SSLRequireSSL
  RequestHeader set Authorization "Basic 123456778"
  RequestHeader set X_FORWARDED_PROTO 'https'

  
  

This works fine for http backends, but with https, I get the following errors:

  [Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0)
  [Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434
  [Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434
  [Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443)
  [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
  [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
  [Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan)
  [Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 ()

I guess the reason for this problem might be that the backend server uses
a self-signed certificate created like this:

   openssl req \
     -new -newkey rsa:4096 \
     -subj /C=DE/CN=backend \
     -addext subjectAltName=DNS:backend.do.main \
     -addext certificatePolicies=1.2.3.4 \
     -x509 -nodes \
     -days 3650 \
     -out server-cert.pem \
     -keyout server-key.pem

I tried to disable the certificate check by adding the following options, but they
did not help:

SSLProxyVerify   none
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off

Any ideas what might be wrong with my configuration?

How could I explicitly install the backend certificate as "trusted"?
I tried SSLProxyMachineCertificatePath, but also without success.


-- 
Josef Wolf
j...@raven.inka.de

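Two checks a practitioner would want after reading this thread, as an added shell example (mine, not code from the thread or from the httpd project). The first follows Yann's diagnosis: tell from the `httpd -v` banner whether the installed httpd predates 2.4.34, the release he names as carrying the fix for bz 62232. The second addresses the original post's attempt to switch verification off with `SSLProxyVerify none` and to install the backend certificate as trusted: the directive for trusting a backend's self-signed certificate is `SSLProxyCACertificateFile` (`SSLProxyMachineCertificatePath`, which the post tried, configures client certificates that the proxy itself presents), and with it verification and peer-name checking can stay on. The function names, the sample banners, and the certificate path `/etc/apache2/ssl/backend-cert.pem` are assumptions; the backend host and port are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project. Assumed: the
# function names, the sample banners and the certificate path used below.

# Pull "2.4.33" out of an `httpd -v` / `apache2ctl -v` banner such as
# "Server version: Apache/2.4.33 (Linux)". Prints nothing when no match.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_at_least A B: succeed when dotted version A >= B, comparing each
# numeric component, so 2.4.10 ranks above 2.4.9 (a string compare would not).
version_at_least() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                # leading component of each
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi   # drop it
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}                # 2.4 compares equal to 2.4.0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# has_bz62232_fix BANNER: true when the httpd in BANNER is 2.4.34 or later,
# i.e. the release Yann names as the one that fixed bz 62232.
has_bz62232_fix() {
    v=$(httpd_version_from_banner "$1")
    [ -n "$v" ] && version_at_least "$v" 2.4.34
}

# render_proxy_trust_config HOST PORT CA_PEM: the mod_proxy/mod_ssl fragment
# that trusts exactly the backend's self-signed certificate (CA_PEM) and keeps
# peer-name checking on, instead of SSLProxyVerify none / CheckPeerName off.
render_proxy_trust_config() {
    host="$1" port="$2" ca="$3"
    cat <<EOF
SSLProxyEngine            on
# Trust anchor: the backend's own self-signed certificate, PEM encoded.
SSLProxyCACertificateFile $ca
SSLProxyVerify            require
SSLProxyCheckPeerName     on
SSLProxyCheckPeerExpire   on
ProxyPass        /service/ https://$host:$port/service/
ProxyPassReverse /service/ https://$host:$port/service/
EOF
}

# backend_cert_has_san CERT_PEM HOSTNAME: true when the certificate's
# subjectAltName lists DNS:HOSTNAME, the entries SSLProxyCheckPeerName matches
# when a SAN is present (the thread's cert has CN=backend, so the SAN is what
# makes backend.do.main verifiable). Needs the openssl CLI (1.1.1 or later).
backend_cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Stand-alone run: judge the local httpd, if one is installed, then print the
# trust configuration for the thread's backend.
for bin in httpd apache2ctl apachectl; do
    if command -v "$bin" >/dev/null 2>&1; then
        banner=$("$bin" -v 2>/dev/null | head -n 1)
        if has_bz62232_fix "$banner"; then
            echo "$banner: 2.4.34 or later, bz 62232 fix present"
        else
            echo "$banner: predates 2.4.34, bz 62232 may apply"
        fi
        break
    fi
done
render_proxy_trust_config backend.do.main 4434 /etc/apache2/ssl/backend-cert.pem
```

The rendered fragment keeps a trailing slash on both sides of `ProxyPass` so the mapped paths line up one to one, and it trusts only the single PEM named in `SSLProxyCACertificateFile`; a backend certificate that is rotated must therefore be copied to the proxy again, which is the intended effect of pinning rather than disabling verification. Run `backend_cert_has_san server-cert.pem backend.do.main` against the certificate produced by the thread's `openssl req` command to confirm the SAN that `SSLProxyCheckPeerName on` will be matched against.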