On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> On Thu, May 25, 2023 at 2:38 PM Josef Wolf <[email protected]> wrote:
> >
> > I am trying to use apache as a proxy to pass requests to a https backend
> > like this:
> >
> > <VirtualHost *:443>
> >
> > SSLProxyEngine on
> > ProxyPass /service/ https://backend.do.main:4434/service
> > ProxyPassReverse /service/ https://backend.do.main:4434/service
> > ProxyPassReverseCookiePath / /service/
> > ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > <Location /service/>
> > SetEnv force-proxy-request-1.0 1
> > SetEnv proxy-nokeepalive 1
> > SetEnv proxy-sendcl
> > ProxyHTMLEnable On
> > ProxyHTMLExtended On
> > LogLevel Debug
> > ProxyHTMLURLMap https://backend.do.main:4434/service /service/
> > RequestHeader unset Accept-Encoding
> > AuthName "Application /service"
> > AuthType Basic
> > AuthUserFile /m/b/httpd/passwd
> > AuthGroupFile /m/b/httpd/group
> > Require group service
> > SSLRequireSSL
> > RequestHeader set Authorization "Basic 123456778"
> > RequestHeader set X_FORWARDED_PROTO 'https'
> > </Location>
> >
> > </VirtualHost>
> >
> > This works fine for http backends, but with https, I get the following errors:
>
> I tried this configuration and it works for me.

Yes. This is why I suspect it has to do with the way I generate the
self-signed certificate:

    openssl req \
        -new -newkey rsa:4096 \
        -subj /C=DE/CN=backend \
        -addext subjectAltName=DNS:backend.do.main \
        -addext certificatePolicies=1.2.3.4 \
        -x509 -nodes \
        -days 3650 \
        -out server-cert.pem \
        -keyout server-key.pem

> > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote
> > 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the
> > SSL context
> > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library
> > Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> Do you build httpd by yourself? Which OS / httpd / openssl version? It
> looks like httpd (mod_ssl) links/runs against an openssl version
> different from the one it's been built with.

This is not built by myself. All is stock opensuse-Leap-15.1.
Apache happily serves SSL to the clients. Only backend servers are not
working.

--
Josef Wolf
[email protected]
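
Added example, not part of the thread: a shell sketch that regenerates a certificate with the subject and extensions from the openssl command above, then checks what a TLS client would see in it (hostname match, policy OIDs, key/cert pairing). The function names, the temporary directory and the 2048-bit key (chosen for speed) are assumptions of this example, and it does not establish the cause of the AH01962 error.

```shell
#!/bin/sh
# Added example. Hostname, subject and extensions are taken from the post;
# function names, temp dir and the 2048-bit key size are assumptions.
BACKEND_HOST=backend.do.main

# Create a self-signed cert/key pair with the same subject and extensions.
make_cert() {  # $1 = output directory
    openssl req -new -newkey rsa:2048 \
        -subj /C=DE/CN=backend \
        -addext "subjectAltName=DNS:$BACKEND_HOST" \
        -addext certificatePolicies=1.2.3.4 \
        -x509 -nodes -days 3650 \
        -out "$1/server-cert.pem" -keyout "$1/server-key.pem" 2>/dev/null
}

# True if the certificate is valid for the given hostname. OpenSSL ignores
# the subject CN once a DNS subjectAltName is present.
host_matches() {  # $1 = certificate file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Print the policy OIDs from the certificatePolicies extension, one per line.
cert_policies() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: //p'
}

# True if the private key belongs to the certificate (same public key).
key_matches_cert() {  # $1 = certificate file, $2 = private key file
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run on a freshly generated (constructed) certificate.
dir=$(mktemp -d) && make_cert "$dir" && {
    cert=$dir/server-cert.pem
    for h in "$BACKEND_HOST" backend; do
        if host_matches "$cert" "$h"; then echo "$h: matches"
        else echo "$h: does NOT match"; fi
    done
    echo "policies: $(cert_policies "$cert")"
    if key_matches_cert "$cert" "$dir/server-key.pem"; then
        echo "private key pairs with certificate"
    fi
    rm -rf "$dir"
}
```

The same functions can be pointed at the real server-cert.pem and server-key.pem on the backend; the name to test is the one used in the ProxyPass URL.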