On Wed, May 31, 2023 at 2:52 PM Josef Wolf <j...@raven.inka.de> wrote:
> On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > On Thu, May 25, 2023 at 2:38 PM Josef Wolf <j...@raven.inka.de> wrote:
> > >
> > > I am trying to use apache as a proxy to pass requests to a https backend 
> > > like this:
> > >
> > >   <VirtualHost *:443>
> > >
> > >     SSLProxyEngine       on
> > >     ProxyPass            /service/ https://backend.do.main:4434/service
> > >     ProxyPassReverse     /service/ https://backend.do.main:4434/service
> > >     ProxyPassReverseCookiePath / /service/
> > >     ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > >     <Location            /service/>
> > >       SetEnv force-proxy-request-1.0 1
> > >       SetEnv proxy-nokeepalive 1
> > >       SetEnv proxy-sendcl
> > >       ProxyHTMLEnable On
> > >       ProxyHTMLExtended On
> > >       LogLevel Debug
> > >       ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > >       RequestHeader unset Accept-Encoding
> > >       AuthName        "Application /service"
> > >       AuthType Basic
> > >       AuthUserFile    /m/b/httpd/passwd
> > >       AuthGroupFile   /m/b/httpd/group
> > >       Require         group service
> > >       SSLRequireSSL
> > >       RequestHeader set Authorization "Basic 123456778"
> > >       RequestHeader set X_FORWARDED_PROTO 'https'
> > >     </Location>
> > >
> > >   </VirtualHost>
> > >
> > > This works fine for http backends, but with https, I get the following errors:
> >
> > I tried this configuration and it works for me.
> Yes. This is why I suspect it has to do with the way I generate the
> self-signed certificate:
>    openssl req \
>     -new -newkey rsa:4096 \
>     -subj /C=DE/CN=backend \
>     -addext subjectAltName=DNS:backend.do.main \
>     -addext certificatePolicies= \
>     -x509 -nodes \
>     -days 3650 \
>     -out server-cert.pem \
>     -keyout server-key.pem
> > >   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 
> > >] AH01962: Unable to create a new SSL connection from 
> > > the SSL context
> > >   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library 
> > > Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

I don't think it has to do with the certificate generated/configured
on the backend side. This error happens at the creation of the SSL
connection, no communication with the backend yet.

> >
> > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > looks like httpd (mod_ssl) links/runs against an openssl version
> > different from the one it's been built with.
> This is not built by myself. All is stock opensuse-Leap-15.1

I don't know which version/patches of httpd is shipped with
opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
above seems to work with the latest/upstream httpd-2.4.57 release.
Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
to ship httpd-2.4.57)?
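
The suspicion raised in the reply above (mod_ssl linked or running against a different OpenSSL than the one it was built with) can be checked on the proxy host by comparing what mod_ssl.so is linked to with what a running httpd process has mapped. This is an added example, not part of the original message: the function names are hypothetical and the sample paths and addresses are constructed. On a live host, feed `ldd <path to mod_ssl.so>` and `/proc/<httpd pid>/maps` into the two parsers.

```shell
#!/bin/sh
# Added example: compare the OpenSSL libraries mod_ssl.so is linked to with the
# ones actually mapped into a running httpd. All sample text is constructed.

# stdin: `ldd <mod_ssl.so>` output -> sonames of libssl/libcrypto
linked_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ { print $1 }' | sort -u
}

# stdin: /proc/<pid>/maps text -> file names of mapped libssl/libcrypto;
# a library replaced on disk since httpd started is marked "(deleted)"
mapped_libs() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ {
        n = split($6, p, "/"); print p[n] ($7 == "(deleted)" ? " (deleted)" : "")
    }' | sort -u
}

# $1: linked_libs output, $2: mapped_libs output -> "consistent" or "MISMATCH"
compare_libs() {
    if [ "$1" = "$2" ]; then echo consistent; else echo MISMATCH; fi
}

# Constructed samples (hypothetical paths and addresses)
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f3c2a400000)
    libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f3c29f00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3c29b00000)'

SAMPLE_MAPS_OK='7f3c29f00000-7f3c2a1b0000 r-xp 00000000 08:02 1311 /usr/lib64/libcrypto.so.1.1
7f3c2a400000-7f3c2a470000 r-xp 00000000 08:02 1312 /usr/lib64/libssl.so.1.1
7f3c2a470000-7f3c2a480000 rw-p 00070000 08:02 1312 /usr/lib64/libssl.so.1.1'

# Constructed case: a second OpenSSL generation mapped into the same process
SAMPLE_MAPS_MIXED="$SAMPLE_MAPS_OK
7f3c28000000-7f3c28060000 r-xp 00000000 08:02 2211 /usr/lib64/libssl.so.1.0.0
7f3c27c00000-7f3c27e00000 r-xp 00000000 08:02 2210 /usr/lib64/libcrypto.so.1.0.0"

if [ "${1:-}" = "--demo" ]; then
    linked=$(printf '%s\n' "$SAMPLE_LDD" | linked_libs)
    for maps in "$SAMPLE_MAPS_OK" "$SAMPLE_MAPS_MIXED"; do
        compare_libs "$linked" "$(printf '%s\n' "$maps" | mapped_libs)"
    done
fi
```

A MISMATCH or a "(deleted)" entry only shows that the process is not running the library set mod_ssl.so resolves to on disk; it does not by itself prove that this is the cause of the AH01962 error.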

