Andy,

What do you see in error logs and proxy logs when you try to bring up the web server?

On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.priv2@xxxxxxxxx> wrote:
Hello Igor, and many thanks for your comment!

I have followed your advice, but now the server refuses to start at all.

So now I have in httpd.conf:
------------------------------------------------
NameVirtualHost *:80
<VirtualHost *:80>
ServerName apachefrontend.example.com
ServerAlias appserver1.example.com appserver2.example.com
RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>
<VirtualHost *:443>
ServerName appserver1.example.com
ProxyRequests Off
ProxyPass / http://appserver1.backend
ProxyPassReverse / http://appserver1.backend
</VirtualHost>
<VirtualHost *:443>
ServerName appserver2.example.com
ProxyRequests Off
ProxyPass / http://appserver2.backend
ProxyPassReverse / http://appserver2.backend
</VirtualHost>
------------------------------------------------------------------------

And these uncommented lines in ssl.conf:
-----------------------------------------------------------------------
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ServerName apachefrontend.example.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
-----------------------------------------------------------------------------------
[root@www conf]# apachectl -S
[Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443 apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
_default_:443 apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
*:443 appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
*:443 appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
*:80 is a NameVirtualHost
default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
alias appserver1.example.com
alias appserver2.example.com
Syntax OK

.. and the server refuses to start at all..

Playing with NameVirtualHost: *.443 and/or explicitly specifying server names
with ServerName does not help me to get rid of the overlap on 443. At most, I
am receiving the missing SSL support errors for the backend servers (and I
cannot add SSL support for them, they have to remain plain HTTP)..

If you have any further ideas on what to try, please let me know.

Thanks again and best regards - Andy.

On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
On 08/03/2015 10:01 AM, "A M" <amm.priv2@xxxxxxxxx> wrote:
>
>
> Hello experts,
>
> I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> for a couple of plain backend HTTP servers sitting on a backend private
> network. The plaform is Centos 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>
> I first created three DNS entries, all pointing to the same public IP:
>
> apachefrontend.example.com
> appserver1.example.com
> appserver2.example.com
>
> I then generated the SSL cert and key for the frontend host and verified that
> SSL config was correct (all settings and key/cert were defined inside the file
> /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
> replied OK.
>
> I have then set up a forced redirection to port 443 on the mother
> server and defined two virtual hosts, in this manner:
>
> ..
> NameVirtualHost *:80
First change this:
> <VirtualHost *:80>
> ServerName apachefrontend.example.com
> RedirectMatch ^/(.*) https://apachefrontend.example.com/$1
> </VirtualHost>
to:
<VirtualHost *:80>
ServerName apachefrontend.example.com
ServerAlias appserver1.example.com appserver2.example.com
RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>

Then get rid of these two:
> <VirtualHost *:80>
> ServerName appserver1.example.com
> ProxyRequests Off
> ProxyPass / http://appserver1.backend/
> ProxyPassReverse / http://appserver1.backend/
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerName appserver2.example.com
> ProxyRequests Off
> ProxyPass / http://appserver2.backend/
> ProxyPassReverse / http://appserver2.backend/
> </VirtualHost>
> ..

More specifically, convert them to SSL vhosts:
<VirtualHost *:443>
ServerName appserver1.example.com
ProxyRequests Off
ProxyPass / http://appserver1.backend/
ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
ServerName appserver2.example.com
ProxyRequests Off
ProxyPass / http://appserver2.backend/
ProxyPassReverse / http://appserver2.backend/
</VirtualHost>

which will effectively do what you want, which is to terminate SSL on the frontend.
> Now,
>
> - If I go to "http://apachefrontend.example.com", I am
> correctly ending up at "https://apachefrontend.example.com";
>
> - If I go to "http://appserver1[2].example.com", I arrive to
> the backend servers allright, but only via the port 80.
>
> This behaviour is apparently correct, but so far I have not found
> the right configuration options needed to enforce the secure
> connection to the backend servers via the reverse proxy (I may
> not enable SSL on the backend servers as they are running some
> privately managed applications and cannot be tweaked).
>
> Could someone kindly post an example of working configuration
> of the same type?
>
> Thanks ahead for any advice!
>
> Andy.
>
>
>
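As an added example (not code from the thread or from either poster), a small Python lint that applies Apache 2.2 vhost rules to a constructed copy of the frontend layout discussed above: in 2.2, `*` and `_default_` are both wildcard addresses and overlap on the same port, name-based vhosts on 443 need `NameVirtualHost *:443`, `SSLEngine on` is per-vhost and not inherited from the `_default_` vhost, and mod_alias only expands `%{HTTP_HOST}` in Redirect targets from 2.4.19 onward. The sample config is constructed for the example and trimmed to the directives the checks look at.

```python
import re

# Constructed sample: httpd.conf and ssl.conf vhosts concatenated the way
# httpd reads them, reproducing the layout from the thread (Apache 2.2).
SAMPLE_CONF = """
NameVirtualHost *:80
<VirtualHost *:80>
ServerName apachefrontend.example.com
RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>
<VirtualHost *:443>
ServerName appserver1.example.com
ProxyPass / http://appserver1.backend/
</VirtualHost>
<VirtualHost _default_:443>
ServerName apachefrontend.example.com:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return a list of (address, {directive: [values]}) per <VirtualHost> block."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.strip().splitlines():
            parts = line.split(None, 1)
            if parts:
                directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
        vhosts.append((addr.strip(), directives))
    return vhosts

def lint(conf):
    """Heuristic checks for the symptoms seen in the thread; returns finding strings."""
    findings = []
    vhosts = parse_vhosts(conf)
    nvh = {m.lower() for m in re.findall(r"^\s*NameVirtualHost\s+(\S+)", conf, re.M | re.I)}
    on_443 = [(a, d) for a, d in vhosts if a.endswith(":443")]
    # 2.2: '*' and '_default_' are both wildcards, so mixing them on one port overlaps
    if {a.split(":")[0] for a, _ in on_443} >= {"*", "_default_"}:
        findings.append("overlap: both *:443 and _default_:443 vhosts; use one address form")
    if len(on_443) > 1 and "*:443" not in nvh:
        findings.append("name-based vhosts on 443 need 'NameVirtualHost *:443'")
    for addr, d in on_443:  # SSLEngine is per-vhost; without it, 443 serves plain HTTP
        if "on" not in [v.lower() for v in d.get("sslengine", [])]:
            findings.append(f"{d.get('servername', ['?'])[0]}: vhost on {addr} lacks 'SSLEngine on'")
    for _, d in vhosts:
        for target in d.get("redirectmatch", []):
            if "%{" in target:
                findings.append("RedirectMatch does not expand %{...} before 2.4.19; use mod_rewrite")
    return findings
```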