Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Hi.

I am trying to set up reverse proxy load balancing using Apache.

I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and 
https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and 
https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html

What I want to achieve is:

HTTPS connection to my load balancer (which has an appropriate SSL certificate 
for its own URL) forwarding requests on to (currently two) HTTPS back-end 
servers (each of which also has an appropriate SSL certificate for its distinct 
URL).

I can get things working fine if I use HTTP for the "proxy to backend" 
connection.

As soon as I use HTTPS, I get "All workers are in error state".

Here is my (sanitised) configuration:

--------
ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

<Proxy balancer://url.mydomain.net>
    BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    ProxySet lbmethod=bytraffic
</Proxy>

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
--------


What happens is that every 10 seconds I get the following entries in 
/var/log/apache2/error.log:

[Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
[Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)

Plus the same thing for second.server.net

Now, I can see the "Hint: SSLProxyEngine", but I already have that in my 
VirtualHost definition, so I don't know what this hint is trying to hint at.

What I also do not understand is the "SSL Proxy requested for 
my.local.host.name:80" part.  I have completely disabled port 80 on this 
machine.  Apache is not listening on port 80, I do not need to use standard 
HTTP, and a packet capture shows that nothing is being sent to, or received 
on, port 80, anywhere.


If I change the BalancerMember URLs to use HTTP instead of HTTPS, the backend 
workers become available and I can proxy requests to them, but this is not how 
the eventual system is required to work.  I have to point at HTTPS-only 
backend servers.


So, what am I doing wrong, and/or what do I need to change in order to get 
BalancerMembers using HTTPS to become available for use?


Happy to supply any further details needed if people ask.


Thanks,


Antony.

-- 
All generalisations are inaccurate.

                                                   Please reply to the list;
                                                         please *don't* CC me.
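
One way to take apart the two log entries quoted in the post, added here as an example and not part of the original message: it pairs each AH01961 with the AH00961 logged by the same pid/tid and reports, per backend, the host:port that AH01961 names, so it can be compared with the VirtualHost that carries `SSLProxyEngine On`. The sample log is constructed (the post's two lines plus an invented pair for second.server.net), and `url.mydomain.net:443` as the expected context, like the function name, is an assumption.

```python
import re

# Apache 2.4 error-log layout: [time] [module:level] [pid N:tid M] [remote ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"\[(?P<time>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\[remote (?P<remote>[^\]]+)\] )?(?P<code>AH\d{5}): (?P<msg>.*)"
)
CONTEXT_RE = re.compile(r"SSL Proxy requested for (\S+) but not enabled")
BACKEND_RE = re.compile(r"failed to enable ssl support for (\S+) \(([^)]+)\)")

# Constructed sample: the first pair is the post's log lines rejoined; the
# second pair (second.server.net, 203.0.113.224) is invented for illustration.
SAMPLE_LOG = """\
[Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
[Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)
[Fri Sep 13 02:50:07.601210 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.224:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
[Fri Sep 13 02:50:07.601255 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.113.224:443 (second.server.net)
"""

def hcheck_ssl_failures(log_text, expected_context):
    """Map each backend in AH00961 to the server context its AH01961 named."""
    pending = {}  # (pid, tid) -> context from the latest unmatched AH01961
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread = (m["pid"], m["tid"])
        if m["code"] == "AH01961":
            ctx = CONTEXT_RE.search(m["msg"])
            if ctx:
                pending[thread] = ctx.group(1)
        elif m["code"] == "AH00961":
            backend = BACKEND_RE.search(m["msg"])
            if backend:
                entry = report.setdefault(
                    backend.group(2), {"failures": 0, "contexts": set()})
                entry["failures"] += 1
                entry["contexts"].add(pending.pop(thread, "unknown"))
    for entry in report.values():
        # True when the check ran under something other than the proxying vhost.
        entry["wrong_context"] = entry["contexts"] != {expected_context}
    return report

if __name__ == "__main__":
    # Assumed context id for the post's VirtualHost (ServerName:port).
    for name, info in hcheck_ssl_failures(SAMPLE_LOG, "url.mydomain.net:443").items():
        print(name, info)
```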
