Re: RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

SSLProxyEngine On must be defined where the balancer is defined, due to its members being SSL; try that, or move the balancer definition inside the virtual host.

On Sat, 14 Sep 2019, 1:14, Santosh Kondapuram <SKondapuram@xxxxxxxxxxxxx.invalid> wrote:
Can you try adding the following Apache directive, setting it to none: SSLProxyVerify none

Thanks,
Santosh.

-----Original Message-----
From: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, September 13, 2019 6:15 PM
To: users@xxxxxxxxxxxxxxxx
Subject: [EXT] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Hi.

I am trying to set up reverse proxy load balancing using Apache.

I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html

What I want to achieve is:

HTTPS connection to my load balancer (which has an appropriate SSL certificate for its own URL) forwarding requests on to (currently two) HTTPS back-end servers (each of which also has an appropriate SSL certificate for its distinct URL).

I can get things working fine if I use HTTP for the "proxy to backend" connection.

As soon as I use HTTPS, I get "All workers are in error state".

Here is my (sanitised) configuration:

--------
ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

<Proxy balancer://url.mydomain.net>
    BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    ProxySet lbmethod=bytraffic
</Proxy>

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
--------


What happens is that every 10 seconds I get the following entries in /var/log/apache2/error.log:

[Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
[Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)

Plus the same thing for second.server.net

Now, I can see the "Hint: SSLProxyEngine", but I already have that in my VirtualHost definition, so I don't know what this hint is trying to hint at.

What I also do not understand is the "SSL Proxy requested for my.local.host.name:80" part.  I have completely disabled port 80 on this machine.  Apache is not listening on port 80, I do not need to use standard HTTP, and a packet capture shows that nothing is being sent to, or received on, port 80, anywhere.


If I change the BalancerMember URLs to use HTTP instead of HTTPS, the backend workers become available and I can proxy requests to them, but this is not how the eventual system is required to work.  I have to point at HTTPS-only backend servers.


So, what am I doing wrong, and/or what do I need to change in order to get BalancerMembers using HTTPS to become available for use?


Happy to supply any further details needed if people ask.


Thanks,


Antony.

--
All generalisations are inaccurate.

                                                   Please reply to the list;
                                                         please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

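A corrected configuration for the setup described in Antony's post, added here as an example; it is not a config posted by anyone in this thread. It rests on one assumption, which is what the first reply and the AH01961 hint point at: the mod_proxy_hcheck watchdog that probes the BalancerMembers every hcinterval runs under the main server's settings (hence "my.local.host.name:80" in the log, the main server's own name and port, not a real port-80 connection), so an SSLProxyEngine On that lives only inside the VirtualHost never applies to it. The fix is to move SSLProxyEngine On to the global scope. It also keeps backend certificate verification on (SSLProxyVerify require) rather than switching it off with SSLProxyVerify none, because with none the balancer will complete a TLS handshake with anything that answers on 443, and the balancer-to-backend hop degrades to an unauthenticated connection. The path /etc/ssl/certs/backend-ca.pem is an assumed location for the CA bundle that issued the two backend certificates.

```apache
# Main server context: the hcheck watchdog probes BalancerMembers from here,
# not from inside the VirtualHost, so the proxy-side SSL switch must be global.
SSLProxyEngine On

# Verify the backend certificates instead of disabling the check with
# "SSLProxyVerify none". /etc/ssl/certs/backend-ca.pem is an assumed path
# for the CA bundle that issued first.server.net and second.server.net.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem
# Tie the presented certificate to the BalancerMember hostname (which is also
# the SNI name sent) and reject expired certificates.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

<Proxy balancer://url.mydomain.net>
    BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    ProxySet lbmethod=bytraffic
</Proxy>

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    # ProxyPreserveHost is left at its default (Off) on purpose: the backend
    # then sees Host: first.server.net / second.server.net, which is the name
    # its certificate carries and the name SSLProxyCheckPeerName verifies.
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
```

Check it with `apachectl configtest`, reload, and watch the error log for one or two hcinterval periods: the AH01961/AH00961 pair should stop and the workers should leave the error state. If a backend instead fails with a certificate verification error, that is the check doing its job; fix the CA bundle or the backend's certificate name rather than reaching for SSLProxyVerify none. On 2.4.25 keep the SSLProxy* directives in the server or virtual-host context as above; per-<Proxy> placement of these directives was only added in later 2.4 releases.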
