On Saturday 14 September 2019 at 01:13:38, Santosh Kondapuram wrote:

> Can you try adding the following Apache directive setting it to none:
> SSLProxyVerify none

No, I'm not trying to reduce the security of the system, and all certificates are real, so they do verify correctly.

Antony.

> -----Original Message-----
> From: Antony Stone <Antony.Stone@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Friday, September 13, 2019 6:15 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: [EXT] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing
>
> > Hi.
> >
> > I am trying to set up reverse proxy load balancing using Apache.
> >
> > I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and
> > https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and
> > https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html
> >
> > What I want to achieve is:
> >
> > HTTPS connection to my load balancer (which has an appropriate SSL
> > certificate for its own URL) forwarding requests on to (currently two)
> > HTTPS back-end servers (each of which also has an appropriate SSL
> > certificate for its distinct URL).
> >
> > I can get things working fine if I use HTTP for the "proxy to backend"
> > connection.
> >
> > As soon as I use HTTPS, I get "All workers are in error state".
> >
> > Here is my (sanitised) configuration:
> >
> > --------
> > ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}
> >
> > <Proxy balancer://url.mydomain.net>
> > BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
> > BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
> > ProxySet lbmethod=bytraffic
> > </Proxy>
> >
> > <VirtualHost 198.51.100.222:443>
> > ServerName url.mydomain.net
> > SSLEngine On
> > SSLProxyEngine On
> > SSLCertificateFile /etc/url.mydomain.net.crt
> > SSLCertificateKeyFile /etc/url.mydomain.net.key
> > ProxyPass / balancer://url.mydomain.net/
> > ProxyPassReverse / balancer://url.mydomain.net/
> > </VirtualHost>
> > --------
> >
> > What happens is that every 10 seconds I get the following entries in
> > /var/log/apache2/error.log:
> >
> > [Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
> > [Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)
> >
> > Plus the same thing for second.server.net
> >
> > Now, I can see the "Hint: SSLProxyEngine", but I already have that in my
> > VirtualHost definition, so I don't know what this hint is trying to hint
> > at.
> >
> > What I also do not understand is the "SSL Proxy requested for
> > my.local.host.name:80" part. I have completely disabled port 80 on this
> > machine. Apache is not listening on port 80, I do not need to use
> > standard HTTP, and a packet capture shows that nothing is being sent to,
> > or received on, port 80, anywhere.
> >
> > If I change the BalancerMember URLs to use HTTP instead of HTTPS, the
> > backend workers become available and I can proxy requests to them, but
> > this is not how the eventual system is required to work. I have to point
> > at HTTPS-only backend servers.
> >
> > So, what am I doing wrong, and/or what do I need to change in order to get
> > BalancerMembers using HTTPS to become available for use?
> >
> > Happy to supply any further details needed if people ask.
> >
> > Thanks,
> >
> > Antony.
> >
> > --
> > All generalisations are inaccurate.
> >
> > Please reply to the list; please *don't* CC me.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

Please reply to the list; please *don't* CC me.
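The two error_log lines quoted in the original message, AH01961 from mod_ssl followed on the same pid:tid by AH00961 from the mod_proxy_hcheck health checker (the "HCOH" worker), are the signature to watch for when a BalancerMember with an https:// URL never leaves the error state. The script below is an added example, not code from the thread or from the Apache project: it parses Apache 2.4 error_log entries in the default layout, pairs each health-check failure with the mod_ssl error logged immediately before it on the same thread, and counts failures per backend. The first two sample lines are the ones quoted in the thread; the lines for second.server.net, the mpm_event notice and the malformed line are constructed, as are the address 203.0.113.224 and the second thread id.

```python
"""Correlate mod_proxy_hcheck probe failures with the mod_ssl errors that precede them."""
import re
from collections import defaultdict

# Default Apache 2.4 error_log layout:
#   [timestamp] [module:level] [pid P:tid T] [remote IP:port] AHnnnnn: message
# The [remote ...] field is only emitted by some modules, so it is optional here.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[remote (?P<remote>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

# mod_ssl AH01961: an outbound TLS connection was requested in a context where
# SSLProxyEngine is not on. The message names the host:port of that context.
SSLPROXY_RE = re.compile(
    r"SSL Proxy requested for (?P<target>\S+) but not enabled(?: \[Hint: (?P<hint>[^\]]+)\])?"
)
# mod_proxy_hcheck AH00961: the health-check probe could not set up TLS for a member.
HCOH_RE = re.compile(
    r"HCOH: failed to enable ssl support for (?P<addr>\S+) \((?P<worker>[^)]+)\)"
)


def parse_line(line):
    """Return the log fields as a dict, or None when the line is not in the expected layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = f"{rec['pid']}:{rec['tid'] or '-'}"
    return rec


def correlate(lines):
    """Pair each AH00961 probe failure with the AH01961 error logged just before it on the
    same pid:tid, and count failures per balancer member."""
    last_ssl_error = {}  # thread -> most recent unconsumed AH01961 record
    failures = defaultdict(lambda: {"addr": None, "count": 0, "causes": []})
    hints = set()
    unparsed = 0

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["code"] == "AH01961":
            m = SSLPROXY_RE.search(rec["msg"])
            if m:
                rec.update(m.groupdict())
                if m.group("hint"):
                    hints.add(m.group("hint"))
                last_ssl_error[rec["thread"]] = rec
        elif rec["code"] == "AH00961":
            m = HCOH_RE.search(rec["msg"])
            if not m:
                continue
            entry = failures[m.group("worker")]
            entry["addr"] = m.group("addr")
            entry["count"] += 1
            cause = last_ssl_error.pop(rec["thread"], None)
            entry["causes"].append(cause["target"] if cause else None)

    return {"failures": dict(failures), "hints": hints, "unparsed": unparsed}


# Sample input: lines 1-2 are quoted in the thread; the rest are constructed.
SAMPLE_LINES = [
    "[Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] "
    "[remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 "
    "but not enabled [Hint: SSLProxyEngine]",
    "[Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] "
    "AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)",
    "[Fri Sep 13 02:50:07.600812 2019] [ssl:error] [pid 8628:tid 140240731756288] "
    "[remote 203.0.113.224:443] AH01961: SSL Proxy requested for my.local.host.name:80 "
    "but not enabled [Hint: SSLProxyEngine]",
    "[Fri Sep 13 02:50:07.600860 2019] [proxy:error] [pid 8628:tid 140240731756288] "
    "AH00961: HCOH: failed to enable ssl support for 203.0.113.224:443 (second.server.net)",
    "[Fri Sep 13 02:50:07.601000 2019] [mpm_event:notice] [pid 8627:tid 140240800000000] "
    "AH00489: Apache/2.4.25 (Debian) configured -- resuming normal operations",
    "this line is not an Apache error_log entry",
]

if __name__ == "__main__":
    report = correlate(SAMPLE_LINES)
    for worker, info in report["failures"].items():
        print(f"{worker} ({info['addr']}): {info['count']} probe failure(s), "
              f"TLS refused in context(s) {info['causes']}")
    print("hints seen:", sorted(report["hints"]), "| unparsed lines:", report["unparsed"])
```

Run against the sanitised lines from the thread, the report attributes each failed probe to a member and records the context named in the preceding mod_ssl error. That context is the proxy's own hostname with port 80, the main server's defaults, rather than either backend, which is the detail worth comparing against the VirtualHost that carries SSLProxyEngine On when the hint appears to contradict the configuration.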