No ideas on this one? On Thu, May 25, 2023 at 02:37:50PM +0200, Josef Wolf wrote: > Hello, > > I am trying to use apache as a proxy to pass requests to a https backend like this: > > <VirtualHost *:443> > > SSLProxyEngine on > ProxyPass /service/ https://backend.do.main:4434/service > ProxyPassReverse /service/ https://backend.do.main:4434/service > ProxyPassReverseCookiePath / /service/ > ProxyHTMLURLMap https://backend.do.main:4434/service /service > <Location /service/> > SetEnv force-proxy-request-1.0 1 > SetEnv proxy-nokeepalive 1 > SetEnv proxy-sendcl > ProxyHTMLEnable On > ProxyHTMLExtended On > LogLevel Debug > ProxyHTMLURLMap https://backend.do.main:4434/service/service/ > RequestHeader unset Accept-Encoding > AuthName "Application /service" > AuthType Basic > AuthUserFile /m/b/httpd/passwd > AuthGroupFile /m/b/httpd/group > Require group service > SSLRequireSSL > RequestHeader set Authorization "Basic 123456778" > RequestHeader set X_FORWARDED_PROTO 'https' > </Location> > > </VirtualHost> > > This works fine for http backends, but with https, I get following errors: > > [Thu May 25 13:34:04.690065 2023] [proxy:debug] [pid 2259] mod_proxy.c(1245): [client 109.43.178.5:13845] AH01143: Running scheme https handler (attempt 0) > [Thu May 25 13:34:04.690076 2023] [proxy:debug] [pid 2259] proxy_util.c(2216): [client 109.43.178.5:13845] AH00944: connecting https://backend.do.main:4434/service/ to backend.do.main:4434 > [Thu May 25 13:34:04.690119 2023] [proxy:debug] [pid 2259] proxy_util.c(2425): [client 109.43.178.5:13845] AH00947: connected /service/ to backend.do.main:4434 > [Thu May 25 13:34:04.690559 2023] [ssl:info] [pid 2259] [remote 192.168.1.106:4434] AH01964: Connection to child 0 established (server lw.strangled.net:443) > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx > [Thu May 25 13:34:04.690749 2023] [proxy:error] [pid 2259] (103)Software caused connection abort: [client 109.43.178.5:13845] AH01084: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) > [Thu May 25 13:34:04.690783 2023] [proxy_http:error] [pid 2259] [client 109.43.178.5:13845] AH01097: pass request body failed to 192.168.1.106:4434 (vdr2.wolf.lan) from 109.43.178.5 () > > I guess, the reason for this problem might be that the backend server uses > a self signed certificate created like this: > > openssl req \ > -new -newkey rsa:4096 \ > -subj /C=DE/CN=backend \ > -addext subjectAltName=DNS:backend.do.main \ > -addext certificatePolicies=1.2.3.4 \ > -x509 -nodes \ > -days 3650 \ > -out server-cert.pem \ > -keyout server-key.pem \ > > I tried disable certificate check by addin following options, but the did > not help: > > SSLProxyVerify none > SSLProxyCheckPeerCN Off > SSLProxyCheckPeerName Off > SSLProxyCheckPeerExpire Off > > Any ideas what might be wrong with my configuration? > > How could I explicitly install the backend certificate as "trusted"? > I tried SSLProxyMachineCertificatePath, but also without success. > > > -- > Josef Wolf > jw@xxxxxxxxxxxxx > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > -- Josef Wolf jw@xxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|