On Wed, May 31, 2023 at 2:52 PM Josef Wolf <jw@xxxxxxxxxxxxx> wrote:
>
> On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@xxxxxxxxxxxxx> wrote:
> > >
> > > I am trying to use apache as a proxy to pass requests to a https backend like this:
> > >
> > > <VirtualHost *:443>
> > >
> > >   SSLProxyEngine on
> > >   ProxyPass /service/ https://backend.do.main:4434/service
> > >   ProxyPassReverse /service/ https://backend.do.main:4434/service
> > >   ProxyPassReverseCookiePath / /service/
> > >   ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > >   <Location /service/>
> > >     SetEnv force-proxy-request-1.0 1
> > >     SetEnv proxy-nokeepalive 1
> > >     SetEnv proxy-sendcl
> > >     ProxyHTMLEnable On
> > >     ProxyHTMLExtended On
> > >     LogLevel Debug
> > >     ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > >     RequestHeader unset Accept-Encoding
> > >     AuthName "Application /service"
> > >     AuthType Basic
> > >     AuthUserFile /m/b/httpd/passwd
> > >     AuthGroupFile /m/b/httpd/group
> > >     Require group service
> > >     SSLRequireSSL
> > >     RequestHeader set Authorization "Basic 123456778"
> > >     RequestHeader set X_FORWARDED_PROTO 'https'
> > >   </Location>
> > >
> > > </VirtualHost>
> > >
> > > This works fine for http backends, but with https, I get following errors:
> >
> > I tried this configuration and it works for me.
>
> Yes. This is why I suspect it has to do with the way I generate the
> self-signed certificate:
>
> openssl req \
>     -new -newkey rsa:4096 \
>     -subj /C=DE/CN=backend \
>     -addext subjectAltName=DNS:backend.do.main \
>     -addext certificatePolicies=1.2.3.4 \
>     -x509 -nodes \
>     -days 3650 \
>     -out server-cert.pem \
>     -keyout server-key.pem
>
> > > [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > > [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

I don't think it has to do with the certificate generated/configured
on the backend side. This error happens at the creation of the SSL
connection, no communication with the backend yet.

> >
> > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > looks like httpd (mod_ssl) links/runs against an openssl version
> > different from the one it's been built with.
>
> This is not built by myself. All is stock opensuse-Leap-15.1

I don't know which version/patches of httpd is shipped with
opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
above seems to work with the latest/upstream httpd-2.4.57 release.
Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
to ship httpd-2.4.57)?

Regards;
Yann.