Re: Proxy with ssl backend server

On Wed, May 31, 2023 at 4:39 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
>
> On Wed, May 31, 2023 at 2:52 PM Josef Wolf <jw@xxxxxxxxxxxxx> wrote:
> >
> > On Wed, May 31, 2023 at 10:58:27AM +0200, Yann Ylavic wrote:
> > > On Thu, May 25, 2023 at 2:38 PM Josef Wolf <jw@xxxxxxxxxxxxx> wrote:
> > > >
> > > > I am trying to use apache as a proxy to pass requests to an https backend like this:
> > > >
> > > >   <VirtualHost *:443>
> > > >
> > > >     SSLProxyEngine       on
> > > >     ProxyPass            /service/ https://backend.do.main:4434/service
> > > >     ProxyPassReverse     /service/ https://backend.do.main:4434/service
> > > >     ProxyPassReverseCookiePath / /service/
> > > >     ProxyHTMLURLMap https://backend.do.main:4434/service /service
> > > >     <Location            /service/>
> > > >       SetEnv force-proxy-request-1.0 1
> > > >       SetEnv proxy-nokeepalive 1
> > > >       SetEnv proxy-sendcl
> > > >       ProxyHTMLEnable On
> > > >       ProxyHTMLExtended On
> > > >       LogLevel Debug
> > > >       ProxyHTMLURLMap https://backend.do.main:4434/service/service/
> > > >       RequestHeader unset Accept-Encoding
> > > >       AuthName        "Application /service"
> > > >       AuthType Basic
> > > >       AuthUserFile    /m/b/httpd/passwd
> > > >       AuthGroupFile   /m/b/httpd/group
> > > >       Require         group service
> > > >       SSLRequireSSL
> > > >       RequestHeader set Authorization "Basic 123456778"
> > > >       RequestHeader set X_FORWARDED_PROTO 'https'
> > > >     </Location>
> > > >
> > > >   </VirtualHost>
> > > >
> > > > This works fine for http backends, but with https, I get the following errors:
> > >
> > > I tried this configuration and it works for me.
> >
> > Yes. This is why I suspect it has to do with the way I generate the
> > self-signed certificate:
> >
> >    openssl req \
> >     -new -newkey rsa:4096 \
> >     -subj /C=DE/CN=backend \
> >     -addext subjectAltName=DNS:backend.do.main \
> >     -addext certificatePolicies=1.2.3.4 \
> >     -x509 -nodes \
> >     -days 3650 \
> >     -out server-cert.pem \
> >     -keyout server-key.pem
> >
> > > >   [Thu May 25 13:34:04.690666 2023] [ssl:error] [pid 2259] [remote 192.168.1.106:4434] AH01962: Unable to create a new SSL connection from the SSL context
> > > >   [Thu May 25 13:34:04.690700 2023] [ssl:error] [pid 2259] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>
> I don't think it has to do with the certificate generated/configured
> on the backend side. This error happens at the creation of the SSL
> connection, no communication with the backend yet.
>
> > >
> > > Do you build httpd by yourself? Which OS / httpd / openssl version? It
> > > looks like httpd (mod_ssl) links/runs against an openssl version
> > > different from the one it's been built with.
> >
> > This is not built by myself. All is stock opensuse-Leap-15.1
>
> I don't know which version/patches of httpd are shipped with
> opensuse-Leap-15.1 (httpd-2.4.33 possibly?), but the configuration
> above seems to work with the latest/upstream httpd-2.4.57 release.
> Maybe you can give the latest opensuse-Leap a try (15.4 or 15.5 seem
> to ship httpd-2.4.57)?

This looks like https://bz.apache.org/bugzilla/show_bug.cgi?id=62232
which was fixed in httpd-2.4.34.

>
>
> Regards;
> Yann.
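Added example, not code from the thread: it re-runs the poster's openssl command and then applies the hostname check a proxy would make if it were configured to verify the backend (mod_ssl only verifies the backend certificate with SSLProxyVerify require, trusting what SSLProxyCACertificateFile names; for a self-signed backend that file is the backend cert itself). The 2048-bit key and the temp directory are my assumptions, the rest mirrors the post.

```shell
#!/bin/sh
# Generate the self-signed backend cert the way the post does, then check whether
# it would pass hostname verification for backend.do.main, the host in ProxyPass.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same invocation as the post; key shortened to 2048 bits only to keep the run fast.
gen_backend_cert() {
    openssl req -new -newkey rsa:2048 \
        -subj /C=DE/CN=backend \
        -addext subjectAltName=DNS:backend.do.main \
        -addext certificatePolicies=1.2.3.4 \
        -x509 -nodes -days 3650 \
        -out "$WORK/server-cert.pem" -keyout "$WORK/server-key.pem" 2>/dev/null
}

# Returns 0 when the cert chains to a trusted root AND matches the given hostname.
# -CAfile is the cert itself because it is self-signed: this is the file you would
# point SSLProxyCACertificateFile at. Only the SAN is consulted once one is present,
# so the bare CN "backend" does not make the cert valid for that name.
proxy_would_accept() {
    openssl verify -CAfile "$WORK/server-cert.pem" \
        -verify_hostname "$1" "$WORK/server-cert.pem" >/dev/null 2>&1
}

gen_backend_cert
proxy_would_accept backend.do.main && echo "backend.do.main: accepted"
proxy_would_accept backend && echo "CN 'backend': accepted" \
    || echo "CN 'backend' alone: rejected (SAN is authoritative)"
```

Point SSLProxyCACertificateFile at the same server-cert.pem and keep the ProxyPass hostname equal to the SAN; a mismatch here is what turns into a 502 from the proxy, which is unrelated to the "null ssl ctx" error in the thread.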
