Hello list.

With the following configuration, mod_proxy works perfectly in the non-ssl vhost, but not in the ssl one. The client hangs a long time for an answer, which finally comes as a "Site error" message, with a "404 858" error status in the logs. The waiting time before the error occurs is longer than the mod_proxy timeout configuration.

<VirtualHost *:80>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/pki/tls/certs/foo.crt
    GnuTLSKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

Using debug log level, here is the log trace of a successful proxy connection:

[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(138): Adding CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(54): proxy: HTTP: canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1412): [client 195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/ for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy.c(819): Running scheme http handler (attempt 0)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP: serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1852): proxy: HTTP: has acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1913): proxy: connecting http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2012): proxy: connected / to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam 2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1478): proxy: start body send
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(528): cache: / not cached. Reason: Expires header already expired, not cacheable
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1567): proxy: end body send
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1870): proxy: HTTP: has released connection for (www.msr-inria.inria.fr)

Here is an unsuccessful one. The 'GnuTLS: Handshake Failed' makes me think that mod_gnutls tries to cipher the outgoing connection too, and fails:

[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(138): Adding CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(54): proxy: HTTP: canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1412): [client 195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/ for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy.c(819): Running scheme http handler (attempt 0)
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP: serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1852): proxy: HTTP: has acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1913): proxy: connecting http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2012): proxy: connected / to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam 2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] (104)Connection reset by peer: proxy: error reading status line from remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] (104)Connection reset by peer: proxy: error reading status line from remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has released connection for (*)
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has released connection for (*)

The same configuration worked perfectly with mod_ssl (we switched for SNI support).

I reported the issue to the mod_gnutls author (http://lists.outoforder.cc/pipermail/modules/2008-February/000097.html), but he told me to look for the mod_proxy maintainer's help, as he didn't know this module enough himself.

I had a quick look at the Apache bugzilla, but most issues I found were related to proxying ssl connections explicitly (as http://issues.apache.org/bugzilla/show_bug.cgi?id=29744), whereas my problem seems rather to be with proxying a non-ssl connection from an ssl one.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
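
An added example, not part of the original post: a small Python triage script for the pattern visible in the failing trace, where `GnuTLS: Handshake Failed` is logged against 193.55.250.161, the backend address mod_proxy had just connected to on port 80, rather than against the browser's address. The sample lines are copied from the trace above; the function and field names are assumptions made for this example.

```python
import re
from datetime import datetime

# Sample input: lines copied from the failing trace quoted in the post.
SAMPLE = """\
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] (104)Connection reset by peer: proxy: error reading status line from remote server www.msr-inria.inria.fr
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
BACKEND = re.compile(
    r"proxy: HTTP: connection complete to (?P<ip>[\d.]+):(?P<port>\d+) \((?P<host>[^)]+)\)")
TLS_FAIL = re.compile(r"\[client (?P<ip>[\d.]+)\] GnuTLS: Handshake Failed")


def find_backend_handshakes(log_text):
    """Flag TLS handshake failures logged against an address that the proxy
    itself connected to as a backend (i.e. not an inbound TLS client)."""
    backends = {}   # backend ip -> (connect time, port, hostname)
    seen = set()    # the trace logs each error twice; report it once
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        b = BACKEND.search(m["msg"])
        if b:
            backends[b["ip"]] = (ts, int(b["port"]), b["host"])
            continue
        f = TLS_FAIL.search(m["msg"])
        if f and f["ip"] in backends and (f["ip"], ts) not in seen:
            seen.add((f["ip"], ts))
            t0, port, host = backends[f["ip"]]
            findings.append({"backend_ip": f["ip"], "port": port, "host": host,
                             "stall_seconds": int((ts - t0).total_seconds())})
    return findings


if __name__ == "__main__":
    for hit in find_backend_handshakes(SAMPLE):
        print("TLS handshake attempted on proxied backend connection:", hit)
```

On the sample it reports one finding for 193.55.250.161 port 80, with the gap between the backend connect and the handshake failure, which is the long wait the client sees.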