SessionCryptoPassphrase errors with reverse proxy

 
tallandtree



Joined: 31 Mar 2016
Posts: 4
Location: NL

Posted: Thu 31 Mar '16 13:06

I'm setting up Apache (2.4, from Docker Hub, latest httpd:2.4) in a Docker environment as a reverse proxy to other applications (Jenkins, dockerui, Jira, etc.) and use forms and sessions to authenticate to Jenkins. But I experience issues with the use of session encryption (through SessionCryptoPassphrase) only in combination with Jenkins.

Without SessionCryptoPassphrase set, everything works smoothly, no errors. But with encrypted sessions, I get a lot of random errors in the Apache error log on Jenkins pages (session_crypto:error and proxy:error) and the Jenkins site becomes slow and sometimes gives script errors in the browser.

Part of httpd-vhosts.conf:
Code:
SessionCryptoDriver openssl
Listen 443 https

<VirtualHost *:443>
  # Form-based login with an encrypted session cookie for everything under /
  <Location "/">
    AuthFormLoginRequiredLocation "/login.html"
    AuthFormLoginSuccessLocation "/index.html"
    AuthType form
    AuthFormProvider admin-users ldap-users
    LDAPReferrals Off
    AuthName realm
    Session On
    SessionCryptoPassphrase secret
    SessionCookieName mySession path=/; domain=mydomain.com; HttpOnly; secure
  </Location>
  # Target of the login form POST
  <Location "/dologin.html">
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation "/loginerror.html"
    AuthFormLoginSuccessLocation "/index.html"
    AuthFormProvider admin-users ldap-users
    LDAPReferrals Off
    AuthType form
    AuthName realm
    Session On
    SessionCryptoPassphrase secret
    SessionCookieName sys-yoda1Session path=/; domain=mydomain.com; HttpOnly; secure
  </Location>

  SSLEngine on
  SSLCertificateFile "/usr/local/apache2/conf/certs/server-cert.pem"
  SSLCertificateKeyFile "/usr/local/apache2/conf/certs/server-key.pem"
  ProxyRequests     Off
  ProxyPreserveHost On
  AllowEncodedSlashes NoDecode

  <Proxy *>
    SetEnv proxy-initial-not-pooled 1
    Require valid-user
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    # Drop any client-supplied value, then pass the authenticated user to the backend
    RequestHeader unset X-Forwarded-User
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1,NS]
    RequestHeader set X-Forwarded-User %{RU}e
  </Proxy>
  <Location "/cm-jenkins/">
    ProxyPass http://cm-jenkins:8080/cm-jenkins/ nocanon
    ProxyPassReverse http://cm-jenkins:8080/cm-jenkins/
    ProxyPassReverse http://mydomain.com/cm-jenkins/
  </Location>
</VirtualHost>


I've also tried with AJP instead of HTTP, but exactly the same behaviour (errors).

Error (random on page clicks in apache error log):

Code:
[Thu Mar 31 10:44:26.033743 2016] [session_crypto:error] [pid 8:tid 140165737998080] (100006)Error string not specified yet: [client 10.100.19.221:52592] AH01842: decrypt session failed, wrong passphrase?, referer: https://mydomain.com/cm-jenkins/asynchPeople/
[Thu Mar 31 10:44:26.033783 2016] [session:error] [pid 8:tid 140165737998080] (100006)Error string not specified yet: [client 10.100.19.221:52592] AH01817: error while decoding the session, session not loaded: /cm-jenkins/static/fb6c7098/images/24x24/user.png, referer: https://mydomain.com/cm-jenkins/asynchPeople/
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

Posted: Mon 04 Apr '16 12:15

There was a topic about that on the dev mailing list. I don't know if that patch ever went into trunk and the 2.4 branch.

See http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAPV0b05uD1TqXQ0LrgNu8UQzy9tB1suDWL4XZk9CGOvPmY-6gQ@mail.gmail.com%3E
tallandtree



Joined: 31 Mar 2016
Posts: 4
Location: NL

Posted: Mon 04 Apr '16 12:27

Not sure if that is the same issue, as I'm not changing the SessionCryptoPassphrase. But it can be related of course.
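
A triage helper for the error lines quoted in the first post, added here as an example and not written by anyone in this thread: it pairs each AH01842 with the AH01817 that the same worker thread logs for the same client, so you can see which request URIs and referring pages the decrypt failures hit. The function names are assumptions, and the second pair of sample lines is constructed.

```python
import re
from collections import Counter

# First two lines: the errors quoted in the first post. Last two: constructed for this example.
SAMPLE_LOG = """
[Thu Mar 31 10:44:26.033743 2016] [session_crypto:error] [pid 8:tid 140165737998080] (100006)Error string not specified yet: [client 10.100.19.221:52592] AH01842: decrypt session failed, wrong passphrase?, referer: https://mydomain.com/cm-jenkins/asynchPeople/
[Thu Mar 31 10:44:26.033783 2016] [session:error] [pid 8:tid 140165737998080] (100006)Error string not specified yet: [client 10.100.19.221:52592] AH01817: error while decoding the session, session not loaded: /cm-jenkins/static/fb6c7098/images/24x24/user.png, referer: https://mydomain.com/cm-jenkins/asynchPeople/
[Thu Mar 31 10:44:26.041200 2016] [session_crypto:error] [pid 8:tid 140165729605376] (100006)Error string not specified yet: [client 10.100.19.221:52593] AH01842: decrypt session failed, wrong passphrase?, referer: https://mydomain.com/cm-jenkins/asynchPeople/
[Thu Mar 31 10:44:26.041251 2016] [session:error] [pid 8:tid 140165729605376] (100006)Error string not specified yet: [client 10.100.19.221:52593] AH01817: error while decoding the session, session not loaded: /cm-jenkins/static/fb6c7098/images/24x24/gear.png, referer: https://mydomain.com/cm-jenkins/asynchPeople/
"""

# Apache 2.4 error-log line: [time] [module:level] [pid P:tid T] ... [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r".*?\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)
URI_RE = re.compile(r"session not loaded: (?P<uri>[^,\s]+)")
REF_RE = re.compile(r"referer: (?P<ref>\S+)\s*$")


def parse(log_text):
    """Yield one dict per log line that carries a client address and an AH code."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_requests(log_text):
    """Pair each AH01842 with the AH01817 logged next by the same thread and client."""
    pending = {}  # (pid, tid, client) -> timestamp of the decrypt failure
    failures = []
    for rec in parse(log_text):
        key = (rec["pid"], rec["tid"], rec["client"])
        if rec["code"] == "AH01842":
            pending[key] = rec["ts"]
        elif rec["code"] == "AH01817" and key in pending:
            uri, ref = URI_RE.search(rec["msg"]), REF_RE.search(rec["msg"])
            failures.append({"ts": pending.pop(key),
                             "uri": uri.group("uri") if uri else None,
                             "referer": ref.group("ref") if ref else None})
    return failures


def summarise(log_text):
    """Return (failures per request URI, failures per referring page)."""
    fails = failed_requests(log_text)
    return Counter(f["uri"] for f in fails), Counter(f["referer"] for f in fails)
```

Feed it the full error log in place of `SAMPLE_LOG` and compare the two counters to see whether the failures spread across many request URIs or come from a few referring pages.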