Topic: HTTP Proxy and SSL

[forumRP]

Hi All,


I wanted to configure the apache as below,

Client Browser -> HTTPS -> Apache Proxy -> HTTP -> JBOSS

Apache is used for load balancing purpose and SSL front end for users.

This site seems working ok but when i doing a load testing with WebloadUI software . when it reaches 10 users. errors are coming that ( Unable to decrypt SSL data from the server. Error 0x80090326 ) .

I think there are remaining configs need to do on apache. my ssl.conf config as below,

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/5domains.crt
SSLCertificateKeyFile /etc/pki/tls/private/5domains.key
SSLCertificateChainFile /etc/pki/tls/certs/5domains_intermediate.crt

<Location /Connect>
ProxyPass http://JBOSS-server-IP:8080/Connect
ProxyPassReverse http://JBOSS-server-IP:8080/Connect
Order Allow,Deny
Allow from all
</Location>


<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>



THANKS.

[James Blond]

I guess that is a renegotiation error of the SSL handshake.



I would try to remove the downgrade-1.0 force-response-1.0 for MSIE. All current IE don't need that downgrade

You may also take a look at http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslinsecurerenegotiation