Topic: Configure https reverse proxy to serve http backend content
virtualks



Joined: 17 May 2013
Posts: 4
Location: US, Minneapolis

Posted: Fri 17 May '13 20:08    Post subject: Configure https reverse proxy to serve http backend content

Is the following configuration possible in 2.2?

client -https-> DMZ reverse proxy -http-> myserver

If so, I would really appreciate the relevant httpd.conf code. I cannot get it to work to save my life...
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3118
Location: Hilversum, NL, EU

Posted: Fri 17 May '13 20:35

Did you try the following in the conf of the DMZ server?
Code:
# In conf/httpd.conf :

ProxyRequests Off
<IfModule ssl_module>
Include conf/extra/httpd-ssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


# In conf/extra/httpd-ssl.conf :

Listen 443

SSLPassPhraseDialog builtin
SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost www.xxx.xxx:443>
DocumentRoot "x:/xxx/xxx"
ServerName www.xxx.xxx:443
errorLog x:/xxx/xxx/serror.log
ProxyPreserveHost On
ProxyPass         / http://myserver/
ProxyPassReverse / http://myserver/
 
SSLEngine on

SSLHonorCipherOrder On

SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

SSLCompression off

## edit the following to your needs ##
SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key
SSLCertificateChainFile conf/server.ca.crt
SSLCACertificateFile conf/ca-bundle.crt


## Edit log file locations to your needs ##
ErrorLog "c:/Apache24/logs/serror.log"

CustomLog "c:/Apache24/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
virtualks



Joined: 17 May 2013
Posts: 4
Location: US, Minneapolis

Posted: Fri 17 May '13 21:43

Steffen,

I copied the suggested text directly into the two conf files and now Apache does not start. Nothing is written to the log files and the Windows EventLog is not helpful:

The Apache2.2 service terminated with service-specific error Incorrect function..

Do I need to uncomment any further LoadModule directives?

I am running Apache 2.2.22 on Windows Server 2008 R2.
admin
Site Admin


Joined: 15 Oct 2005
Posts: 702

Posted: Fri 17 May '13 22:21

Just copying it is not the way; try to understand what is going on.

Nothing in the Windows Event Log?

Try to start httpd.exe in a command window.
virtualks



Joined: 17 May 2013
Posts: 4
Location: US, Minneapolis

Posted: Fri 17 May '13 22:40

Sorry, I did not mean that I copied the text EXACTLY - I modified it as appropriate to our environment.

I found out that the problem is "SSLCompression off" - it is apparently available only in 2.2.24 or higher.

When I comment that out, Apache starts, but I still get the IE popup "Do you want to view only the webpage content that was delivered securely?"

When I click "Yes" IE throws the "Navigation to the webpage was canceled" error.
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7404
Location: EU, Germany, Next to Hamburg

Posted: Sat 18 May '13 16:05

virtualks wrote:

When I comment that out, Apache starts, but I still get the IE popup "Do you want to view only the webpage content that was delivered securely?"

When I click "Yes" IE throws the "Navigation to the webpage was canceled" error.


Do you want to view only the webpage content that was delivered securely?

The issue seems to be in the HTML code itself. Try to click "NO". It seems that there is some stuff in the HTML code with http:// (often external resources or bad programming style). IE only says that some stuff does not come over https ;)
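The diagnosis in the post above (absolute http:// references in the backend's HTML) can be checked directly against a page fetched from the backend. The following is an added example, not part of the thread: `find_mixed_content`, the hostnames and the sample HTML are constructed for illustration. It lists the subresources that a browser would try to load over plain http once the page is served through the https proxy.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> class of content the browser fetches while rendering.
# <a href> is left out on purpose: a link is navigation, not a subresource.
FETCHED = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    """Collect subresources that would load over http:// on an https:// page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched for rendering
        for (t, name), kind in FETCHED.items():
            value = attrs.get(name)
            if t != tag or not value:
                continue
            # Relative and protocol-relative URLs inherit https from the page.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: markup from a backend that builds absolute http:// URLs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://backend.example:8080/app/style.css">
<link rel="canonical" href="http://backend.example:8080/app/logon.do">
<script src="/app/js/login.js"></script>
<script src="//cdn.example/lib.js"></script>
</head><body>
<img src="http://backend.example:8080/app/logo.png">
<a href="http://backend.example:8080/app/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    print(*find_mixed_content("https://www.example/app/logon.do", SAMPLE), sep="\n")
```

An "active" finding (script, stylesheet, iframe) is the kind browsers block outright; relative and protocol-relative references pass because they inherit the page's https scheme.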
virtualks



Joined: 17 May 2013
Posts: 4
Location: US, Minneapolis

Posted: Thu 23 May '13 20:43

The problem is that, while I can proxy http all day, I cannot proxy https. Here is the end of the error log:

[Thu May 23 11:28:14 2013] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (cogcsi01.ci.glendale.ca.us)
[Thu May 23 11:28:14 2013] [debug] proxy_util.c(2067): proxy: connecting http://cogcsi01.ci.glendale.ca.us:28501/tksprod/logon.do to cogcsi01.ci.glendale.ca.us:28501
[Thu May 23 11:28:14 2013] [debug] proxy_util.c(2193): proxy: connected /tksprod/logon.do to cogcsi01.ci.glendale.ca.us:28501
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#4dfe20 [mem: cd3ff0] (BIO dump follows)
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0000: 17 03 01 00 44 ....D |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1897): OpenSSL: read 68/68 bytes from BIO#4dfe20 [mem: cd3ff5] (BIO dump follows)
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0000: 32 34 24 fe c8 57 d5 47-c1 ee aa 07 14 c6 3c 4d 24$..W.G......<M |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0010: 7b 7e 63 20 89 66 e0 0d-c3 53 86 d1 b9 ec cf 02 {~c .f...S...... |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0020: 47 0a 36 e6 66 f4 01 57-ce c1 9f 8f 42 73 ae e5 G.6.f..W....Bs.. |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0030: 02 6d 9c 54 7a b5 44 84-ce c8 da 08 a4 9e e0 36 .m.Tz.D........6 |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1869): | 0040: a1 81 06 77 ...w |
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Thu May 23 11:28:14 2013] [debug] mod_proxy_http.c(1743): proxy: start body send
[Thu May 23 11:28:14 2013] [debug] mod_proxy_http.c(1847): proxy: end body send
[Thu May 23 11:28:14 2013] [debug] proxy_util.c(2029): proxy: HTTP: has released connection for (cogcsi01.ci.glendale.ca.us)
[Thu May 23 11:28:14 2013] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#4dfe20 [mem: cd3ff0]
[Thu May 23 11:28:14 2013] [info] [client 206.117.117.153] (70014)End of file found: SSL input filter read failed.
[Thu May 23 11:28:14 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Thu May 23 11:28:14 2013] [info] [client 206.117.117.153] Connection closed to child 63 with standard shutdown (server cogcsi.ci.glendale.ca.us:443)

Here is my SSL VirtualHost:

<VirtualHost *:443>
ServerAdmin timsmith@ci.glendale.ca.us
DocumentRoot "C:/temp"
ServerName https://cogcsi.ci.glendale.ca.us:443
ErrorLog "logs/err443.log"
CustomLog "logs/acc443.log" common
LogLevel debug
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
RewriteEngine On
RewriteOptions inherit
SSLEngine on
SSLProxyProtocol all -SSLv2
SSLOptions +StdEnvVars
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLProtocol all -SSLv2
SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\SSL\COGCSISSL.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\SSL\server.key"
SSLCertificateChainFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\SSL\intermediate.crt"
ProxyRequests off
ProxyPreserveHost On
ProxyPass /tksprod/ http://cogcsi01.ci.glendale.ca.us:28501/tksprod/
ProxyPassReverse /tksprod/ http://cogcsi01.ci.glendale.ca.us:28501/tksprod/
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>

Am I missing one or more SSL directives?