• apache https reverse proxy

    From ian diddams@1:0/0 to All on Tue Jan 7 16:58:30 2014
    apache 2.2.20
    centos 6.4

    I had a http reverse proxy working fine within a apache ssl virtual host

    ProxyPass / http://sleepy:28080/
    ProxyPassReverse / http://sleepy:28080/

    However, this confuses jboss into thinking it's handling http traffic, so it returns an http address and breaks everything.

    So I just set up a https reverse proxy

    ProxyPass / https://sleepy:29443/
    ProxyPassReverse / https://sleepy:29443/


    .... but this doesn't work.

    apache error logs show

    [Tue Jan 07 16:34:03 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 192.168.64.20:29443 (sleepy)
    [Tue Jan 07 16:34:03 2014] [error] proxy: pass request body failed to 192.168.64.20:29443 (sleepy) from 192.168.52.204 ()

    a direct url for sleepy works fine.

    https://sleepy:29443/regadmin/login

    The cert on both the apache SSL server and the jboss implementation is self-signed (no real cert needed as this is internal/PoC etc etc etc).


    I've done various googling that suggests it's because of the self-signed cert that the reverse proxy fails... but I haven't been able to work out a workaround. There was a suggestion to use SSLProxyCheckPeerCN, but this errors - mod_ssl IS already loaded so dunno what is happening there.

    any pointers gratefully accepted

    ian
    ----

    <VirtualHost *:443>
    ServerAdmin ian@xxx.co.uk
    ServerName dev.xxx.co.uk
    ServerAlias *.dev.xxx.co.uk
    DocumentRoot /opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs
    <Directory "/opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
    # webserver requests
    ProxyPassMatch ^/(images|contents|js|css|CMS|eyesite|oneClickEdit)/.*$ !
    ProxyPassMatch ^/[^/]+\.[^/]+$ !
    ProxyPass /twmc http://goofy:7110/twmc
    ProxyPassReverse /twmc http://goofy:7110/twmc
    ProxyPass / https://sleepy:29443/
    ProxyPassReverse / https://sleepy:29443/
    # ProxyPass / http://sleepy:28080/
    # ProxyPassReverse / http://sleepy:28080/

    ErrorLog "logs/tdsweb-https-error_log"
    CustomLog "logs/tdsweb-https-access_log" common
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/opt/apache/2.2.20/conf/dev.crt"
    SSLCertificateKeyFile "/opt/apache/2.2.20/conf/dev.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/opt/apache/2.2.20/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog "/opt/apache/2.2.20/logs/ssl_request_log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobbs.
  • From ian diddams@1:0/0 to All on Thu Jan 9 12:30:09 2014
    update:

    setting LogLevel to debug I see these errors:

    [Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1814): OpenSSL: Read: SSLv2/v3 read server hello A
    [Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read server hello A
    [Thu Jan 09 12:09:39 2014] [info] [client 192.168.64.20] SSL Proxy connect failed
    [Thu Jan 09 12:09:39 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure


    didds

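The debug lines in the post above carry a packed OpenSSL error code (336032784, logged again as error:14077410) that can be decoded mechanically. The following is an added example and not code from the thread: it unpacks OpenSSL 1.0.x error codes into library, function and reason fields, recognises reason codes that encode a TLS alert sent by the peer, and runs over the thread's own log lines, embedded as constructed sample input so it works offline.

```python
"""Decode mod_ssl / OpenSSL errors from an Apache 2.2 error log.

Added example for this thread; not code from the original posts.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the log lines quoted in the thread, embedded here
# so the script runs offline instead of reading a live error_log.
SAMPLE_LOG = """\
[Tue Jan 07 16:34:03 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 192.168.64.20:29443 (sleepy)
[Tue Jan 07 16:34:03 2014] [error] proxy: pass request body failed to 192.168.64.20:29443 (sleepy) from 192.168.52.204 ()
[Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1814): OpenSSL: Read: SSLv2/v3 read server hello A
[Thu Jan 09 12:09:39 2014] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read server hello A
[Thu Jan 09 12:09:39 2014] [info] [client 192.168.64.20] SSL Proxy connect failed
[Thu Jan 09 12:09:39 2014] [info] SSL Library Error: 336032784 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason;
# mod_ssl logs the packed value in decimal and again in hex ("error:14077410").
ERR_LIB_SSL = 20              # 0x14: the SSL/TLS library itself
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 are received alerts: 1000 + alert number

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS: Dict[int, str] = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

SSL_ERR_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)
BACKEND_RE = re.compile(
    r"pass request body failed to (?P<ip>[\d.]+):(?P<port>\d+) \((?P<host>[^)]+)\)"
)


def unpack_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def alert_from_reason(lib: int, reason: int) -> Optional[Tuple[int, str]]:
    """Return (alert number, name) if the reason encodes a TLS alert from the peer."""
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return None
    alert = reason - SSL_AD_REASON_OFFSET
    return alert, TLS_ALERTS.get(alert, "unknown_alert")


def verdict(errors: List[Dict[str, object]]) -> str:
    """One-line reading of the decoded errors for the person holding the log."""
    for e in errors:
        if e["alert"] == "handshake_failure" and "SERVER_HELLO" in str(e["function"]):
            return ("backend answered our ClientHello with handshake_failure: per RFC 5246 it "
                    "could not negotiate acceptable security parameters (protocol version, "
                    "cipher suite, or a required client certificate)")
    alerts = [str(e["alert"]) for e in errors if e["alert"]]
    if alerts:
        return "backend sent TLS alert(s): " + ", ".join(alerts)
    return "local OpenSSL error, not an alert from the backend" if errors else "no SSL Library Error lines"


def analyze_log(text: str) -> Dict[str, object]:
    """Extract the proxied backend and decode every 'SSL Library Error' line."""
    backend: Optional[Tuple[str, int, str]] = None
    errors: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = BACKEND_RE.search(line)
        if m and backend is None:
            backend = (m["ip"], int(m["port"]), m["host"])
        m = SSL_ERR_RE.search(line)
        if not m:
            continue
        code = int(m["dec"])
        lib, func, reason = unpack_openssl_error(code)
        alert = alert_from_reason(lib, reason)
        errors.append({
            "code_hex": f"{code:08x}",                       # should equal the logged hex field
            "hex_consistent": f"{code:08x}" == m["hex"].lower(),
            "lib": lib, "func": func, "reason": reason,
            "function": m["func"],                           # e.g. SSL23_GET_SERVER_HELLO
            "alert_number": alert[0] if alert else None,
            "alert": alert[1] if alert else None,
        })
    return {"backend": backend, "errors": errors, "verdict": verdict(errors)}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    print("backend:", result["backend"])
    for err in result["errors"]:
        print(err)
    print("verdict:", result["verdict"])
```

Reason 1040 is alert 40, handshake_failure, received while Apache was still waiting for the backend's ServerHello, so the backend declined the proxy's ClientHello outright; a problem with the self-signed certificate would show up later in the handshake as a verification error on Apache's side, in a different function. The practical follow-up is to compare the protocol versions and cipher suites the backend accepts (for example with `openssl s_client -connect sleepy:29443`) against Apache's SSLProxyProtocol and SSLProxyCipherSuite settings, and, for the self-signed backend certificate, to trust that specific certificate with SSLProxyCACertificateFile rather than turning verification off.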
  • From Alexander Wiedergold WIEDERGOLD.NET@110:300/11 to All on Sat Jan 11 10:48:12 2014
    On 07.01.2014 17:58, ian diddams wrote:
    apache 2.2.20
    centos 6.4

    I had a http reverse proxy working fine within a apache ssl virtual host

    ProxyPass / http://sleepy:28080/
    ProxyPassReverse / http://sleepy:28080/

    However, this confuses jboss into thinking it's handling http traffic, so it returns an http address and breaks everything.

    So I just set up a https reverse proxy

    ProxyPass / https://sleepy:29443/
    ProxyPassReverse / https://sleepy:29443/


    ... but this doesn't work.

    apache error logs show

    [Tue Jan 07 16:34:03 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 192.168.64.20:29443 (sleepy)
    [Tue Jan 07 16:34:03 2014] [error] proxy: pass request body failed to 192.168.64.20:29443 (sleepy) from 192.168.52.204 ()

    a direct url for sleepy works fine.

    https://sleepy:29443/regadmin/login

    The cert on both the apache SSL server and the jboss implementation is self-signed (no real cert needed as this is internal/PoC etc etc etc).


    I've done various googling that suggests it's because of the self-signed cert that the reverse proxy fails... but I haven't been able to work out a workaround. There was a suggestion to use SSLProxyCheckPeerCN, but this errors - mod_ssl IS already loaded so dunno what is happening there.

    any pointers gratefully accepted

    ian
    ----

    <VirtualHost *:443>
    ServerAdmin ian@xxx.co.uk
    ServerName dev.xxx.co.uk
    ServerAlias *.dev.xxx.co.uk
    DocumentRoot /opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs
    <Directory "/opt/jboss/jboss-as-7.1.1.Final/server/tdsweb/htdocs">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>
    # webserver requests
    ProxyPassMatch ^/(images|contents|js|css|CMS|eyesite|oneClickEdit)/.*$ !
    ProxyPassMatch ^/[^/]+\.[^/]+$ !
    ProxyPass /twmc http://goofy:7110/twmc
    ProxyPassReverse /twmc http://goofy:7110/twmc
    ProxyPass / https://sleepy:29443/
    ProxyPassReverse / https://sleepy:29443/
    # ProxyPass / http://sleepy:28080/
    # ProxyPassReverse / http://sleepy:28080/

    ErrorLog "logs/tdsweb-https-error_log"
    CustomLog "logs/tdsweb-https-access_log" common
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/opt/apache/2.2.20/conf/dev.crt"
    SSLCertificateKeyFile "/opt/apache/2.2.20/conf/dev.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/opt/apache/2.2.20/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog "/opt/apache/2.2.20/logs/ssl_request_log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    Is port 28080 open on the firewall?

    --
    ...
    http://wiedergold.net/

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: 1&1 Internet AG (110:300/11@linuxnet)
  • From ian diddams@1:0/0 to All on Tue Jan 14 13:34:01 2014
    there is no firewall... it's the same server. apache connects to a jboss backend on the same server.

    and yes, I can telnet to the pertinent URL and port on the same server required.

    cheers

    ian

  • From ian diddams@1:0/0 to All on Wed Jan 15 15:21:19 2014
    FTR I gave up and used mod_jk/ajp. works a treat. *sigh*

    ian