  1. #1
    Freston (Linux Engineer) | Join Date: Mar 2007 | Location: The Netherlands | Posts: 1,049

    Apache proxy over port 443


    I want to be able to redirect http and https traffic coming in to my central server to different virtual servers.

    I have a host (the central server) and four different guests. Each guest hosts a website for a different domain. Each domain name resolves to my host server from outside. And on my host I configured Apache to use VirtualHosts and ProxyPass (& ProxyPassReverse) to redirect requests for port 80 to the correct corresponding guest. This works correctly. Joy

    But two of the domains also have ssl configured and are also listening on port 443. And here is where it goes wrong. I get ssl certificate errors, and I'm at a loss how to fix these.


    Code:
    NameVirtualHost 192.168.1.1:80
    <VirtualHost 192.168.1.1:80>
        ServerName www.domain1.nl
        ProxyPreserveHost On
        ProxyPass / http://www.domain1.nl/
        ProxyPassReverse / http://www.domain1.nl/
        ErrorLog logs/domain1-error_log
        CustomLog logs/domain1-access_log combined
    </VirtualHost>
    <VirtualHost 192.168.1.1:80>
        ServerName www.domain2.net
        ProxyPreserveHost On
        ProxyPass / http://www.domain2.net/
        ProxyPassReverse / http://www.domain2.net/
        ErrorLog logs/domain2-error_log
        CustomLog logs/domain2-access_log combined
    </VirtualHost>
    <VirtualHost 192.168.1.1:80>
        ServerName www.domain3.org
        ProxyPreserveHost On
        ProxyPass / http://www.domain3.org/
        ProxyPassReverse / http://www.domain3.org/
        ErrorLog logs/domain3-error_log
        CustomLog logs/doman3-access_log combined
    </VirtualHost>

    NameVirtualHost 192.168.1.1:443
    <VirtualHost 192.168.1.1:443>
        ServerName www.domain2.net
        ProxyPreserveHost On
        ProxyPass / https://www.domain2.net
        ProxyPassReverse / https://www.domain2.net
        ErrorLog logs/domain2-error_log
        CustomLog logs/domain2-access_log combined
    </VirtualHost>
    <VirtualHost 192.168.1.1:443>
        ServerName www.domain3.org
        ProxyPreserveHost On
        ProxyPass / https://www.domain3.org/
        ProxyPassReverse / https://www.domain3.org/
        ErrorLog logs/domain3-error_log
        CustomLog logs/domain3-access_log combined
    </VirtualHost>

    As I said, the normal port 80 requests get routed to the correct server just the way I want them. But requests on port 443 lead to a:
    Code:
    ssl_error_rx_record_too_long
    Now I tried some things I found on the internet such as adding:
    SSLProxyEngine On
    SSLProxyCheckPeerCN on
    But this either had no effect or made matters worse.

    Any thoughts?


    _____
    My stop-gap fix for now is to redirect port 443 traffic using iptables on the host and then it works correctly for one domain. But the downside of that is that I cannot choose between https://domain2 and https://domain3 based on url. In iptables it's either domain2 or domain3.
    Can't tell an OS by its GUI

  2. #2
    Just Joined! | Join Date: Aug 2009 | Location: Toronto | Posts: 34
    hmmm I know this might sound silly, but what do the access and error logs say when you get ssl certificate errors?

  3. #3
    Rubberman (Linux Guru) | Join Date: Apr 2009 | Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away. | Posts: 11,517
    Well, you say you get this error, "ssl_error_rx_record_too_long". Are you sure that only https requests are going to port 443? Anyway, I'll run this problem by some colleagues at work tomorrow who deal with this stuff all the time and see what they say.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  4. #4
    Freston (Linux Engineer) | Join Date: Mar 2007 | Location: The Netherlands | Posts: 1,049
    Quote Originally Posted by amlife
    hmmm I know this might sound silly, but what do the access and error logs say when you get ssl certificate errors?
    Not silly at all. I should have mentioned. Below... (192.168.1.28 is my laptop)

    On the host error log:
    Code:
    [Mon Jan 30 09:06:30 2012] [error] [client 192.168.1.28] invalid request-URI
    [Mon Jan 30 09:06:30 2012] [error] [client 192.168.1.28] Invalid URI in request \x16\x03\x01
    On the host access log:
    Code:
    192.168.1.28 - - [30/Jan/2012:09:06:30 +0100] "\x16\x03\x01" 400 308 "-" "-"
    On the guests, the logs are silent when https is requested, and http gets handled correctly.



    Quote Originally Posted by Rubberman
    Well, you say you get this error, "ssl_error_rx_record_too_long". Are you sure that only https requests are going to port 443?
    I am rather sure, yes. Because http requests get handled correctly and this only happens for https. But, if I catch off port 443 traffic with iptables and forward it directly to either guest then the error disappears.
    But then, only one of the guests works correctly of course and I have to choose which one in iptables on the host, whereas I want both guests to be reachable based on url like it works with http traffic.

    I know the "ssl_error_rx_record_too_long" mainly from misconfigured VirtualHosts (the error message is a bit cryptic) and I've long fiddled with the settings on the host VirtualHost directives.



    If I try this:
    Code:
    me@laptop# telnet 192.168.1.1 443
    Trying 192.168.1.1...
    Connected to 192.168.1.1.
    Escape character is '^]'.
    GET /
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Internal Server Error</h1>
    <p>The server encountered an internal error or
    misconfiguration and was unable to complete
    your request.</p>
    <p>Please contact the server administrator,
     root@localhost and inform them of the time the error occurred,
    and anything you might have done that may have
    caused the error.</p>
    <p>More information about this error may be available
    in the server error log.</p>
    <hr>
    <address>Apache/2.2.15 (CentOS) Server at www.domain3.org Port 80</address>
    </body></html>
    Connection closed by foreign host.
    Quote Originally Posted by Rubberman
    Anyway, I'll run this problem by some colleagues at work tomorrow who deal with this stuff all the time and see what they say.
    Oh if you would do that, cool!! I assume this 'problem' is just a misconfiguration on my part and could be bleedin' obvious to someone more experienced.
    Can't tell an OS by its GUI
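
The `\x16\x03\x01` request in the logs quoted above is the start of a TLS record (content type 0x16 = handshake, record version 3.1 = TLS 1.0), meaning the port 443 listener read a TLS handshake as plain HTTP. The following Python is an added example, not part of the thread: it flags such entries in an Apache access log. The function names are illustrative and the second sample line is constructed.

```python
import re

# Combined-log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3})')
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\(.)')
SIMPLE = {"n": b"\n", "r": b"\r", "t": b"\t", '"': b'"', "\\": b"\\"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def unescape(field):
    """Turn Apache's \\xhh log escapes back into the raw request bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(field):
        out += field[pos:m.start()].encode("latin-1", "replace")
        if m.group(1):
            out.append(int(m.group(1), 16))
        else:
            out += SIMPLE.get(m.group(2), m.group(2).encode("latin-1", "replace"))
        pos = m.end()
    out += field[pos:].encode("latin-1", "replace")
    return bytes(out)


def tls_handshake_version(raw):
    """Return the record-layer version name if raw starts a TLS handshake record."""
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return TLS_VERSIONS.get(raw[2], "TLS (minor %d)" % raw[2])
    return None


def tls_on_plain_http(lines):
    """List (client, time, version) for requests that were really TLS handshakes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        version = tls_handshake_version(unescape(m.group(3)))
        if version:
            hits.append((m.group(1), m.group(2), version))
    return hits


# First line is the access-log entry quoted in the thread; the second is constructed.
SAMPLE = [
    r'192.168.1.28 - - [30/Jan/2012:09:06:30 +0100] "\x16\x03\x01" 400 308 "-" "-"',
    r'192.168.1.28 - - [30/Jan/2012:09:07:02 +0100] "GET / HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for client, when, version in tls_on_plain_http(SAMPLE):
        print("%s at %s: %s handshake sent to a plain-HTTP listener" % (client, when, version))
```

A hit on a port 443 virtual host indicates that the vhost is not terminating TLS itself, which matches the telnet output above where the port 443 listener answers a plaintext `GET /` and reports "Port 80".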
