Apache proxy over port 443

Printable View

01-29-2012
Freston

Apache proxy over port 443

I want to be able to redirect http and https traffic coming in to my central server to different virtual servers.

I have a host (the central server) and four different guests. Each guest hosts a website for a different domain. Each domain name resolves to my host server from outside. And on my host I configured Apache to use VirtualHosts and ProxyPass (& ProxyPassReverse) to redirect requests for port 80 to the correct corresponding guest. This works correctly. Joy :D

But two of the domains also have ssl configured and are also listening on port 443. And here is where it goes wrong. I get ssl certificate errors, and I'm at a loss how to fix these.

Code:

NameVirtualHost 192.168.1.1:80 <VirtualHost 192.168.1.1:80> ServerName www.domain1.nl ProxyPreserveHost On ProxyPass / http://www.domain1.nl/ ProxyPassReverse / http://www.domain1.nl/ ErrorLog logs/domain1-error_log CustomLog logs/domain1-access_log combined </VirtualHost> <VirtualHost 192.168.1.1:80> ServerName www.domain2.net ProxyPreserveHost On ProxyPass / http://www.domain2.net/ ProxyPassReverse / http://www.domain2.net/ ErrorLog logs/domain2-error_log CustomLog logs/domain2-access_log combined </VirtualHost> <VirtualHost 192.168.1.1:80> ServerName www.domain3.org ProxyPreserveHost On ProxyPass / http://www.domain3.org/ ProxyPassReverse / http://www.domain3.org/ ErrorLog logs/domain3-error_log CustomLog logs/doman3-access_log combined </VirtualHost> NameVirtualHost 192.168.1.1:443 <VirtualHost 192.168.1.1:443> ServerName www.domain2.net ProxyPreserveHost On ProxyPass / https://www.domain2.net ProxyPassReverse / https://www.domain2.net ErrorLog logs/domain2-error_log CustomLog logs/domain2-access_log combined </VirtualHost> <VirtualHost 192.168.1.1:443> ServerName www.domain3.org ProxyPreserveHost On ProxyPass / https://www.domain3.org/ ProxyPassReverse / https://www.domain3.org/ ErrorLog logs/domain3-error_log CustomLog logs/domain3-access_log combined </VirtualHost>

As I said, the normal port 80 requests get routed to the correct server just the way I want them. But requests on port 443 lead to a:

Code:

ssl_error_rx_record_too_long

Now I tried some things I found on the internet such as adding:
SSLProxyEngine On
SSLProxyCheckPeerCN on
But this either had no effect or made matters worst.

Any thoughts?

_____
My stop-gap fix for now is to redirect port 443 traffic using iptables on the host and then it works correctly for one domain. But the downside of that is that I cannot choose between https://domain2 and https://domain3 based on url. In iptables it's either domain2 or domain3.
01-29-2012
amlife

hmmm I know this might sound silly, but what does the access and error logs says when you get ssl certificate erros
01-30-2012
Rubberman

Well, you say you get this error, "ssl_error_rx_record_too_long". Are you sure that only https requests are going to port 443? Anyway, I'll run this problem by some colleagues at work tomorrow who deal with this stuff all the time and see what they say.
01-30-2012
Freston

Quote:

Originally Posted by amlife

hmmm I know this might sound silly, but what does the access and error logs says when you get ssl certificate erros

Not silly at all. I should have mentioned. Below... (192.168.1.28 is my laptop)

On the host error log:

Code:

[Mon Jan 30 09:06:30 2012] [error] [client 192.168.1.28] invalid request-URI [Mon Jan 30 09:06:30 2012] [error] [client 192.168.1.28] Invalid URI in request \x16\x03\x01

On the host access log:

Code:

192.168.1.28 - - [30/Jan/2012:09:06:30 +0100] "\x16\x03\x01" 400 308 "-" "-"

On the guests, the logs are silent when https is requested, and http gets handled correctly.

Quote:

Originally Posted by Rubberman

Well, you say you get this error, "ssl_error_rx_record_too_long". Are you sure that only https requests are going to port 443?

I am rather sure, yes. Because http requests get handled correctly and this only happens for https. But, if I catch off port 443 traffic with iptables and forward it directly to either guest then the error disappears.
But then, only one of the guests works correctly of course and I have to choose which one in iptables on the host, whereas I want both guests to be reachable based on url like it works with http traffic.

I know the "ssl_error_rx_record_too_long" mainly from misconfigured VirtualHosts (the error message is a bit cryptic) and I've long fiddled with the settings on the host VirtualHost directives.

If I try this:

Code:

me@laptop# telnet 192.168.1.1 443 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. GET / <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>500 Internal Server Error</title> </head><body> <h1>Internal Server Error</h1> <p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p> <p>Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.</p> <p>More information about this error may be available in the server error log.</p> <hr> <address>Apache/2.2.15 (CentOS) Server at www.domain3.org Port 80</address> </body></html> Connection closed by foreign host.

Quote:

Originally Posted by Rubberman

Anyway, I'll run this problem by some colleagues at work tomorrow who deal with this stuff all the time and see what they say.

Oh if you would do that, cool!! I assume this 'problem' is just a misconfiguration on my part and could be bleedin' obvious to someone more experienced.