httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jérémie G <acesl...@gmail.com>
Subject Re: [users@httpd] reverse proxy with apache 1.3 and apache 2.2
Date Mon, 21 Dec 2009 16:13:00 GMT
After several tests, I have isolated the error and it's related to
mod_ssl : take the exact same configuration, the exact same customer
proxy server and remove any reverse proxy mechanism and ...

with debian sarge, apache-ssl 1.3.33-6sarge3, this is working :
Customer => Customer proxy => *Internet* => httpd 1.3.33 server (proto https)

with debian etch, apache -ssl 1.3.34-4.1+etch1, this is *not* working ;
Customer => Customer proxy => *Internet* => httpd 1.3.34 server (proto = https)

I really have no clue how to solve this, my configuration files are
exactly the same for both servers and it's working when there is no
proxy between the customer and Internet !

The vhost file for both server is very simple :
<VirtualHost *>
        DocumentRoot /var/www/testpage-ssl/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/testpage-ssl/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        LogLevel warn
        SSLCertificateFile    /etc/apache-ssl/ssl/ip.crt
        SSLCertificateKeyFile /etc/apache-ssl/ssl/ip.key
</VirtualHost>

This looks like a bug on the ssl implementation of httpd, a pretty big
one if there is no way to solve it as several of our customers have
the same issue, using different proxy software. I really can't believe
that this issue is not known.

Does any one know of a configuration tweak that solve this issue ?

Regards,
Jeremie



2009/12/21 Jérémie G <aceslash@gmail.com>:
> Hello,
>
> Unfortunately, there is no restriction of any sort on intra-8.lan. I
> can access the website with links2 on the proxy server and remember
> that when someone is browsing this proxy from Internet without a
> proxy, it's working. To clarify :
>
> This is working with apache 2.2 and apache 1.3 :
> Customer => *Internet* => httpd reverse proxy => intranet web server
>
> This is only working with apache 1.3 :
> Customer => Customer proxy server => *Internet* => httpd reverse proxy
> => Intranet web server
>
> Also remember that the httpd reverse proxy is serving https while the
> Intranet web server is serving http (reverse proxy http from http is
> working, but it's not an option for me).
>
> Regards,
> Jeremie
>
> 2009/12/21 Devraj Mukherjee <devraj@gmail.com>:
>> At first guess it seems like your server intra-8.lan is dropping
>> connections for the new server.
>>
>> Does intra-8.lan restrict connections from certain IPs?
>>
>> On Thu, Dec 17, 2009 at 11:54 PM, Jérémie G <aceslash@gmail.com> wrote:
>>> Hello,
>>>
>>> I have to migrate a working reverse proxy from apache-ssl
>>> 1.3.33-6sarge3 to apache2 2.2.9-10+lenny6 with ssl but I encounter a
>>> critical issue : when I try to access the website from behind a proxy,
>>> it's working with apache 1.3 but not with apache 2.2 (without proxy,
>>> it's working fine for both version).
>>>
>>> The error displayed in the error.log is : [error] (104)Connection
>>> reset by peer: proxy: prefetch request body failed to 192.168.20.8
>>> (intra-8.lan) from a.b.c.d ()
>>>
>>> Both server have IP address in the same subnet and have only this
>>> virtual host enabled.
>>>
>>> I have tried some tweak in the configuration but I'm clueless to find
>>> any parameter correcting this behavior. Bellow is the apache-ssl 1.3
>>> config vhost file :
>>> <VirtualHost *>
>>>        ServerName extranet.enterprise.com
>>>        ServerAdmin support@enterprise.com
>>>        SSLCertificateFile    /etc/apache-ssl/ssl/ip-13.crt
>>>        SSLCertificateKeyFile /etc/apache-ssl/ssl/ip-13.key
>>>        ProxyPass / http://intra-8.lan/
>>>        ProxyPassReverse / http://intra-8.lan/
>>> </VirtualHost>
>>>
>>> An here is the apache 2.2 config file :
>>> <IfModule mod_ssl.c>
>>> <VirtualHost xx.xx.xx.xx:443>
>>>        ServerName extranet-new.enterprise.com
>>>        ServerAdmin support@enterprise.com
>>>        SSLEngine On
>>>        SSLCertificateFile    /etc/apache2/ssl/ip-14.crt
>>>        SSLCertificateKeyFile /etc/apache2/ssl/ip-14.key
>>>        ProxyRequests Off
>>>        <Proxy *>
>>>                Order Deny,Allow
>>>                Allow from all
>>>        </Proxy>
>>>        ProxyPass / http://intra-8.lan/
>>>        ProxyPassReverse / http://intra-8.lan/
>>> </VirtualHost>
>>> </IfModule>
>>>
>>> I really need to migrate this website to the new server, any idea ?
>>>
>>> Jeremie
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>>
>> --
>> "The secret impresses no-one, the trick you use it for is everything"
>> - Alfred Borden (The Prestiege)
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message