httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From 吴昊 <wu...@7500.com.cn>
Subject [users@httpd] 答复: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends
Date Tue, 10 Mar 2015 01:32:27 GMT
Hello experts,

pls correct me if im wrong. Im still a noob on apache http

I think the main reason causing vhost overlap on port 443 error is that ssl vhost is ip-based
if you don’t enabled sni (means no --with-ssl during compile) that makes you have to use
different ip or port on each and every ssl vhosts. and these two ssl cconfig in httpd.conf,
you have to add SSLCertificateFile SSLCertificateKeyFile and maybe need another certificate
chin directive. You cannot use mod_ssl without certificates

about the name-base ssl: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Tks & b.rgds
--
Chris

发件人: Igor Cicimov [mailto:icicimov@gmail.com]
发送时间: Monday, March 09, 2015 5:56 PM
收件人: users
主题: Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and
several HTTP backends


On 09/03/2015 8:01 PM, "A M" <amm.priv2@gmail.com<mailto:amm.priv2@gmail.com>>
wrote:
>
>
> Hello Jeff,
>
> this is what happens:
>
> [root@www httpd]# service httpd start
> Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded,
skipping
> [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first
has precedence
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first
has precedence
>                                                            [FAILED]
>

First looks like you have same configuration included twice somewhere.

> And then there is only one line in the error log:
>
> [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate
configured [Hint: SSLCertificateFile] ((null):0)
>
> "apachectl configtest" gives me the same infos as "apachectl -S".
>
> Following the last advice of Igor, I assume that I'll have to generate two other certificates,
> one for appserver1.example.com<http://appserver1.example.com>, and another - for
appserver2.example.com<http://appserver2.example.com>, and then

Or use the same certificate if you were clever enough to generate a wild card one ie *.example.com<http://example.com>
since you need to front multiple subdomains of the same domain ;-)

> add a reference to them in the VirtualHost *443 definition for these two aliased servers.

Correct, also please refer to the ssl vhost section on the apache web site so you fully understand
the subject. It's also recommended you make your self familiar with SNI.

> Will try it later in the day..
>
> Greetings - Andy.
>
>
>
>
>
>
> On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <jeffmonte101@gmail.com<mailto:jeffmonte101@gmail.com>>
wrote:
>>
>> Andy,
>>
>> What do you see in error logs and proxy logs when you try to bring up the web server?
>>
>>
>>
>> On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.priv2@gmail.com<mailto:amm.priv2@gmail.com>>
wrote:
>>>
>>>
>>> Hello Igor, and many thanks for your comment!
>>>
>>> I have followed your advice, but now the server refuses to start at all.
>>>
>>> So now I have in httpd.conf:
>>>
>>> ------------------------------------------------
>>> NameVirtualHost *:80
>>>
>>> <VirtualHost *:80>
>>>      ServerName apachefrontend.example.com<http://apachefrontend.example.com>
>>>      ServerAlias appserver1.example.com<http://appserver1.example.com>
appserver2.example.com<http://appserver2.example.com>
>>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1<https://%25%7bHTTP_HOST%7d/$1>
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver1.example.com<http://appserver1.example.com>
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver1.backend
>>>      ProxyPassReverse / http://appserver1.backend
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver2.example.com<http://appserver2.example.com>
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver2.backend
>>>      ProxyPassReverse / http://appserver2.backend
>>> </VirtualHost>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> And these uncommented lines in ssl.conf:
>>>
>>> -----------------------------------------------------------------------
>>>
>>> LoadModule ssl_module modules/mod_ssl.so
>>> Listen 443
>>> SSLPassPhraseDialog  builtin
>>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>>> SSLSessionCacheTimeout  300
>>> SSLMutex default
>>> SSLRandomSeed startup file:/dev/urandom  256
>>> SSLRandomSeed connect builtin
>>> SSLCryptoDevice builtin
>>>
>>> <VirtualHost _default_:443>
>>> ServerName apachefrontend.example.com:443<http://apachefrontend.example.com:443>
>>>
>>> ErrorLog logs/ssl_error_log
>>> TransferLog logs/ssl_access_log
>>> LogLevel warn
>>>
>>> SSLEngine on
>>> SSLProtocol all -SSLv2 -SSLv3
>>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>>
>>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>>     SSLOptions +StdEnvVars
>>> </Files>
>>>
>>> <Directory "/var/www/cgi-bin">
>>>     SSLOptions +StdEnvVars
>>> </Directory>
>>>
>>> SetEnvIf User-Agent ".*MSIE.*" \
>>>          nokeepalive ssl-unclean-shutdown \
>>>          downgrade-1.0 force-response-1.0
>>>
>>> CustomLog logs/ssl_request_log \
>>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>
>>> </VirtualHost>
>>>
>>> -----------------------------------------------------------------------------------
>>>
>>> [root@www conf]# apachectl -S
>>>
>>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded,
skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443,
the first has precedence
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443,
the first has precedence
>>> VirtualHost configuration:
>>> wildcard NameVirtualHosts and _default_ servers:
>>> _default_:8443         apachefrontend.example.com<http://apachefrontend.example.com>
(/etc/httpd/conf.d/nss.conf:84)
>>> _default_:443          apachefrontend.example.com<http://apachefrontend.example.com>
(/etc/httpd/conf.d/ssl.conf:74)
>>> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
>>> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
>>> *:80                   is a NameVirtualHost
>>>          default server apachefrontend.example.com<http://apachefrontend.example.com>
(/etc/httpd/conf/httpd.conf:1028)
>>>          port 80 namevhost apachefrontend.example.com<http://apachefrontend.example.com>
(/etc/httpd/conf/httpd.conf:1028)
>>>                  alias appserver1.example.com<http://appserver1.example.com>
>>>                  alias appserver2.example.com<http://appserver2.example.com>
>>> Syntax OK
>>>
>>> .. and the server refuses to start at all..
>>>
>>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server names
>>> with ServerName does not help me tp get rid of the overlap on 443.  At most,
I
>>> am receiving the missing SSL support errors for the backend servers (and I
>>> cannot add SSL support for them, they have to remain plain HTTP)..
>>>
>>> If you have any further ideas on what to try, please let me know.
>>>
>>> Thanks again and best regards - Andy.
>>>
>>>
>>>
>>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icicimov@gmail.com<mailto:icicimov@gmail.com>>
wrote:
>>>>
>>>>
>>>> On 08/03/2015 10:01 AM, "A M" <amm.priv2@gmail.com<mailto:amm.priv2@gmail.com>>
wrote:
>>>> >
>>>> >
>>>> > Hello experts,
>>>> >
>>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>>>> > for a couple of plain backend HTTP servers sitting on a backend private
>>>> > network. The plaform is Centos 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>>>> >
>>>> > I first created three DNS entries, all pointing to the same public IP:
>>>> >
>>>> >          apachefrontend.example.com<http://apachefrontend.example.com>
>>>> >          appserver1.example.com<http://appserver1.example.com>
>>>> >          appserver2.example.com<http://appserver2.example.com>
>>>> >
>>>> > I then generated the SSL cert and key for the frontend host and verified
that
>>>> > SSL config was correct (all settings and key/cert were defined inside
the file
>>>> > /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
>>>> > replied OK.
>>>> >
>>>> > I have then set up a forced redirection to port 443 on the mother
>>>> > server and defined two virtual hosts, in this manner:
>>>> >
>>>> > ..
>>>> > NameVirtualHost *:80
>>>> >
>>>>
>>>> First change this:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName apachefrontend.example.com<http://apachefrontend.example.com>
>>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>>>> > </VirtualHost>
>>>> >
>>>>
>>>> to:
>>>>
>>>> <VirtualHost *:80>
>>>>      ServerName apachefrontend.example.com<http://apachefrontend.example.com>
>>>>        ServerAlias appserver1.example.com<http://appserver1.example.com>
appserver2.example.com<http://appserver2.example.com>
>>>>
>>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1<https://%25%7bHTTP_HOST%7d/$1>
>>>> </VirtualHost>
>>>>
>>>> Then get rid of these two:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver1.example.com<http://appserver1.example.com>
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver1.backend/
>>>> >      ProxyPassReverse / http://appserver1.backend/
>>>> > </VirtualHost>
>>>> >
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver2.example.com<http://appserver2.example.com>
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver2.backend/
>>>> >      ProxyPassReverse / http://appserver2.backend/
>>>> > </VirtualHost>
>>>> > ..
>>>>
>>>> More specific convert them to ssl vhosts:
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver1.example.com<http://appserver1.example.com>
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver1.backend/
>>>>      ProxyPassReverse / http://appserver1.backend/
>>>> </VirtualHost>
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver2.example.com<http://appserver2.example.com>
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver2.backend/
>>>>      ProxyPassReverse / http://appserver2.backend/
>>>> </VirtualHost>
>>>>
>>>> which will effectively do what you want which is terminate ssl on the frontend.
>>>>
>>>> > Now,
>>>> >
>>>> > - If I go to "http://apachefrontend.example.com", I am
>>>> > correctly ending up at "https://apachefrontend.example.com";
>>>> >
>>>> > - If I go to "http://appserver1[2].example.com<http://example.com>",
I arrive to
>>>> > the backend servers allright, but only via the port 80.
>>>> >
>>>> > This behaviour is apparently correct, but so far I have not found
>>>> > the right configuration options needed  to enforce the secure
>>>> > connection to the backend servers via the reverse proxy (I may
>>>> > not enable SSL on the backend servers as they are running some
>>>> > privately managed applications and cannot be tweaked).
>>>> >
>>>> > Could someone kindly post an example of working configuration
>>>> > of the same type?
>>>> >
>>>> > Thanks ahead for any advice!
>>>> >
>>>> > Andy.
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>
Mime
View raw message