httpd-users mailing list archives

From A M <amm.pr...@gmail.com>
Subject Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends
Date Mon, 09 Mar 2015 09:00:31 GMT
Hello Jeff,

this is what happens:

[root@www httpd]# service httpd start
Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is
already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already
loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded,
skipping
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
443, the first has precedence
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
443, the first has precedence
                                                           [FAILED]

And then there is only one line in the error log:

[Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no
certificate configured [Hint: SSLCertificateFile] ((null):0)

"apachectl configtest" gives me the same info as "apachectl -S".

Following the last advice of Igor, I assume that I'll have to generate two
other certificates, one for appserver1.example.com, and another - for
appserver2.example.com, and then add a reference to them in the
VirtualHost *443 definition for these two aliased servers.
Will try it later in the day..

Greetings - Andy.






On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <jeffmonte101@gmail.com>
wrote:

> Andy,
>
> What do you see in error logs and proxy logs when you try to bring up the
> web server?
>
>
>
> On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.priv2@gmail.com> wrote:
>
>>
>> Hello Igor, and many thanks for your comment!
>>
>> I have followed your advice, but now the server refuses to start at all.
>>
>> So now I have in httpd.conf:
>>
>> ------------------------------------------------
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>>      ServerName apachefrontend.example.com
>>      ServerAlias appserver1.example.com appserver2.example.com
>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver1.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver1.backend
>>      ProxyPassReverse / http://appserver1.backend
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver2.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver2.backend
>>      ProxyPassReverse / http://appserver2.backend
>> </VirtualHost>
>>
>> ------------------------------------------------------------------------
>>
>> And these uncommented lines in ssl.conf:
>>
>> -----------------------------------------------------------------------
>>
>> LoadModule ssl_module modules/mod_ssl.so
>> Listen 443
>> SSLPassPhraseDialog  builtin
>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>> SSLSessionCacheTimeout  300
>> SSLMutex default
>> SSLRandomSeed startup file:/dev/urandom  256
>> SSLRandomSeed connect builtin
>> SSLCryptoDevice builtin
>>
>> <VirtualHost _default_:443>
>> ServerName apachefrontend.example.com:443
>>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>     SSLOptions +StdEnvVars
>> </Files>
>>
>> <Directory "/var/www/cgi-bin">
>>     SSLOptions +StdEnvVars
>> </Directory>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>>          nokeepalive ssl-unclean-shutdown \
>>          downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>> </VirtualHost>
>>
>>
>> -----------------------------------------------------------------------------------
>>
>> [root@www conf]# apachectl -S
>>
>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
>> loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
>> loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
>> skipping
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> VirtualHost configuration:
>> wildcard NameVirtualHosts and _default_ servers:
>> _default_:8443         apachefrontend.example.com
>> (/etc/httpd/conf.d/nss.conf:84)
>> _default_:443          apachefrontend.example.com
>> (/etc/httpd/conf.d/ssl.conf:74)
>> *:443                  appserver1.backend
>> (/etc/httpd/conf/httpd.conf:1034)
>> *:443                  appserver2.backend
>> (/etc/httpd/conf/httpd.conf:1041)
>> *:80                   is a NameVirtualHost
>>          default server apachefrontend.example.com
>> (/etc/httpd/conf/httpd.conf:1028)
>>          port 80 namevhost apachefrontend.example.com
>> (/etc/httpd/conf/httpd.conf:1028)
>>                  alias appserver1.example.com
>>                  alias appserver2.example.com
>> Syntax OK
>>
>> .. and the server refuses to start at all..
>>
>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
>> names with ServerName does not help me to get rid of the overlap on 443.
>> At most, I am receiving the missing SSL support errors for the backend
>> servers (and I cannot add SSL support for them, they have to remain
>> plain HTTP)..
>>
>> If you have any further ideas on what to try, please let me know.
>>
>> Thanks again and best regards - Andy.
>>
>>
>>
>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>>
>>>
>>> On 08/03/2015 10:01 AM, "A M" <amm.priv2@gmail.com> wrote:
>>> >
>>> >
>>> > Hello experts,
>>> >
>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>>> > for a couple of plain backend HTTP servers sitting on a backend private
>>> > network. The platform is Centos 6, the Apache rpm is
>>> > httpd-2.2.15-39.el6.centos.
>>> >
>>> > I first created three DNS entries, all pointing to the same public IP:
>>> >
>>> >          apachefrontend.example.com
>>> >          appserver1.example.com
>>> >          appserver2.example.com
>>> >
>>> > I then generated the SSL cert and key for the frontend host and verified
>>> > that SSL config was correct (all settings and key/cert were defined inside
>>> > the file /etc/httpd/conf.d/ssl.conf). The URL
>>> > "https://apachefrontend.example.com" replied OK.
>>> >
>>> > I have then set up a forced redirection to port 443 on the mother
>>> > server and defined two virtual hosts, in this manner:
>>> >
>>> > ..
>>> > NameVirtualHost *:80
>>> >
>>>
>>> First change this:
>>>
>>> > <VirtualHost *:80>
>>> >      ServerName apachefrontend.example.com
>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>>> > </VirtualHost>
>>> >
>>>
>>> to:
>>>
>>> <VirtualHost *:80>
>>>      ServerName apachefrontend.example.com
>>>        ServerAlias appserver1.example.com appserver2.example.com
>>>
>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>>> </VirtualHost>
>>>
>>> Then get rid of these two:
>>>
>>> > <VirtualHost *:80>
>>> >      ServerName appserver1.example.com
>>> >      ProxyRequests Off
>>> >      ProxyPass / http://appserver1.backend/
>>> >      ProxyPassReverse / http://appserver1.backend/
>>> > </VirtualHost>
>>> >
>>> > <VirtualHost *:80>
>>> >      ServerName appserver2.example.com
>>> >      ProxyRequests Off
>>> >      ProxyPass / http://appserver2.backend/
>>> >      ProxyPassReverse / http://appserver2.backend/
>>> > </VirtualHost>
>>> > ..
>>>
>>> More specifically, convert them to ssl vhosts:
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver1.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver1.backend/
>>>      ProxyPassReverse / http://appserver1.backend/
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver2.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver2.backend/
>>>      ProxyPassReverse / http://appserver2.backend/
>>> </VirtualHost>
>>>
>>> which will effectively do what you want which is terminate ssl on the
>>> frontend.
>>>
>>> > Now,
>>> >
>>> > - If I go to "http://apachefrontend.example.com", I am
>>> > correctly ending up at "https://apachefrontend.example.com";
>>> >
>>> > - If I go to "http://appserver1[2].example.com", I arrive at
>>> > the backend servers all right, but only via the port 80.
>>> >
>>> > This behaviour is apparently correct, but so far I have not found
>>> > the right configuration options needed  to enforce the secure
>>> > connection to the backend servers via the reverse proxy (I may
>>> > not enable SSL on the backend servers as they are running some
>>> > privately managed applications and cannot be tweaked).
>>> >
>>> > Could someone kindly post an example of working configuration
>>> > of the same type?
>>> >
>>> > Thanks ahead for any advice!
>>> >
>>> > Andy.
>>> >
>>> >
>>> >
>>>
>>
>>
>
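
A check for the situation in this thread, added here as an example and not part of any poster's message: it parses `<VirtualHost>` blocks and reports port-443 vhosts that lack `SSLEngine on` or `SSLCertificateFile` (the directive the error log hints at), plus a mix of `_default_:443` and `*:443` address specs. `SAMPLE_CONF` is a constructed, trimmed copy of the configuration quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the vhosts quoted in this thread.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName appserver1.example.com
    ProxyPass / http://appserver1.backend
</VirtualHost>
<VirtualHost *:443>
    ServerName appserver2.example.com
    ProxyPass / http://appserver2.backend
</VirtualHost>
<VirtualHost _default_:443>
    ServerName apachefrontend.example.com:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return (address spec, {lowercased directive: value}) per <VirtualHost>."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if not parts or parts[0][0] in "#<":
                continue  # skip blanks, comments and nested section tags
            directives.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
        vhosts.append((addr.strip(), directives))
    return vhosts

def audit_tls_vhosts(conf, port="443"):
    """Return (ServerName, problem) findings for vhosts bound to the TLS port."""
    tls = [(a, d) for a, d in parse_vhosts(conf) if a.rsplit(":", 1)[-1] == port]
    findings = []
    for _, d in tls:
        name = d.get("servername", "<no ServerName>")
        if d.get("sslengine", "").lower() != "on":
            findings.append((name, "SSLEngine is not on"))
        if "sslcertificatefile" not in d:
            findings.append((name, "no SSLCertificateFile"))
    specs = sorted({a for a, _ in tls})
    if len(specs) > 1:
        findings.append(("*", "mixed address specs: " + ", ".join(specs)))
    return findings

if __name__ == "__main__":
    for name, problem in audit_tls_vhosts(SAMPLE_CONF):
        print(f"{name}: {problem}")
```

The parser does not follow `Include` directives or backslash line continuations, so run it on each file that `apachectl -S` lists for port 443.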
