httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "jeffmonte101 ." <jeffmonte...@gmail.com>
Subject Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends
Date Mon, 09 Mar 2015 04:22:25 GMT
Andy,

What do you see in error logs and proxy logs when you try to bring up the
web server?



On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.priv2@gmail.com> wrote:

>
> Hello Igor, and many thanks for your comment!
>
> I have followed your advice, but now the server refuses to start at all.
>
> So now I have in httpd.conf:
>
> ------------------------------------------------
> NameVirtualHost *:80
>
> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      ServerAlias appserver1.example.com appserver2.example.com
>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend
>      ProxyPassReverse / http://appserver1.backend
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend
>      ProxyPassReverse / http://appserver2.backend
> </VirtualHost>
>
> ------------------------------------------------------------------------
>
> And these uncommented lines in ssl.conf:
>
> -----------------------------------------------------------------------
>
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
> SSLPassPhraseDialog  builtin
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> <VirtualHost _default_:443>
> ServerName apachefrontend.example.com:443
>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
>
> <Directory "/var/www/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
>
> -----------------------------------------------------------------------------------
>
> [root@www conf]# apachectl -S
>
> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
> loaded, skipping
> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> _default_:8443         apachefrontend.example.com
> (/etc/httpd/conf.d/nss.conf:84)
> _default_:443          apachefrontend.example.com
> (/etc/httpd/conf.d/ssl.conf:74)
> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
> *:80                   is a NameVirtualHost
>          default server apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>          port 80 namevhost apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>                  alias appserver1.example.com
>                  alias appserver2.example.com
> Syntax OK
>
> .. and the server refuses to start at all..
>
> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
> names
> with ServerName does not help me tp get rid of the overlap on 443.  At
> most, I
> am receiving the missing SSL support errors for the backend servers (and I
> cannot add SSL support for them, they have to remain plain HTTP)..
>
> If you have any further ideas on what to try, please let me know.
>
> Thanks again and best regards - Andy.
>
>
>
> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>>
>> On 08/03/2015 10:01 AM, "A M" <amm.priv2@gmail.com> wrote:
>> >
>> >
>> > Hello experts,
>> >
>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>> > for a couple of plain backend HTTP servers sitting on a backend private
>> > network. The plaform is Centos 6, the Apache rpm is
>> httpd-2.2.15-39.el6.centos.
>> >
>> > I first created three DNS entries, all pointing to the same public IP:
>> >
>> >          apachefrontend.example.com
>> >          appserver1.example.com
>> >          appserver2.example.com
>> >
>> > I then generated the SSL cert and key for the frontend host and
>> verified that
>> > SSL config was correct (all settings and key/cert were defined inside
>> the file
>> > /etc/httpd/conf.d/ssl.conf). The URL "
>> https://apachefrontend.example.com"
>> > replied OK.
>> >
>> > I have then set up a forced redirection to port 443 on the mother
>> > server and defined two virtual hosts, in this manner:
>> >
>> > ..
>> > NameVirtualHost *:80
>> >
>>
>> First change this:
>>
>> > <VirtualHost *:80>
>> >      ServerName apachefrontend.example.com
>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>> > </VirtualHost>
>> >
>>
>> to:
>>
>> <VirtualHost *:80>
>>      ServerName apachefrontend.example.com
>>        ServerAlias appserver1.example.com appserver2.example.com
>>
>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> Then get rid of these two:
>>
>> > <VirtualHost *:80>
>> >      ServerName appserver1.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver1.backend/
>> >      ProxyPassReverse / http://appserver1.backend/
>> > </VirtualHost>
>> >
>> > <VirtualHost *:80>
>> >      ServerName appserver2.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver2.backend/
>> >      ProxyPassReverse / http://appserver2.backend/
>> > </VirtualHost>
>> > ..
>>
>> More specific convert them to ssl vhosts:
>>
>> <VirtualHost *:443>
>>      ServerName appserver1.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver1.backend/
>>      ProxyPassReverse / http://appserver1.backend/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver2.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver2.backend/
>>      ProxyPassReverse / http://appserver2.backend/
>> </VirtualHost>
>>
>> which will effectively do what you want which is terminate ssl on the
>> frontend.
>>
>> > Now,
>> >
>> > - If I go to "http://apachefrontend.example.com", I am
>> > correctly ending up at "https://apachefrontend.example.com";
>> >
>> > - If I go to "http://appserver1[2].example.com", I arrive to
>> > the backend servers allright, but only via the port 80.
>> >
>> > This behaviour is apparently correct, but so far I have not found
>> > the right configuration options needed  to enforce the secure
>> > connection to the backend servers via the reverse proxy (I may
>> > not enable SSL on the backend servers as they are running some
>> > privately managed applications and cannot be tweaked).
>> >
>> > Could someone kindly post an example of working configuration
>> > of the same type?
>> >
>> > Thanks ahead for any advice!
>> >
>> > Andy.
>> >
>> >
>> >
>>
>
>

Mime
View raw message