httpd-users mailing list archives

From "Rose, John B" <jbr...@utk.edu>
Subject Re: [users@httpd] SSL not working for ServerAlias through load balancer
Date Wed, 13 May 2015 18:46:39 GMT

That was a typo. We are using *:443

This is what I perceive to be the significant part of the error_log file
with LogLevel debug. No entries in either of the ssl log files ...

[Wed May 13 11:13:17.158332 2015] [ssl:debug] [pid x:tid x]
ssl_engine_kernel.c(224): [client x] AH02034: Initial (No.1) HTTPS request
received for child 70 (server baseserver.abc.com:443)
[Wed May 13 11:13:17.158412 2015] [authz_core:debug] [pid 31858:tid
140398848632576] mod_authz_core.c(809): [client 10.254.79.196:59301]
AH01626: authorization result of Require all granted: granted
.
.
[Wed May 13 11:13:17.158486 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(124): [client x] AH01060: set r->filename to
proxy:fcgi://127.0.0.1:9000/www/docs//index.php
[Wed May 13 11:13:17.158512 2015] [proxy:debug] [pid x:tid x]
mod_proxy.c(1117): [client x] AH01143: Running scheme fcgi handler
(attempt 0)
[Wed May 13 11:13:17.158518 2015] [proxy_ajp:debug] [pid x:tid x]
mod_proxy_ajp.c(713): [client x] AH00894: declining URL
fcgi://127.0.0.1:9000/www/docs//index.php
[Wed May 13 11:13:17.158522 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(948): [client x] AH01076: url:
fcgi://127.0.0.1:9000/www/docs//index.php proxyname: (null) proxyport: 0
[Wed May 13 11:13:17.158527 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(955): [client x] AH01078: serving URL
fcgi://127.0.0.1:9000/www//index.php
[Wed May 13 11:13:17.158533 2015] [proxy:debug] [pid 31858:tid
140398848632576] proxy_util.c(2200): AH00942: FCGI: has acquired
connection for (127.0.0.1)
[Wed May 13 11:13:17.158538 2015] [proxy:debug] [pid x:tid x]
proxy_util.c(2253): [client x] AH00944: connecting
fcgi://127.0.0.1:9000/www/docs//index.php to 127.0.0.1:9000
[Wed May 13 11:13:17.158545 2015] [proxy:debug] [pid 31858:tid x]
proxy_util.c(2419): [client x] AH00947: connected /www/docs//index.php to
127.0.0.1:9000
[Wed May 13 11:13:17.160089 2015] [proxy:debug] [pid 31858:tid x]
proxy_util.c(2215): AH00943: FCGI: has released connection for (127.0.0.1)
[Wed May 13 11:13:17.162875 2015] [ssl:debug] [pid x:tid x]
ssl_engine_io.c(992): [client x] AH02001: Connection closed to child 70
with standard shutdown (server baseserver.abc.com:443)





On 5/12/15 5:52 PM, "Yann Ylavic" <ylavic.dev@gmail.com> wrote:

>You should then see "activity" with LogLevel debug, where does this lead?
>
>(Note regarding *:443, you indicated *.443 -with a dot- in the
>original message, was that a typo?)
>
>On Tue, May 12, 2015 at 11:32 PM, Rose, John B <jbrose@utk.edu> wrote:
>> We checked netstat -an while attempting the https thru the browser. It
>> seems to be getting to the server.
>>
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:35948     TIME_WAIT
>> tcp        0      0 xxx.xxx.xxx.xxx:443       yyy.yyy.yyy.yyy:36375     FIN_WAIT2
>> Etc.
>>
>>
>> On 5/12/15 5:13 PM, "Yann Ylavic" <ylavic.dev@gmail.com> wrote:
>>
>>>Can't it be that the LB does not let the connection pass through?
>>>If the LB is not an SSL end point, it may block based on the Server
>>>Name Indication (SNI)?
>>>On the httpd side, maybe you could look at the network level if the
>>>connection with the client is established (netstat, tcpdump, ...).
>>>
>>>On Tue, May 12, 2015 at 11:02 PM, Rose, John B <jbrose@utk.edu> wrote:
>>>> It is not generating an entry in the Apache log files. Unless we have
>>>> missed it. But we believe we have looked thru them thoroughly.
>>>>
>>>> On 5/12/15 4:01 PM, "Yann Ylavic" <ylavic.dev@gmail.com> wrote:
>>>>
>>>>>Can you see the connection arrive, somehow timeout, and finally be
>>>>>logged on the Apache server?
>>>>>
>>>>>On Tue, May 12, 2015 at 9:53 PM, Rose, John B <jbrose@utk.edu> wrote:
>>>>>> Yann
>>>>>>
>>>>>> All efforts appreciated.
>>>>>>
>>>>>> First.abc.com goes thru a load balancer
>>>>>>
>>>>>> http://first.abc.com
>>>>>>
>>>>>> Works fine.
>>>>>>
>>>>>> https://first.abc.com
>>>>>>
>>>>>> does not
>>>>>>
>>>>>> If I understand your question correctly.
>>>>>>
>>>>>> John
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 5/12/15 3:40 PM, "Yann Ylavic" <ylavic.dev@gmail.com> wrote:
>>>>>>
>>>>>>>Probably a silly question, but, is first.abc.com accessible (dns,
>>>>>>>route, ...) from the client host?
>>>>>>>
>>>>>>>Regards,
>>>>>>>Yann.
>>>>>>>
>>>>>>>On Tue, May 12, 2015 at 9:12 PM, Rose, John B <jbrose@utk.edu> wrote:
>>>>>>>> We gave that a try based on your recommendation, but it did not change
>>>>>>>> the result.
>>>>>>>>
>>>>>>>> We are still looking for an answer.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On 5/12/15 12:03 PM, "Jack Swan" <john.swan@oracle.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>Occasionally we've had the spinning connecting problem here during some
>>>>>>>>>of our development.
>>>>>>>>>You might try clearing/deleting any certificates for that particular host
>>>>>>>>>in Firefox.
>>>>>>>>>
>>>>>>>>>Tools->Options - Advanced.  Select View Certificates and delete/distrust
>>>>>>>>>the certs for that host.
>>>>>>>>>
>>>>>>>>>Maybe that'll work.  It did for us.
>>>>>>>>>
>>>>>>>>>----- Original Message -----
>>>>>>>>>From: jbrose@utk.edu
>>>>>>>>>To: users@httpd.apache.org
>>>>>>>>>Sent: Tuesday, May 12, 2015 11:47:24 AM GMT -05:00 US/Canada Eastern
>>>>>>>>>Subject: Re: [users@httpd] SSL not working for ServerAlias through load balancer
>>>>>>>>>
>>>>>>>>>In Firefox we get the spinning "Connecting..." indicator in the tab, and it
>>>>>>>>>never advances any further.
>>>>>>>>>
>>>>>>>>>On 5/12/15 11:27 AM, "Rich Bowen" <rbowen@rcbowen.com> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>On 05/12/2015 10:40 AM, Rose, John B wrote:
>>>>>>>>>>> Red Hat 7 Apache 2.4
>>>>>>>>>>>
>>>>>>>>>>> We are using name based virtual hosts SSL configuration.
>>>>>>>>>>>
>>>>>>>>>>> Which is working except not for one of our ServerAlias that goes thru a
>>>>>>>>>>> load balancer
>>>>>>>>>>>
>>>>>>>>>>> Not using SSL works fine. We can access all these via the browser ...
>>>>>>>>>>>
>>>>>>>>>>> http://baseserver.sub.abc.com
>>>>>>>>>>> http://first.sub.abc.com
>>>>>>>>>>> http://first.abc.com
>>>>>>>>>>>
>>>>>>>>>>> Using SSL we can go to these successfully ...
>>>>>>>>>>>
>>>>>>>>>>> https://baseserver.sub.abc.com
>>>>>>>>>>> https://First.sub.abc.com
>>>>>>>>>>>
>>>>>>>>>>> But not this ...
>>>>>>>>>>>
>>>>>>>>>>> https://first.abc.com
>>>>>>>>>>>
>>>>>>>>>>> Here is our config ...
>>>>>>>>>>>
>>>>>>>>>>> Have tried these ..
>>>>>>>>>>> <VirtualHost *.443>
>>>>>>>>>>>        and
>>>>>>>>>>> <VirtualHost first.sub.abc.com:443>
>>>>>>>>>>>        and
>>>>>>>>>>> <VirtualHost first.abc.com:443>
>>>>>>>>>>>
>>>>>>>>>>>      ServerName baseserver.sub.abc.com
>>>>>>>>>>>      ServerAlias first.sub.abc.com
>>>>>>>>>>>      ServerAlias first.abc.com
>>>>>>>>>>>
>>>>>>>>>>>      SSLEngine on
>>>>>>>>>>>      DocumentRoot "/www/docs"
>>>>>>>>>>>
>>>>>>>>>>>    <Directory "/www/docs">
>>>>>>>>>>>      ...
>>>>>>>>>>>    </Directory>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/www/docs/
>>>>>>>>>>>    DirectoryIndex index.php index.html
>>>>>>>>>>>
>>>>>>>>>>> SSL Certificate stuff ...
>>>>>>>>>>>
>>>>>>>>>>> </VirtualHost>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Any suggestions why the Load Balanced SSL ServerAlias,
>>>>>>>>>>> https://first.abc.com, is not working?
>>>>>>>>>>
>>>>>>>>>>Can you elaborate on "not working"? What exactly happens?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>--
>>>>>>>>>>Rich Bowen - rbowen@rcbowen.com - @rbowen
>>>>>>>>>>http://apachecon.com/ - @apachecon
>>>>>>>>>>
>>>>>>>>>>---------------------------------------------------------------------
>>>>>>>>>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>>>>>>>>>For additional commands, e-mail: users-help@httpd.apache.org
>>>>>>>>>>
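An added example, not part of the original thread: a Python parser that rejoins the mail-wrapped error_log entries shown in the message and reports which AH codes were logged and which `(server ...)` name mod_ssl recorded, to confirm that an HTTPS request reached httpd and was closed cleanly. The function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample modelled on the excerpt in the message; mail line wraps kept.
SAMPLE_LOG = """\
[Wed May 13 11:13:17.158332 2015] [ssl:debug] [pid x:tid x]
ssl_engine_kernel.c(224): [client x] AH02034: Initial (No.1) HTTPS request
received for child 70 (server baseserver.abc.com:443)
[Wed May 13 11:13:17.158527 2015] [proxy_fcgi:debug] [pid x:tid x]
mod_proxy_fcgi.c(955): [client x] AH01078: serving URL
fcgi://127.0.0.1:9000/www//index.php
[Wed May 13 11:13:17.162875 2015] [ssl:debug] [pid x:tid x]
ssl_engine_io.c(992): [client x] AH02001: Connection closed to child 70
with standard shutdown (server baseserver.abc.com:443)
"""

ENTRY_START = re.compile(r"^\[\w{3} \w{3} +\d+ [\d:.]+ \d{4}\] \[")
ENTRY = re.compile(r"^\[(?P<time>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\].*?"
                   r"(?P<code>AH\d{5}): (?P<msg>.*)$")
SERVER = re.compile(r"\(server (?P<vhost>[^)\s]+)\)")

def unwrap(text):
    """Rejoin wrapped lines: a new entry starts only at a '[Day Mon ...] [' stamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":          # skip blanks and the poster's elision dots
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):
    """Return ordered (module, AH code) pairs and the server names mod_ssl logged."""
    events, vhosts = [], set()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        events.append((m["module"], m["code"]))
        if m["module"] == "ssl":
            vhosts.update(s["vhost"] for s in SERVER.finditer(m["msg"]))
    return events, vhosts

def reached_httpd(text):
    """True when an HTTPS request (AH02034) and a connection close (AH02001) were logged."""
    codes = {code for _, code in summarize(text)[0]}
    return {"AH02034", "AH02001"} <= codes
```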