Posted to users@httpd.apache.org by Todd Volkert <tv...@gmail.com> on 2009/12/18 03:45:28 UTC

[users@httpd] SSLProxyEngine config help

Ok, hopefully I'm not missing something stupid again...  I'm trying to
enable the SSL proxy engine for use in one of my virtual hosts, and though
it seems to accept my SSLProxyMachineCertificateFile upon startup, I get
gobbledygook requests when trying to connect over HTTPS:

Here is my server config:

<VirtualHost *:443>
    ServerName www.foo.com
    ServerAlias localhost foo.com *.foo.com

    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/httpd/conf/proxy.pem
    ProxyRequests Off

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>

Here is the output of the server logs upon startup:

[Thu Dec 17 21:37:42 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Dec 17 21:37:42 2009] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Thu Dec 17 21:37:42 2009] [notice] Digest: generating secret for digest authentication ...
[Thu Dec 17 21:37:42 2009] [notice] Digest: done
[Thu Dec 17 21:37:43 2009] [notice] Apache/2.2.9 (Unix) DAV/2 mod_ssl/2.2.9 OpenSSL/0.9.8b configured -- resuming normal operations

Then when I run 'lynx https://localhost/foo.jsp', I get the following in the
httpd logs:

==> /etc/httpd/logs/access_log <==
127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03\x01" 501 1235 "-" "-"
127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03" 501 1232 "-" "-"

And I get the following in the tomcat access logs:

127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1229
127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1226

Ring any bells?
-T
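
Added example (not part of the original post, nor code from the httpd project): the request lines logged above are the opening bytes of an SSL/TLS ClientHello, which is what an access log records when a listener parses an incoming HTTPS connection as plain HTTP. The sketch below decodes such entries; the function names and the third sample line are constructed for illustration.

```python
import re

# First two entries are the httpd access_log lines from the post (unwrapped);
# the third is a constructed normal request, added for contrast.
SAMPLE_LOG = r'''127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03\x01" 501 1235 "-" "-"
127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03" 501 1232 "-" "-"
127.0.0.1 - - [17/Dec/2009:21:39:10 -0500] "GET /foo.jsp HTTP/1.1" 200 512 "-" "-"'''

REQUEST_FIELD = re.compile(r'\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def unescape(field):
    """Turn the log's \\xHH escapes (and escaped quotes/backslashes) back into bytes."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else m.group(2)
    text = re.sub(r'\\x([0-9a-fA-F]{2})|\\(["\\])', repl, field)
    return text.encode("latin-1")

def classify(raw):
    """Name the handshake header, if any, at the start of a logged request line."""
    # SSLv2-format ClientHello: 2-byte length with the high bit set, type 0x01, version.
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        ver = VERSIONS.get(tuple(raw[3:5]), "unknown") if len(raw) >= 5 else "truncated in log"
        return f"SSLv2-format ClientHello, {length}-byte body, version {ver}"
    # TLS record layer: content type 0x16 (handshake), then record version 3.x.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "TLS handshake record"
    return None

def scan(log_text):
    """Return (status, finding) for each entry whose request line is an SSL/TLS hello."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_FIELD.search(line)
        finding = classify(unescape(m.group(1))) if m else None
        if finding:
            hits.append((int(m.group(2)), finding))
    return hits

if __name__ == "__main__":
    for status, finding in scan(SAMPLE_LOG):
        print(status, finding)
```

SSLProxyEngine only enables TLS on the connection from httpd to the backend; TLS on the client-facing side of a virtual host is controlled separately by SSLEngine.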

Re: [users@httpd] Re: SSLProxyEngine config help

Posted by Philip Wigg <ph...@philipwigg.co.uk>.
Have you tried removing the ServerAlias directive? You can't use
Name-based Virtual Hosting with SSL anyway (without using SNI, which
you aren't) so they're redundant.

Cheers,
Phil.



[users@httpd] Re: SSLProxyEngine config help

Posted by Todd Volkert <tv...@gmail.com>.
Forgot to mention that I generated the proxy.pem file by following the
process listed at https://issues.apache.org/bugzilla/show_bug.cgi?id=31856,
including making sure that I'm using an RSA key (not PKCS#8).

-T
