You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Schettler, Marty L." <Ma...@leidos.com> on 2018/10/12 20:26:44 UTC

[users@httpd] Reverse proxy not sending certificate

My reverse proxy config doesn't work with SSL any more as I try to upgrade from 2.4.29 to 2.4.34.

My config:

SSLProxyEngine On
SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt
SSLProxyCACertificatePath /etc/cacerts

<Location /proxy>
  ProxyPass https://host01:9443/p
  ProxyPassReverse https://host01:9443/p
  SSLVerifyClient require
</Location>


Again, this works just fine with 2.4.29. However, in 2.4.34 I get a 502 in my browser "Error reading from remote server" and my httpd log file has a warning "AH02268: Proxy client callback: (host01:443) downstream server wanted client certificate but none are configured." Is this possible related to PR 62232? If so, I thought it would have been fixed in 2.4.32.

Any help is greatly appreciated!!

Marty

Re: [users@httpd] Reverse proxy not sending certificate

Posted by Rainer Jung <ra...@kippdata.de>.

Am 18.10.2018 um 17:32 schrieb Schettler, Marty L.:
> Good advice. Thanks! However, I just retested with 2.4.35 and I get the 
> exact same results as with 2.4.34. Any other ideas? I’d welcome a 
> workaround too.

Could well be

http://svn.apache.org/viewvc?rev=1844226&view=rev

which is still missing in 2.4.35. It will be part of the fortcoming 
2.4.37, but you can also easily apply the small change to your 2.4.35 
sources if you build yourself. You only need to add the two lines marked 
with a leading "+" sign here:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c?r1=1844226&r2=1844225&pathrev=1844226

Regards,

Rainer

> *From:*William A Rowe Jr [mailto:wrowe@rowe-clan.net]
> *Sent:* Friday, October 12, 2018 6:26 PM
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] Reverse proxy not sending certificate
> 
> A number of regressions are fixed in 2.4.35, please retest against that 
> version.
> 
> On Fri, Oct 12, 2018, 15:27 Schettler, Marty L. 
> <Martin.L.Schettler@leidos.com <ma...@leidos.com>> 
> wrote:
> 
>     My reverse proxy config doesn’t work with SSL any more as I try to
>     upgrade from 2.4.29 to 2.4.34.
> 
>     My config:
> 
>     SSLProxyEngine On
> 
>     SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt
> 
>     SSLProxyCACertificatePath /etc/cacerts
> 
>     <Location /proxy>
> 
>        ProxyPass https://host01:9443/p
> 
>        ProxyPassReverse https://host01:9443/p
> 
>        SSLVerifyClient require
> 
>     </Location>
> 
>     Again, this works just fine with 2.4.29. However, in 2.4.34 I get a
>     502 in my browser “Error reading from remote server” and my httpd
>     log file has a warning “AH02268: Proxy client callback: (host01:443)
>     downstream server wanted client certificate but none are
>     configured.” Is this possible related to PR 62232? If so, I thought
>     it would have been fixed in 2.4.32.
> 
>     Any help is greatly appreciated!!
> 
>     Marty

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Reverse proxy not sending certificate

Posted by "Schettler, Marty L." <Ma...@leidos.com>.

Good advice. Thanks! However, I just retested with 2.4.35 and I get the exact same results as with 2.4.34. Any other ideas? I’d welcome a workaround too.

Thanks!

From: William A Rowe Jr [mailto:wrowe@rowe-clan.net]
Sent: Friday, October 12, 2018 6:26 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Reverse proxy not sending certificate

A number of regressions are fixed in 2.4.35, please retest against that version.

On Fri, Oct 12, 2018, 15:27 Schettler, Marty L. <Ma...@leidos.com>> wrote:
My reverse proxy config doesn’t work with SSL any more as I try to upgrade from 2.4.29 to 2.4.34.

My config:

SSLProxyEngine On
SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt
SSLProxyCACertificatePath /etc/cacerts

<Location /proxy>
  ProxyPass https://host01:9443/p
  ProxyPassReverse https://host01:9443/p
  SSLVerifyClient require
</Location>

Again, this works just fine with 2.4.29. However, in 2.4.34 I get a 502 in my browser “Error reading from remote server” and my httpd log file has a warning “AH02268: Proxy client callback: (host01:443) downstream server wanted client certificate but none are configured.” Is this possible related to PR 62232? If so, I thought it would have been fixed in 2.4.32.

Any help is greatly appreciated!!

Marty

Re: [users@httpd] Reverse proxy not sending certificate

Posted by William A Rowe Jr <wr...@rowe-clan.net>.

A number of regressions are fixed in 2.4.35, please retest against that
version.


On Fri, Oct 12, 2018, 15:27 Schettler, Marty L. <
Martin.L.Schettler@leidos.com> wrote:

> My reverse proxy config doesn’t work with SSL any more as I try to upgrade
> from 2.4.29 to 2.4.34.
>
>
>
> My config:
>
>
>
> SSLProxyEngine On
>
> SSLProxyMachineCertificateFile /path/to/server_crt_and_key.crt
>
> SSLProxyCACertificatePath /etc/cacerts
>
>
>
> <Location /proxy>
>
>   ProxyPass https://host01:9443/p
>
>   ProxyPassReverse https://host01:9443/p
>
>   SSLVerifyClient require
>
> </Location>
>
>
>
>
>
> Again, this works just fine with 2.4.29. However, in 2.4.34 I get a 502 in
> my browser “Error reading from remote server” and my httpd log file has a
> warning “AH02268: Proxy client callback: (host01:443) downstream server
> wanted client certificate but none are configured.” Is this possible
> related to PR 62232? If so, I thought it would have been fixed in 2.4.32.
>
>
>
> Any help is greatly appreciated!!
>
>
>
> Marty
>