Posted to users@httpd.apache.org by Jan Luca Naumann <ja...@naumannsfamily.de> on 2009/12/08 15:53:03 UTC

[users@httpd] Problems with mod_ssl and mod_proxy

Hello,

I have a problem with Apache Server (Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k):

I want to set up that the server controls a client-cert and, if it is OK, connect with a ProxyPass to the right server.

The config:

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule dumpio_module modules/mod_dumpio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so

<Proxy *>
Order Deny,Allow
Deny from all
</Proxy> 

ProxyRequests Off

NameVirtualHost <My IP>:443

<VirtualHost <My IP>:443>
    DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
    ServerName <web address>
    ServerAlias <My IP, for test>

    SSLEngine on
    SSLCertificateFile <Path of the cert>
    SSLCertificateKeyFile <Path of the key>
    SSLCACertificateFile <Path of the CA-cert>
    SSLVerifyClient require
    SSLVerifyDepth  10

    ProxyPreserveHost On
    ProxyPass / <end server>
    ProxyPassReverse / <end server>
</VirtualHost>


When I connect to the server now, the browser loads some time and then gives me a timeout. What am I doing wrong?

Best regards
Jan
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: AW: [users@httpd] Problems with mod_ssl and mod_proxy

Posted by André Warnier <aw...@ice-sa.com>.
Jan Luca Naumann wrote:
>>

Some additional tips :

You also need a line

Listen <My IP>:443
...

>> NameVirtualHost <My IP>:443
>>
>> <VirtualHost <My IP>:443>


Start Apache.
Open a command window, and enter : netstat -an | more
You should see a line like :

   TCP    <My IP>:443    0.0.0.0:0              ABHÖREN

do you ?

Is the Windows firewall enabled ?
If yes, does it allow incoming connections on port 443 ?
(or turn off the firewall)
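
Added example, not part of André Warnier's message: the netstat check above as a small Python parser. Because the state column is localized (ABHÖREN on this German Windows host), it recognises a listener by its remote endpoint rather than by that word. The sample output, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` output from a German-language
# Windows host; addresses are documentation placeholders, not from the thread.
SAMPLE = """\
Aktive Verbindungen

  Proto  Lokale Adresse         Remoteadresse          Status
  TCP    0.0.0.0:135            0.0.0.0:0              ABHÖREN
  TCP    192.0.2.10:443         0.0.0.0:0              ABHÖREN
  TCP    192.0.2.10:443         198.51.100.7:51234     HERGESTELLT
  TCP    [::]:8080              [::]:0                 ABHÖREN
  UDP    0.0.0.0:500            *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+\S+\s*$")


def listening_sockets(netstat_text):
    """Return {(local_addr, port)} for TCP listeners.

    The state word differs per Windows language (LISTENING, ABHÖREN, ...),
    so a listener is identified by its remote endpoint: wildcard address
    and port 0.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) in ("0.0.0.0", "[::]") and m.group(4) == "0":
            found.add((m.group(1), int(m.group(2))))
    return found


def check_listen(netstat_text, ip, port):
    """Classify whether a `Listen ip:port` directive took effect."""
    wildcard = "[::]" if ":" in ip else "0.0.0.0"  # same address family only
    socks = listening_sockets(netstat_text)
    if (ip, port) in socks:
        return "bound"            # the line the post tells you to look for
    if (wildcard, port) in socks:
        return "bound-wildcard"   # e.g. `Listen 443` on all interfaces
    if any(p == port for _, p in socks):
        return "bound-other-ip"   # port is open, but not on this address
    return "not-listening"        # Listen missing or the bind failed


if __name__ == "__main__":
    for port in (443, 135, 8080, 80):
        print("192.0.2.10", port, check_listen(SAMPLE, "192.0.2.10", port))
```

A "bound" or "bound-wildcard" result with connections still timing out points at the firewall question that follows in the post; "not-listening" points back at the Listen directive.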





AW: [users@httpd] Problems with mod_ssl and mod_proxy

Posted by Jan Luca Naumann <ja...@naumannsfamily.de>.
Hi,

without all SSL stuff I get a timeout, too, but the right webserver is OK.

Best regards
Jan

________________________________________
From: Boyle Owen [Owen.Boyle@six-group.com]
Sent: Tuesday, 8 December 2009 16:51
To: users@httpd.apache.org
Subject: RE: [users@httpd] Problems with mod_ssl and mod_proxy

> -----Original Message-----
> From: Jan Luca Naumann [mailto:jan@naumannsfamily.de]
> Sent: Tuesday, December 08, 2009 3:53 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Problems with mod_ssl and mod_proxy
>
> Hello,
>
> I have a problem with Apache Server (Apache/2.2.14 (Win32)
> mod_ssl/2.2.14 OpenSSL/0.9.8k):
>
> I want to set up that the server controls a client-cert and,
> if it is OK, connect with a ProxyPass to the right server.
>
> ...
>
> <Proxy *>
> Order Deny,Allow
> Deny from all
> </Proxy>
>
> ProxyRequests Off
>
> NameVirtualHost <My IP>:443
>
> <VirtualHost <My IP>:443>
>     DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
>     ServerName <web address>
>     ServerAlias <My IP, for test>
>
>     SSLEngine on
>     SSLCertificateFile <Path of the cert>
>     SSLCertificateKeyFile <Path of the key>
>     SSLCACertificateFile <Path of the CA-cert>
>     SSLVerifyClient require
>     SSLVerifyDepth  10
>
>     ProxyPreserveHost On
>     ProxyPass / <end server>
>     ProxyPassReverse / <end server>
> </VirtualHost>
>
>
> When I connect to the server now, the browser loads some time
> and then gives me a timeout. What am I doing wrong?

Break the problem into two parts and get the ProxyPass working before worrying about the SSL client verification. What happens if you comment out all the SSL stuff and try to get to the back-end server with a plain HTTP virtual host?

If that times out, what happens if you try to access the back-end directly (from a client that has TCP/IP access, obviously)?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> Best regards
> Jan

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail communications through their networks.



RE: [users@httpd] Problems with mod_ssl and mod_proxy

Posted by Boyle Owen <Ow...@six-group.com>.
> -----Original Message-----
> From: Jan Luca Naumann [mailto:jan@naumannsfamily.de] 
> Sent: Tuesday, December 08, 2009 3:53 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Problems with mod_ssl and mod_proxy
> 
> Hello,
> 
> I have a problem with Apache Server (Apache/2.2.14 (Win32) 
> mod_ssl/2.2.14 OpenSSL/0.9.8k):
> 
> I want to set up that the server controls a client-cert and,
> if it is OK, connect with a ProxyPass to the right server.
> 
> ...
> 
> <Proxy *>
> Order Deny,Allow
> Deny from all
> </Proxy> 
> 
> ProxyRequests Off
> 
> NameVirtualHost <My IP>:443
> 
> <VirtualHost <My IP>:443>
>     DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
>     ServerName <web address>
>     ServerAlias <My IP, for test>
> 
>     SSLEngine on
>     SSLCertificateFile <Path of the cert>
>     SSLCertificateKeyFile <Path of the key>
>     SSLCACertificateFile <Path of the CA-cert>
>     SSLVerifyClient require
>     SSLVerifyDepth  10
> 
>     ProxyPreserveHost On
>     ProxyPass / <end server>
>     ProxyPassReverse / <end server>
> </VirtualHost>
> 
> 
> When I connect to the server now, the browser loads some time 
> and then gives me a timeout. What am I doing wrong?

Break the problem into two parts and get the ProxyPass working before worrying about the SSL client verification. What happens if you comment out all the SSL stuff and try to get to the back-end server with a plain HTTP virtual host?

If that times out, what happens if you try to access the back-end directly (from a client that has TCP/IP access, obviously)?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> Best regards
> Jan