Posted to users@httpd.apache.org by Cahya Wirawan <cw...@email.archlab.tuwien.ac.at> on 2003/06/17 11:23:39 UTC

[users@httpd] mod_proxy with ssl is very unstable

I use mod_proxy as a reverse proxy for https connections. It runs fine
with apache 2.0.43, but when I upgrade it to 2.0.46, more than 50% of the
https connections fail and the httpd child process just dies.
2.0.44 and 2.0.45 have the same problem: their child process just dies in
more than 50% of https connections. I also tried upgrading openssl
to the latest version 0.9.7b and recompiling apache, but it doesn't help,
since maybe it is not openssl's bug. This behaviour is reproducible on
another server; I tried it here with redhat 7.0 and gentoo 1.4. Both of them
have the same problem with apache 2.0.44, 2.0.45 and 2.0.46 no matter which
openssl version, and have a stable connection with 2.0.43.

Here is my config:

NameVirtualHost xxx.5.131.41:443
SSLProxyEngine on
<VirtualHost xxx.5.131.41:443>
    ServerName iniskp.mydomain.org
    ProxyPass               /       https://iniskp.mydomain.org/
    ProxyPassReverse        /       https://iniskp.mydomain.org/
    LogLevel        debug
    SSLEngine on
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
</VirtualHost>

And here is the error log when the connections failed:

.....
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(109): proxy: HTTP: canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL https://iniskp.mydomain.org/
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(221): proxy: HTTP connecting https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:52 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(404): proxy: connection complete to xxx.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:52 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: before/connect initialization
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv2/v3 write client hello A
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7 bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1431): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1462): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 closed with abortive shutdown(server iniskp.mydomain.org:443, client xxx.5.67.95)
.....


And here is a successful connection right after the above connection:

.....
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(109): proxy: HTTP: canonicalising URL //iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] mod_proxy.c(459): Trying to run scheme_handler
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(1076): proxy: HTTP: serving URL https://iniskp.mydomain.org/
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(221): proxy: HTTP connecting https://iniskp.mydomain.org/ to iniskp.mydomain.org:443
[Fri Jun 13 18:18:53 2003] [debug] proxy_util.c(1203): proxy: HTTP: fam 2 socket created to connect to iniskp.mydomain.org
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(370): proxy: socket is connected
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(404): proxy: connection complete to 161.5.67.95:443 (iniskp.mydomain.org)
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server iniskp.mydomain.org:443, client xxx.5.67.95)
[Fri Jun 13 18:18:53 2003] [info] Seeding PRNG with 136 bytes of entropy
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: before/connect initialization
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv2/v3 write client hello A
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7 bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1431): +-------------------------------------------------------------------------+
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1456): | 0000: 16 03 01 03 68 02                                ....h.           |
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1460): | 0007 - <SPACES/NULS>
.....

The difference is in "ssl_engine_io() : OpenSSL: read 0/7 bytes from ..." if it
failed and "ssl_engine_io() : OpenSSL: read 7/7 bytes from ..." if it is
successful.


So, does someone have the same problem with https reverse proxy?
thanks,
cahya.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
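
Added example (not part of the original post, and not Apache code): a small Python script that applies the observation in the post above, pairing each outbound proxy connection in a debug-level error_log with its first "OpenSSL: read N/M bytes" entry and the "SSL Proxy connect failed" marker, so the failure rate can be compared across httpd versions. It also rejoins entries split by e-mail line wrapping. Assumptions: the sample log is constructed from the entry format shown in the post, host names and addresses are placeholders, and entries of one connection are not interleaved with another's.

```python
import re

# Constructed sample in the format of the posted excerpts (placeholder hosts/addresses).
SAMPLE_LOG = """\
[Fri Jun 13 18:18:52 2003] [debug] proxy_http.c(221): proxy: HTTP connecting
https://backend.example.test/ to backend.example.test:443
[Fri Jun 13 18:18:52 2003] [info] Connection to child 3 established (server backend.example.test:443, client 192.0.2.10)
[Fri Jun 13 18:18:52 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 0/7 bytes from BIO#8194ea0 [mem: 81a1c98] (BIO dump follows)
[Fri Jun 13 18:18:52 2003] [info] SSL Proxy connect failed
[Fri Jun 13 18:18:53 2003] [debug] proxy_http.c(221): proxy: HTTP connecting https://backend.example.test/ to backend.example.test:443
[Fri Jun 13 18:18:53 2003] [info] Connection to child 5 established (server backend.example.test:443, client 192.0.2.10)
[Fri Jun 13 18:18:53 2003] [debug] ssl_engine_io.c(1484): OpenSSL: read 7/7 bytes from BIO#8194ea0 [mem: 81a3ca0] (BIO dump follows)
"""

ENTRY = re.compile(r"^\[([^\]]+)\] \[(\w+)\] (.*)$")   # [timestamp] [level] message
READ = re.compile(r"OpenSSL: read (\d+)/(\d+) bytes")
CHILD = re.compile(r"Connection to child (\d+) established")

def unwrap(text):
    """Rejoin wrapped entries: a line not starting with '[' continues the previous one."""
    entries = []
    for line in text.splitlines():
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries

def proxy_handshakes(text):
    """One dict per outbound proxy connection: time, child, first SSL read, outcome."""
    attempts = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        when, _level, msg = m.groups()
        if "proxy: HTTP connecting" in msg:
            attempts.append({"time": when, "child": None, "read": None, "failed": False})
        elif attempts:
            cur = attempts[-1]
            if (c := CHILD.search(msg)):
                cur["child"] = int(c.group(1))
            elif (r := READ.search(msg)) and cur["read"] is None:
                cur["read"] = (int(r.group(1)), int(r.group(2)))  # (got, wanted)
            elif "SSL Proxy connect failed" in msg:
                cur["failed"] = True
    return attempts

def failure_rate(attempts):
    """Fraction of outbound handshakes that ended in 'SSL Proxy connect failed'."""
    return sum(a["failed"] for a in attempts) / len(attempts) if attempts else 0.0
```

Run against a full error_log with proxy_handshakes(open(path).read()); the child number recorded for each failed attempt can then be matched against child-exit notices in the same log.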


[users@httpd] SIGTERM in 2.0.46 on RH7.3

Posted by dan frost <da...@danfrost.co.uk>.
Dear all,

I've just upgraded our server to Apache 2.0.46 in response to a DoS attack.

Over the weekend the server shut down - here's the access_log:
[--SNIP--]
61.144.xxx.xxx - - [13/Jun/2003:16:46:43 +0100] "GET http://www.alltheweb.com/ HTTP/1.1 200 1607
207.78.xxx.xxx - - [14/Jun/2003:00:32:54 +0100] "SEARCH / HTTP/1.1" 501 218
156.17.xxx.xxx - - [14/Jun/2003:19:27:35 +0100] "SEARCH / HTTP/1.1" 501 218
62.229.xxx.xxx - - [15/Jun/2003:00:29:35 +0100] "HEAD / HTTP/1.1" 501 218
[--SNIP--]

Here's the error_log:
[--snip--]
[Sat Jun 14 00:32:54 2003] [error] [client 207.78.xxx.xxx] Invalid method in request SEARCH / HTTP/1.1
[Sat Jun 14 04:25:19 2003] [notice] caught SIGTERM, shutting down
[Sat Jun 14 04:25:35 2003] [notice] Apache/2.0.46 (Unic) mod_perl/1.99_08 Perlv5.6.1 PHP/4.3.2. configured -- resuming normal operations
[Sat Jun 14 19:27:35 2003] [error] [client 156.17.xxx.xxx] Invalid method in request SEARCH / HTTP/1.1
[Sun Jun 15 02:55:31 2003] [notice] caught SIGTERM, shutting down
[Sun Jun 15 02:56:07 2003] [notice] Apache/2.0.46 (Unix) mod_perl/1.99_08 Perlv5.6.1 PHP/4.3.2. configured -- resuming normal operations
[Sun Jun 15 05:05:34 2003] [notice] caught SIGTERM, shutting down
[--snip--]

...and didn't resume normal operations until I started it.

The O/S is RH7.2. PHP and Perl versions are in the logs.

The server is using heartbeat high-availability software, and is the 
primary server.

Any help is gratefully received.

Dan







Re: [users@httpd] mod_proxy with ssl is very unstable

Posted by Cahya Wirawan <cw...@email.archlab.tuwien.ac.at>.
Hi Jeff,
the configuration you suggested :

> NameVirtualHost xxx.5.131.41:443
> <VirtualHost xxx.5.131.41:443>
>   ServerName iniskp.mydomain.org
>   ProxyPass / https://iniskp.mydomain.org/
>   SSLProxyEngine on
> </VirtualHost>

would not work because <VirtualHost xxx.5.131.41:443> needs
SSLEngine to be enabled and its certificates.
But it is not the problem; even if I do:

NameVirtualHost xxx.5.131.41:80
<VirtualHost xxx.5.131.41:80>
  ServerName iniskp.mydomain.org
  ProxyPass / https://iniskp.mydomain.org/
  SSLProxyEngine on
</VirtualHost>

the connection will not be stable.
And I think the bug is in the mod_ssl module, because 2.0.44 - 2.0.46
work stably if I replace every file in the modules/ssl directory
with the files from the 2.0.43 version.

cahya.

On Wed, Jun 18, 2003 at 08:51:59AM -0400, Jeff Cohen wrote:
> I would suggest testing it; I have had it running that way for almost 6 months.
> 
> Jeff Cohen
> Support@GEJ-IT.com
> Tel. (416) 917-2324
> www.GEJ-IT.com
> GEJ-IT Networks!
> 
> 
> 
> > -----Original Message-----
> > From: Cahya Wirawan [mailto:cwirawan@email.archlab.tuwien.ac.at]
> > Sent: Wednesday, June 18, 2003 3:36 AM
> > To: users@httpd.apache.org
> > Subject: Re: [users@httpd] mod_proxy with ssl is very unstable
> > 
> > Hi Jeff, thanks for the answer, but the problem is not the configuration
> > file; my config file has been working for 2 years, up to apache 2.0.43.
> > Only if I use a newer version (2.0.44/45/46) does it become unstable: more
> > than 50% of the connections will fail and the server child process will
> > also die.
> > 
> > cahya.
> > 
> > On Tue, Jun 17, 2003 at 10:57:02PM -0400, Jeff Cohen wrote:
> > > Here is the configuration for the mod_proxy to connect to an SSL site:
> > >
> > > NameVirtualHost xxx.5.131.41:443
> > >
> > > <VirtualHost xxx.5.131.41:443>
> > >   ServerName iniskp.mydomain.org
> > >   ProxyPass / https://iniskp.mydomain.org/
> > >   SSLProxyEngine on
> > > </VirtualHost>
> > >
> > > About the SSL from the server farther on to the web client, I don't
> > > really know how to do that, so I would suggest reading more about SSL itself.
> > >
> > 
> 




RE: [users@httpd] mod_proxy with ssl is very unstable

Posted by Jeff Cohen <su...@gej-it.com>.
I would suggest testing it; I have had it running that way for almost 6 months.

Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!



> -----Original Message-----
> From: Cahya Wirawan [mailto:cwirawan@email.archlab.tuwien.ac.at]
> Sent: Wednesday, June 18, 2003 3:36 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] mod_proxy with ssl is very unstable
> 
> Hi Jeff, thanks for the answer, but the problem is not the configuration
> file; my config file has been working for 2 years, up to apache 2.0.43.
> Only if I use a newer version (2.0.44/45/46) does it become unstable: more
> than 50% of the connections will fail and the server child process will
> also die.
> 
> cahya.
> 
> On Tue, Jun 17, 2003 at 10:57:02PM -0400, Jeff Cohen wrote:
> > Here is the configuration for the mod_proxy to connect to an SSL site:
> >
> > NameVirtualHost xxx.5.131.41:443
> >
> > <VirtualHost xxx.5.131.41:443>
> >   ServerName iniskp.mydomain.org
> >   ProxyPass / https://iniskp.mydomain.org/
> >   SSLProxyEngine on
> > </VirtualHost>
> >
> > About the SSL from the server farther on to the web client, I don't
> > really know how to do that, so I would suggest reading more about SSL itself.
> >
> 




Re: [users@httpd] mod_proxy with ssl is very unstable

Posted by Cahya Wirawan <cw...@email.archlab.tuwien.ac.at>.
Hi Jeff, thanks for the answer, but the problem is not the configuration
file; my config file has been working for 2 years, up to apache 2.0.43.
Only if I use a newer version (2.0.44/45/46) does it become unstable: more
than 50% of the connections will fail and the server child process will
also die.

cahya.
 
On Tue, Jun 17, 2003 at 10:57:02PM -0400, Jeff Cohen wrote:
> Here is the configuration for the mod_proxy to connect to an SSL site:
>
> NameVirtualHost xxx.5.131.41:443
>
> <VirtualHost xxx.5.131.41:443>
>   ServerName iniskp.mydomain.org
>   ProxyPass / https://iniskp.mydomain.org/
>   SSLProxyEngine on
> </VirtualHost>
>
> About the SSL from the server farther on to the web client, I don't really
> know how to do that, so I would suggest reading more about SSL itself.
> 




RE: [users@httpd] mod_proxy with ssl is very unstable

Posted by Jeff Cohen <su...@gej-it.com>.
Here is the configuration for the mod_proxy to connect to an SSL site:

NameVirtualHost xxx.5.131.41:443

<VirtualHost xxx.5.131.41:443>
  ServerName iniskp.mydomain.org
  ProxyPass / https://iniskp.mydomain.org/
  SSLProxyEngine on
</VirtualHost>

About the SSL from the server farther on to the web client, I don't really
know how to do that, so I would suggest reading more about SSL itself.

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!



> -----Original Message-----
> From: Cahya Wirawan [mailto:cwirawan@email.archlab.tuwien.ac.at]


> I use mod_proxy as a reverse proxy for https connections. It runs fine
> with apache 2.0.43, but when I upgrade it to 2.0.46, more than 50% of the
> https connections fail and the httpd child process just dies.
> 2.0.44 and 2.0.45 have the same problem: their child process just dies in
> more than 50% of https connections. I also tried upgrading openssl
> to the latest version 0.9.7b and recompiling apache, but it doesn't help,
> since maybe it is not openssl's bug. This behaviour is reproducible on
> another server; I tried it here with redhat 7.0 and gentoo 1.4. Both of them
> have the same problem with apache 2.0.44, 2.0.45 and 2.0.46 no matter which
> openssl version, and have a stable connection with 2.0.43.
> 
> here is my config:
> 
> NameVirtualHost xxx.5.131.41:443
> SSLProxyEngine on
> <VirtualHost xxx.5.131.41:443>
> 	ServerName iniskp.mydomain.org
>         ProxyPass               /       https://iniskp.mydomain.org/
> 	ProxyPassReverse        /       https://iniskp.mydomain.org/
> 	LogLevel        debug
>         SSLEngine on
>         SSLCertificateFile conf/ssl/server.crt
>         SSLCertificateKeyFile conf/ssl/server.key
> </VirtualHost>
> 

