Posted to users@tomcat.apache.org by TED SPRADLEY <te...@gmail.com> on 2017/06/29 17:40:38 UTC

502 Proxy Error

I've worked on this for three days and at this point am not sure where to
begin debugging. 

I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
Tomcat Connector issue or a Tomcat import of the SSL Cert issue.

Any feedback is much appreciated.

Thank you in advance,
Ted S.

Server version: Apache Tomcat/7.0.68
Server built:   Feb 8 2016 20:25:54 UTC
Server number:  7.0.68.0
OS Name:        Linux
OS Version:     3.10.0-327.3.1.el7.x86_64
Architecture:   amd64
JVM Version:    1.8.0_91-b14
JVM Vendor:     Oracle Corporation

Important Points:
1. Apache was unable to be restarted without reboot.
2. After reboot requests to https://example.com/somecontext receive "502 Proxy Error"
3. I rekeyed SSL Certs and re-imported into Tomcat (command below)
4. Requests to https://example.com/somecontext still receive "502 Proxy Error"
5. I suspect one problem may be with contents of the <VirtualHost _default_:443> element

After a recent reboot I encountered the following issue.

Issue: Requests via browser client to https://example.com/somecontext
return -
-- begin browser page
Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.

Reason: Error reading from remote server
-- end browser page

Unexpected Observed Behavior: Requests via browser client to
https://www.example.com/ return the default index.html for the server.
Requests via command line client curl https://www.example.com/ return "502
Proxy Error"

This server has been in production for seven months correctly responding
to requests on ports 80 & 443 (with secure content). I updated content and
wanted to change to redirecting incoming requests from port 80 to port 443.

When I attempted to restart Apache, Apache failed to kill the running
process. I issued 'kill'. Then tried to start. Apache failed to start. I
restored the <VirtualHost *:80> container to the state listed below, then
tried to start Apache. Apache failed to start. I rebooted the server, then
started Apache. 

Then any request via browser behaved as above. I then rekeyed the SSL Cert
and re-imported the cert into Tomcat with:

$ openssl pkcs12 -export -in /etc/pki/tls/certs/example.com.crt \
    -inkey /etc/pki/tls/private/example.key -out examplecert.p12 \
    -name tomcat -CAfile /etc/pki/tls/certs/ca_bundle.crt -caname root -chain

Configuration files content:

-- begin virtualhost.conf
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass         /somecontext  http://example.com:8081/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8081/somecontext
</VirtualHost>

<VirtualHost *:80>
  ServerName www.exampledefaultdomain.com
  ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
  ErrorLog "/etc/httpd/logs/examplessl_error.log"
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCertificateChainFile /path/to/certs/ca_bundle.crt
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass         /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext
</VirtualHost>
-- end virtualhost.conf

-- begin ssl.conf -
<VirtualHost _default_:443>
  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCACertificateFile /path/to/certs/ca_bundle.crt
</VirtualHost>
-- end ssl.conf -

-- begin Tomcat server.xml Connector:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           proxyName="www.example.com"
           proxyPort="443"
           keystoreFile="conf/.keystore"
           clientAuth="false"
           sslProtocol="TLS"
           xpoweredBy="false"
           server="Apache TomEE" />
-- end Tomcat server.xml Connector:


$ openssl x509 -in /etc/pki/tls/certs/example.com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=example.com

$ apachectl -S

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:35)
                 alias example.com
                 wild alias *.example.com
*:80                   is a NameVirtualHost
         default server www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
         port 80 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
                 alias example.com
                 wild alias *.example.com




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: 502 Proxy Error

Posted by Mark Thomas <ma...@apache.org>.
On 29/06/17 18:40, TED SPRADLEY wrote:
> I've worked on this for three days and at this point am not sure where to
> begin debugging. 
> 
> I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
> Tomcat Connector issue or a Tomcat import of the SSL Cert issue.
> 
> Any feedback is much appreciated.

<snip/>

> Configuration files content:
> 
> -- begin virtualhost.conf
> <VirtualHost *:80>
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   ProxyPass / http://example.com:8081/
>   ProxyPassReverse / http://example.com:8081/
>   ProxyPass         /somecontext  http://example.com:8081/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8081/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

> </VirtualHost>
> 
> <VirtualHost *:80>
>   ServerName www.exampledefaultdomain.com
>   ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
> </VirtualHost>
> 
> <VirtualHost *:443>
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
>   ErrorLog "/etc/httpd/logs/examplessl_error.log"
>   SSLEngine on
>   SSLProxyEngine on
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCertificateChainFile /path/to/certs/ca_bundle.crt
>   ProxyPass / http://example.com:8443/
>   ProxyPassReverse / http://example.com:8443/
>   ProxyPass         /somecontext  http://example.com:8443/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8443/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

And here appears to be the problem.

If you are proxying to a secure port on Tomcat then the scheme needs to
be https, not http. i.e.:

ProxyPass        / https://example.com:8443/
ProxyPassReverse / https://example.com:8443/

Well done for proxying http and https separately. Many users proxy them
to the same Tomcat connector and create a bunch of security issues
(which can be avoided with very careful configuration but that often
gets overlooked).

> </VirtualHost>
> -- end virtualhost.conf
> 
> -- begin ssl.conf -
> <VirtualHost _default_:443>
>   ErrorLog logs/ssl_error_log
>   TransferLog logs/ssl_access_log
>   LogLevel warn
>   SSLEngine on
>   SSLProtocol all -SSLv2
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCACertificateFile /path/to/certs/ca_bundle.crt
> </VirtualHost>
> -- end ssl.conf -
> 
> -- begin Tomcat server.xml Connector:
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
>                 maxThreads="150"
>                 SSLEnabled="true"
>                 scheme="https"
>                 secure="true"
>                 proxyName="www.example.com"
>                 proxyPort="443"
>                 keystoreFile="conf/.keystore"
>                 clientAuth="false"
>                 sslProtocol="TLS"
>                 xpoweredBy="false"
>                 server="Apache TomEE" />
> -- end Tomcat server.xml Connector:

That looks OK on the face of it.

It would have been nice to see the config for the 8001 connector but
that doesn't appear to be relevant to the problem at this point.

Mark
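The two points Mark raises (a narrower ProxyPass that repeats what `ProxyPass /` already covers, and an `http://` backend URL pointing at a connector that has `SSLEnabled="true"`) are both mechanically checkable before a restart. The following is an added example, not code from the thread or from the Apache httpd/Tomcat projects: a small Python lint that reads the `<Connector>` elements from a `server.xml` fragment, records which ports terminate TLS, and then walks each `<VirtualHost>`'s `ProxyPass` rules. It flags a scheme that disagrees with the backend connector, an `https://` backend without `SSLProxyEngine on`, and a rule shadowed by an earlier, broader one (httpd checks ProxyPass rules in configuration order, first match wins). The sample configs embedded below are constructed from the thread's 443/80 vhosts and the 8443 connector; the 8081 connector and all function names are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the thread's two vhosts, with the reported mistake
# (http:// scheme towards the TLS-enabled 8443 connector) left in place.
BROKEN_VHOSTS = """\
<VirtualHost *:80>
  ServerName www.example.com
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass         /somecontext  http://example.com:8081/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8081/somecontext
</VirtualHost>
<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLProxyEngine on
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass         /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext
</VirtualHost>
"""

# Constructed sample: the corrected 443 vhost as Mark suggests (https scheme,
# redundant /somecontext rule dropped).
FIXED_VHOSTS = """\
<VirtualHost *:443>
  ServerName www.example.com
  SSLEngine on
  SSLProxyEngine on
  ProxyPass        / https://example.com:8443/
  ProxyPassReverse / https://example.com:8443/
</VirtualHost>
"""

# Constructed sample: the thread's 8443 connector plus an assumed plain 8081 one.
SERVER_XML = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           proxyName="www.example.com" proxyPort="443"
           keystoreFile="conf/.keystore" clientAuth="false" sslProtocol="TLS" />
<Connector port="8081" protocol="HTTP/1.1" proxyName="www.example.com" proxyPort="80" />
"""

CONNECTOR_RE = re.compile(r"<Connector\b(.*?)/>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S)
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.M)
URL_RE = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/.*)?$")


def tomcat_tls_ports(server_xml: str) -> Dict[int, bool]:
    """Map each Connector port to True if it terminates TLS (SSLEnabled="true")."""
    ports: Dict[int, bool] = {}
    for m in CONNECTOR_RE.finditer(server_xml):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if "port" in attrs:
            ports[int(attrs["port"])] = attrs.get("SSLEnabled", "false").lower() == "true"
    return ports


def lint_vhost(body: str, tls_ports: Dict[int, bool]) -> List[str]:
    """Check the ProxyPass rules of one <VirtualHost> body against the connectors."""
    findings: List[str] = []
    proxy_ssl_on = re.search(r"^\s*SSLProxyEngine\s+on\b", body, re.M | re.I) is not None
    earlier: List[str] = []
    for path, backend in PROXYPASS_RE.findall(body):  # ProxyPassReverse does not match
        m = URL_RE.match(backend)
        if not m:
            continue
        scheme, _host, port_s, _rest = m.groups()
        port = int(port_s) if port_s else (443 if scheme == "https" else 80)
        backend_tls = tls_ports.get(port)  # None if no connector on that port
        if backend_tls is True and scheme != "https":
            findings.append(f"{path}: connector {port} is SSLEnabled but ProxyPass uses {scheme}://")
        if backend_tls is False and scheme == "https":
            findings.append(f"{path}: connector {port} is plain HTTP but ProxyPass uses https://")
        if scheme == "https" and not proxy_ssl_on:
            findings.append(f"{path}: https backend requires SSLProxyEngine on")
        for prev in earlier:  # first matching rule wins, so a later sub-path rule is dead
            if prev != path and path.startswith(prev.rstrip("/") + "/"):
                findings.append(f"{path}: shadowed by earlier ProxyPass {prev}")
        earlier.append(path)
    return findings


def lint(vhost_conf: str, server_xml: str) -> List[str]:
    """Lint every <VirtualHost> in vhost_conf against the Tomcat connectors."""
    tls_ports = tomcat_tls_ports(server_xml)
    findings: List[str] = []
    for body in VHOST_RE.findall(vhost_conf):
        findings.extend(lint_vhost(body, tls_ports))
    return findings


if __name__ == "__main__":
    for line in lint(BROKEN_VHOSTS, SERVER_XML):
        print("BROKEN:", line)
    print("FIXED:", lint(FIXED_VHOSTS, SERVER_XML) or "no findings")
```

On the constructed input the broken configuration produces four findings (the shadowed `/somecontext` rule in each vhost, and the `http://` scheme towards the SSLEnabled 8443 connector for both 443 rules) and the corrected vhost produces none. A 502 with "Error reading from remote server" is exactly what httpd reports when it speaks plaintext HTTP to a port expecting a TLS handshake, so running a check like this before restarting is cheaper than the three days of debugging described in the original post.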
