Posted to users@httpd.apache.org by Todd Volkert <tv...@gmail.com> on 2009/12/18 03:49:19 UTC
[users@httpd] Re: SSLProxyEngine config help
Forgot to mention that I generated the proxy.pem file by following the
process listed at https://issues.apache.org/bugzilla/show_bug.cgi?id=31856,
including making sure that I'm using an rsa key (not pkcs8).
-T
On Thu, Dec 17, 2009 at 9:45 PM, Todd Volkert <tv...@gmail.com> wrote:
> Ok, hopefully I'm not missing something stupid again... I'm trying to
> enable the SSL proxy engine for use in one of my virtual hosts, and though
> it seems to accept my SSLProxyMachineCertificateFile upon startup, I get
> gobbledygook requests when trying to connect over HTTPS:
>
> Here is my server config:
>
> <VirtualHost *:443>
> ServerName www.foo.com
> ServerAlias localhost foo.com *.foo.com
>
> SSLProxyEngine on
> SSLProxyMachineCertificateFile /etc/httpd/conf/proxy.pem
> ProxyRequests Off
>
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
>
> ProxyPass / https://localhost:8443/
> ProxyPassReverse / https://localhost:8443/
> </VirtualHost>
>
> Here is the output of the server logs upon startup:
>
> [Thu Dec 17 21:37:42 2009] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Thu Dec 17 21:37:42 2009] [warn] Init: Session Cache is not configured
> [hint: SSLSessionCache]
> [Thu Dec 17 21:37:42 2009] [notice] Digest: generating secret for digest
> authentication ...
> [Thu Dec 17 21:37:42 2009] [notice] Digest: done
> [Thu Dec 17 21:37:43 2009] [notice] Apache/2.2.9 (Unix) DAV/2 mod_ssl/2.2.9
> OpenSSL/0.9.8b configured -- resuming normal operations
>
> Then when I run 'lynx https://localhost/foo.jsp', I get the following in
> the httpd logs:
>
> ==> /etc/httpd/logs/access_log <==
> 127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03\x01" 501 1235 "-"
> "-"
> 127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03" 501 1232 "-" "-"
>
> And I get the following in the tomcat access logs:
>
> 127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1229
> 127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1226
>
> Ring any bells?
> -T
>
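An added example, not part of this thread: a small Python script that parses the quoted access_log lines and decodes httpd's `\xNN` escaping of the request line. Bytes of the form `\x80s\x01\x03\x01` are not an HTTP method token: they are the start of an SSLv2-compatible ClientHello record (a 2-byte header with the high bit set and length 0x73 = 115, message type 0x01 = CLIENT-HELLO, protocol version 3.1 = TLS 1.0). A listener that logs such a request line with a 501 received a TLS handshake and parsed it as plaintext HTTP, so for a `*:443` virtual host the first thing to verify is that `SSLEngine on` is set for that host; `SSLProxyEngine`, which the quoted config does set, only governs the proxy's outbound connection to the backend. The first two sample lines are copied from the thread; the third is a constructed ordinary request added for contrast, and the log-line regex assumes the common log format shown.

```python
import re
import string

# Constructed sample input: the two access_log lines quoted above, plus one
# ordinary plaintext request (constructed) so the classifier has a contrast.
SAMPLE_LOG = r'''127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03\x01" 501 1235 "-" "-"
127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03" 501 1232 "-" "-"
127.0.0.1 - - [17/Dec/2009:21:40:00 -0500] "GET /foo.jsp HTTP/1.1" 200 512 "-" "Lynx/2.8.6"
'''

# Common log format: client, ident, user, [timestamp], "request", status, size, ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')

# Simple backslash escapes httpd uses besides \xNN.
_SIMPLE_ESCAPES = {'n': 0x0A, 'r': 0x0D, 't': 0x09, '"': 0x22, '\\': 0x5C}


def unescape_request(field: str) -> bytes:
    """Undo httpd's escaping of non-printable bytes in the logged request line."""
    out = bytearray()
    i = 0
    while i < len(field):
        if (field.startswith('\\x', i) and i + 4 <= len(field)
                and all(c in string.hexdigits for c in field[i + 2:i + 4])):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        elif field[i] == '\\' and i + 1 < len(field) and field[i + 1] in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[field[i + 1]])
            i += 2
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """Label what the first bytes of a logged request line actually are.

    SSLv2-compatible ClientHello: 2-byte record header whose high bit is set
    (length = low 15 bits), then message type 0x01 (CLIENT-HELLO) and a 2-byte
    protocol version (0x03 0x01 = TLS 1.0).
    TLS record: content type 0x16 (handshake), then version 0x03 0x0X.
    Anything beginning with an upper-case token and a space is treated as HTTP.
    """
    if len(raw) >= 3 and raw[0] & 0x80 and raw[2] == 0x01:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        version = f"{raw[3]}.{raw[4]}" if len(raw) >= 5 else "unknown"
        return f"sslv2-compat ClientHello (record length {length}, version {version})"
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return f"TLS handshake record (version 3.{raw[2]})"
    if re.match(rb'^[A-Z]+ ', raw):
        return "http"
    return "unknown"


def scan_access_log(text: str):
    """Return (client, status, classification) for each parseable log line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _ts, request, status, _size = m.groups()
        findings.append((client, status, classify_request(unescape_request(request))))
    return findings


if __name__ == "__main__":
    for client, status, kind in scan_access_log(SAMPLE_LOG):
        print(f"{client} {status} {kind}")
```

Any line classified as a ClientHello or TLS record is a TLS client talking to a port that httpd is serving as plaintext; the `'?s / HTTP/1.1'` entries in the Tomcat log are the same two bytes (`\x80` rendered as `?`, then `s`) after httpd forwarded them as the request method.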
Re: [users@httpd] Re: SSLProxyEngine config help
Posted by Philip Wigg <ph...@philipwigg.co.uk>.
> On Thu, Dec 17, 2009 at 9:45 PM, Todd Volkert <tv...@gmail.com> wrote:
>>
>> Ok, hopefully I'm not missing something stupid again... I'm trying to
>> enable the SSL proxy engine for use in one of my virtual hosts, and though
>> it seems to accept my SSLProxyMachineCertificateFile upon startup, I get
>> gobbledygook requests when trying to connect over HTTPS:
>>
>> Here is my server config:
>>
>> <VirtualHost *:443>
>> ServerName www.foo.com
>> ServerAlias localhost foo.com *.foo.com
>>
>> SSLProxyEngine on
>> SSLProxyMachineCertificateFile /etc/httpd/conf/proxy.pem
>> ProxyRequests Off
>>
>> <Proxy *>
>> Order deny,allow
>> Allow from all
>> </Proxy>
>>
>> ProxyPass / https://localhost:8443/
>> ProxyPassReverse / https://localhost:8443/
>> </VirtualHost>
>>
>> Here is the output of the server logs upon startup:
>>
>> [Thu Dec 17 21:37:42 2009] [notice] suEXEC mechanism enabled (wrapper:
>> /usr/sbin/suexec)
>> [Thu Dec 17 21:37:42 2009] [warn] Init: Session Cache is not configured
>> [hint: SSLSessionCache]
>> [Thu Dec 17 21:37:42 2009] [notice] Digest: generating secret for digest
>> authentication ...
>> [Thu Dec 17 21:37:42 2009] [notice] Digest: done
>> [Thu Dec 17 21:37:43 2009] [notice] Apache/2.2.9 (Unix) DAV/2
>> mod_ssl/2.2.9 OpenSSL/0.9.8b configured -- resuming normal operations
>>
>> Then when I run 'lynx https://localhost/foo.jsp', I get the following in
>> the httpd logs:
>>
>> ==> /etc/httpd/logs/access_log <==
>> 127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03\x01" 501 1235
>> "-" "-"
>> 127.0.0.1 - - [17/Dec/2009:21:38:52 -0500] "\x80s\x01\x03" 501 1232 "-"
>> "-"
>>
>> And I get the following in the tomcat access logs:
>>
>> 127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1229
>> 127.0.0.1 [17/Dec/2009:21:38:52 -0500] 8443 '?s / HTTP/1.1' 501 1226
>>
>> Ring any bells?
Have you tried removing the ServerAlias directive? You can't use
Name-based Virtual Hosting with SSL anyway (without using SNI, which
you aren't) so they're redundant.
Cheers,
Phil.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org