Posted to users@httpd.apache.org by Chris Arnold <ca...@electrichendrix.com> on 2012/03/06 21:56:54 UTC

[users@httpd] Reverse proxy

I am trying to config reverse proxy on a server (private ip 192.168.123.3) that will forward https://teknerds.net/ifolder to a different server (private ip 192.168.123.4). Using apache 2.2.12. According to localhost/server-info I have mod_proxy and mod_proxy_http loaded. Here are snippets from the vhost.conf for teknerds.net:
    RewriteEngine On
    RewriteRule ^/ifolder(.*) https://%{HTTP_HOST}/ifolder/ [L]
    RewriteRule ^/admin(.*) https://%{HTTP_HOST}/admin/ [L]
to rewrite http://teknerds.net/ifolder to https://teknerds.net/ifolder

Snippet from vhost-ssl.conf:
    SSLProxyEngine On
    ProxyPass /ifolder https://192.168.123.4/ifolder
    ProxyPassReverse /ifolder https://192.168.123.4/ifolder
    ProxyPass /admin https://192.168.123.4/admin
    ProxyPassReverse /admin https://192.168.123.4/admin
    ProxyPass /nds https://192.168.123.4/nds
    ProxyPassReverse /nds https://192.168.123.4/nds
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

When I tail the *error_log and access http://teknerds.net/ifolder, nothing in the logs. Nothing in the logs when I access http://teknerds.net/ifolder/ or https://teknerds.net/ifolder.
What am I doing wrong?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 6:04 PM, Chri < carnold@electrichendrix.com > wrote: 


>>When putting SSL in the server flags line, apache does not restart:
>>[Tue Mar 06 17:59:45 2012] [error] Init: Unable to read server certificate from file /etc/apache2/ssl.crt/server.crt
>>[Tue Mar 06 17:59:45 2012] [error] SSL Library Error: 218542222 error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data

>>>Because you don't actually have certificates defined.
>>>There is a script you can run (I think it is /usr/bin/gensslcert) to generate placeholder certificates.
Thank you Yehuda and apache group, things are working again!



Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, Mar 6, 2012 at 6:04 PM, Chris Arnold <ca...@electrichendrix.com> wrote:

> When putting SSL in the server flags line, apache does not restart:
> [Tue Mar 06 17:59:45 2012] [error] Init: Unable to read server certificate
> from file /etc/apache2/ssl.crt/server.crt
> [Tue Mar 06 17:59:45 2012] [error] SSL Library Error: 218542222
> error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data


Because you don't actually have certificates defined.
There is a script you can run (I think it is /usr/bin/gensslcert) to
generate placeholder certificates.

- Y

Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 5:07 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 

On Tue, Mar 6, 2012 at 4:49 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 
>>In /etc/sysconfig/apache2 find the 'Define' line and make sure SSL is in it and NOSSL is not in it (should be below the modules list).
>>(Or you can either comment out the IfDefine directives, but I don't recommend that because it might not stay if you ever upgrade.)
>>>I do not see a define line nor NOSSL in apache2 file. The heading that mentions SSL is found here: 
>>>APACHE_SERVER_FLAGS="" 


>>>>Yes, that's the line. 
When putting SSL in the server flags line, apache does not restart:
[Tue Mar 06 17:59:45 2012] [error] Init: Unable to read server certificate from file /etc/apache2/ssl.crt/server.crt
[Tue Mar 06 17:59:45 2012] [error] SSL Library Error: 218542222 error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data



Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 5:07 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 



On Tue, Mar 6, 2012 at 4:49 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 
>>In /etc/sysconfig/apache2 find the 'Define' line and make sure SSL is in it and NOSSL is not in it (should be below the modules list).
>>(Or you can either comment out the IfDefine directives, but I don't recommend that because it might not stay if you ever upgrade.)
>>I do not see a define line nor NOSSL in apache2 file. The heading that mentions SSL is found here: 
>>APACHE_SERVER_FLAGS="" 


>>>Yes, that's the line. 
I put SSL in the quotes, save the file and restart apache. Netstat shows it is not listening (do I leave listen 443 in the listen.conf file?)



Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, Mar 6, 2012 at 5:07 PM, Chris Arnold <ca...@electrichendrix.com> wrote:

> On Tue, Mar 6, 2012 at 4:49 PM, Chris Arnold < carnold@electrichendrix.com> wrote:
> >>In /etc/sysconfig/apache2 find the 'Define' line and make sure SSL is in
> it and NOSSL is not in it (should be below the modules list).
> >>(Or you can either comment out the IfDefine directives, but I don't
> recommend that because it might not stay if you ever upgrade.)
> I do not see a define line nor NOSSL in apache2 file. The heading that
> mentions SSL is found here:
> APACHE_SERVER_FLAGS=""


Yes, that's the line.

- Y

Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 4:49 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 


>>In /etc/sysconfig/apache2 find the 'Define' line and make sure SSL is in it and NOSSL is not in it (should be below the modules list).
>>(Or you can either comment out the IfDefine directives, but I don't recommend that because it might not stay if you ever upgrade.)
I do not see a define line nor NOSSL in apache2 file. The heading that mentions SSL is found here:
APACHE_SERVER_FLAGS=""



Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, Mar 6, 2012 at 4:49 PM, Chris Arnold <ca...@electrichendrix.com> wrote:

> >>It looks like the server is not listening on port 443. I can get to
> https://192.168.123.4/ifolder and login with no problems so I know it is
> listening on 443.
> >>192.168.123.3 is not listening on port 443.
> Snippet from listen.conf:
> <IfDefine SSL>
>    <IfDefine !NOSSL>
>        <IfModule mod_ssl.c>
>
>            Listen 443
>
>        </IfModule>
>    </IfDefine>
> </IfDefine>


In /etc/sysconfig/apache2 find the 'Define' line and make sure SSL is in it
and NOSSL is not in it (should be below the modules list).
(Or you can either comment out the IfDefine directives, but I don't
recommend that because it might not stay if you ever upgrade.)
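
Added example (not part of the original thread or of any poster's configuration): the listen.conf gate quoted above only activates Listen 443 when SSL is defined, NOSSL is not, and mod_ssl is loaded. The Python sketch below evaluates that nesting against the words in APACHE_SERVER_FLAGS; treating each word as a define, the "Listen 80" line, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the listen.conf block quoted in the thread, plus an
# assumed unconditional "Listen 80" line for contrast.
LISTEN_CONF = """\
Listen 80
<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>
            Listen 443
        </IfModule>
    </IfDefine>
</IfDefine>
"""

def parse_server_flags(sysconfig_text):
    """Words in APACHE_SERVER_FLAGS, each treated as a define (assumption)."""
    m = re.search(r'^\s*APACHE_SERVER_FLAGS="([^"]*)"', sysconfig_text, re.M)
    return set(m.group(1).split()) if m else set()

def active_listen_ports(conf_text, defines, modules):
    """Return Listen values whose enclosing <IfDefine>/<IfModule> tests all pass."""
    stack, ports = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(IfDefine|IfModule)\s+(!?)([^>\s]+)\s*>$", line, re.I)
        if opened:
            kind, negated, name = opened.groups()
            known = defines if kind.lower() == "ifdefine" else modules
            # A "!" prefix inverts the test, as in <IfDefine !NOSSL>.
            stack.append((name in known) != bool(negated))
        elif re.match(r"</(IfDefine|IfModule)>$", line, re.I):
            stack.pop()
        elif all(stack):
            listen = re.match(r"Listen\s+(\S+)", line, re.I)
            if listen:
                ports.append(listen.group(1))
    return ports

if __name__ == "__main__":
    loaded = {"mod_ssl.c"}  # assumed: mod_ssl is loaded
    for flags_line in ('APACHE_SERVER_FLAGS=""', 'APACHE_SERVER_FLAGS="SSL"'):
        flags = parse_server_flags(flags_line)
        print(flags_line, "->", active_listen_ports(LISTEN_CONF, flags, loaded))
```

With empty flags only the unconditional port is active, which matches the connection-refused symptom on 443 reported in the thread.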

Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 4:40 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 



>>It looks like the server is not listening on port 443. I can get to https://192.168.123.4/ifolder and login with no problems so I know it is listening on 443.
>>192.168.123.3 is not listening on port 443.
Now it is listening on 443 (listen 443 in listen.conf). However, now I get this in the error_log:
[Tue Mar 06 16:53:01 2012] [error] [client 192.168.123.165] invalid request-URI




Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tue, Mar 6, 2012 at 4:40 PM, Chris Arnold < carnold@electrichendrix.com > wrote: 



>>It looks like the server is not listening on port 443. I can get to https://192.168.123.4/ifolder and login with no problems so I know it is listening on 443.
>>192.168.123.3 is not listening on port 443. 
Snippet from listen.conf:
<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

            Listen 443

        </IfModule>
    </IfDefine>
</IfDefine>

https://teknerds.net/ifolder/ 
In Chrome: Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection. 



Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, Mar 6, 2012 at 4:40 PM, Chris Arnold <ca...@electrichendrix.com> wrote:

> >>It looks like the server is not listening on port 443.
> I can get to https://192.168.123.4/ifolder and login with no problems so
> I know it is listening on 443.

192.168.123.3 is not listening on port 443.

https://teknerds.net/ifolder/
In Chrome: Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the
connection.

Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tue, Mar 6, 2012 at 4:13 PM, Yehuda Katz <ye...@ymkatz.net> wrote:

> On Tuesday, March 6, 2012, Chris Arnold <ca...@electrichendrix.com>
> wrote:
> > Nothing in the logs when I access http://teknerds.net/ifolder/ or
> https://teknerds.net/ifolder.
> > What am I doing wrong?
>
> First, the rewrite rules in the non-ssl ghost are working fine.
> It looks like the server is not listening on port 443.
>


Sent from a gizmo with a very small keyboard and hyper-active auto-correct.

Of course, it should have said VHOST...

Re: [users@httpd] Reverse proxy

Posted by Chris Arnold <ca...@electrichendrix.com>.
On Tuesday, March 6, 2012, Chris Arnold < carnold@electrichendrix.com > wrote: 
> Nothing in the logs when I access http://teknerds.net/ifolder/ or https://teknerds.net/ifolder.
> What am I doing wrong?

>>First, the rewrite rules in the non-ssl ghost are working fine.
I was using my phone to check this and it cuts off the https:// to where all I see is teknerds.net/ifolder and gives me the message cannot connect to server. So I was assuming it was dying at the frontend server. My mistake.

>>It looks like the server is not listening on port 443.
I can get to https://192.168.123.4/ifolder and login with no problems so I know it is listening on 443.




Re: [users@httpd] Reverse proxy

Posted by Yehuda Katz <ye...@ymkatz.net>.
On Tuesday, March 6, 2012, Chris Arnold <ca...@electrichendrix.com> wrote:
> Nothing in the logs when I access http://teknerds.net/ifolder/ or
> https://teknerds.net/ifolder.
> What am I doing wrong?

First, the rewrite rules in the non-ssl ghost are working fine.
It looks like the server is not listening on port 443.

- Y

-- 
Sent from a gizmo with a very small keyboard and hyper-active auto-correct.

Re: [users@httpd] Reverse proxy

Posted by Mathijs <ma...@gmail.com>.
On Tue, Mar 6, 2012 at 10:06 PM, Mathijs <ma...@gmail.com> wrote:

> %{HTTP_HOST} is not a valid part of a substitution, it's only valid when
> used with a RewriteCond directive. See
> http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule for
> valid uses of RewriteRule.
>

Apologies, I am misreading the docs myself, apparently it can be used in a
RewriteRule. The following solution still stands though:


>
> In this case, you don't need mod_rewrite at all. Instead set both
> redirects with "RedirectMatch ^/(ifolder|admin)$ https://teknerds.net/$1"
>

Re: [users@httpd] Reverse proxy

Posted by Mathijs <ma...@gmail.com>.
On Tue, Mar 6, 2012 at 9:56 PM, Chris Arnold <ca...@electrichendrix.com> wrote:

> I am trying to config reverse proxy on a server (private ip 192.168.123.3)
> that will forward https://teknerds.net/ifolder to a different server
> (private ip 192.168.123.4). Using apache 2.2.12. According to
> localhost/server-info I have mod_proxy and mod_proxy_http loaded. Here are
> snippets from the vhost.conf for teknerds.net:
> RewriteEngine On
>    RewriteRule ^/ifolder(.*) https://%{HTTP_HOST}/ifolder/ [L]
>    RewriteRule ^/admin(.*) https://%{HTTP_HOST}/admin/ [L]
> to rewrite http://teknerds.net/ifolder to https://teknerds.net/ifolder


%{HTTP_HOST} is not a valid part of a substitution, it's only valid when
used with a RewriteCond directive. See
http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule for
valid uses of RewriteRule.

In this case, you don't need mod_rewrite at all. Instead set both redirects
with "RedirectMatch ^/(ifolder|admin)$ https://teknerds.net/$1"


>
> Snippet from vhost-ssl.conf:
> SSLProxyEngine On
>        ProxyPass /ifolder https://192.168.123.4/ifolder
>        ProxyPassReverse /ifolder https://192.168.123.4/ifolder
>        ProxyPass /admin https://192.168.123.4/admin
>        ProxyPassReverse /admin https://192.168.123.4/admin
>        ProxyPass /nds https://192.168.123.4/nds
>        ProxyPassReverse /nds https://192.168.123.4/nds
>        <Proxy *>
>                Order allow,deny
>                Allow from all
>        </Proxy>
>
> When I tail the *error_log and access http://teknerds.net/ifolder,
> nothing in the logs. Nothing in the logs when I access
> http://teknerds.net/ifolder/ or https://teknerds.net/ifolder.
> What am I doing wrong?
>

When asking this question, please tell us exactly what you are doing, what
you expect to happen, and what is happening instead.


Kind regards,
Mathijs