Posted to users@httpd.apache.org by Guillaume Rousse <Gu...@inria.fr> on 2008/02/25 10:25:30 UTC

[users@httpd] Trouble using mod_proxy with mod_gnutls

Hello list.

With the following configuration, mod_proxy works perfectly in the
non-ssl vhost, but not in the ssl one. The client hangs a long
time for an answer, which finally comes as a "Site error" message, with a
"404 858" error status in the logs. The waiting time before the error
occurs is longer than the mod_proxy timeout configuration.

<VirtualHost *:80>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/pki/tls/certs/foo.crt
    GnuTLSKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

Using debug log level, here is the log trace of a successful proxy
connection:
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE
filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(138): Adding
CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(54): proxy: HTTP:
canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1412): [client
195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/
for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy.c(819): Running scheme http
handler (attempt 0)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP:
serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1852): proxy: HTTP: has
acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1913): proxy: connecting
http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2012): proxy: connected
/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam
2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2266): proxy: HTTP:
connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1478): proxy: start
body send
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(528): cache: / not
cached. Reason: Expires header already expired, not cacheable
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1567): proxy: end
body send
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (www.msr-inria.inria.fr)

Here is an unsuccessful one. The 'GnuTLS: Handshake Failed' makes me think
that mod_gnutls tries to cipher the outgoing connection too, and fails:
[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE
filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(138): Adding
CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(54): proxy: HTTP:
canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1412): [client
195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/
for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy.c(819): Running scheme http
handler (attempt 0)
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP:
serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1852): proxy: HTTP: has
acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1913): proxy: connecting
http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2012): proxy: connected
/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam
2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP:
connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS:
Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS:
Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52]
(104)Connection reset by peer: proxy: error reading status line from
remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52]
(104)Connection reset by peer: proxy: error reading status line from
remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error
reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error
reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (*)
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (*)

The same configuration worked perfectly with mod_ssl (we switched for
SNI support). I reported the issue to the mod_gnutls author
(http://lists.outoforder.cc/pipermail/modules/2008-February/000097.html),
but he told me to look for the mod_proxy maintainer's help, as he didn't know this
module well enough himself. I had a quick look at Apache bugzilla, but most
issues I found were related to proxying ssl connections explicitly (as
http://issues.apache.org/bugzilla/show_bug.cgi?id=29744), whereas my
problem seems rather to be with proxying a non-ssl connection from an ssl one.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
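As an added illustration (not code from the post, nor from the httpd or mod_gnutls projects), here is a small Python parser run over a constructed subset of the failing trace above. It flags the diagnostic the post relies on: a GnuTLS handshake error attributed to the same IP that mod_proxy had just opened a plain-HTTP backend connection to, plus the length of the stall between the two events. The sample lines are the post's own, re-joined where the mailer hard-wrapped them.

```python
import re
from datetime import datetime

# Apache 2.2 error_log line: "[Fri Feb 22 15:34:56 2008] [error] [client 1.2.3.4] msg"
# (the "[client ...]" field is absent on most debug lines).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[\d.]+)\] )?(?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: four key lines of the failing trace from the post, unwrapped.
SAMPLE = """\
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1913): proxy: connecting http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] (104)Connection reset by peer: proxy: error reading status line from remote server www.msr-inria.inria.fr
"""


def parse(text):
    """Parse error_log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.strptime(m["ts"], TS_FMT), "level": m["level"],
                            "client": m["client"], "msg": m["msg"]})
    return records


def find_tls_on_backend(records):
    """Return (backend_ip, stall_seconds) when a GnuTLS handshake error is logged
    against an IP that mod_proxy connected to as a non-443 (plain HTTP) backend,
    i.e. the TLS layer is being applied to the outgoing proxy socket; else None."""
    backends = {}  # backend ip -> timestamp of mod_proxy's "connection complete"
    for r in records:
        m = re.search(r"connection complete to ([\d.]+):(\d+)", r["msg"])
        if m and m.group(2) != "443":
            backends[m.group(1)] = r["ts"]
    for r in records:
        if r["level"] == "error" and "Handshake Failed" in r["msg"] and r["client"] in backends:
            return r["client"], (r["ts"] - backends[r["client"]]).total_seconds()
    return None


if __name__ == "__main__":
    print(find_tls_on_backend(parse(SAMPLE)))  # ('193.55.250.161', 101.0)
```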


Re: [users@httpd] Trouble using mod_proxy with mod_gnutls

Posted by Guillaume Rousse <Gu...@inria.fr>.
Guillaume Rousse wrote:
> Guillaume Rousse wrote:
>> Hello list.
>>
>> With the following configuration, mod_proxy works perfectly in the
>> non-ssl vhost, but not in the ssl one. The client hangs a long
>> time for an answer, which finally comes as a "Site error" message, with a
>> "404 858" error status in the logs. The waiting time before the error
>> occurs is longer than the mod_proxy timeout configuration.
> I forgot: this is happening under Linux, with apache 2.2.3 and 2.2.6.
Here is more information.

The first one is a tcpdump capture of a successful connection on the non-ssl
vhost (out1), and another capture of an unsuccessful one on the ssl vhost (out2).
195.83.212.55 is the client
193.55.250.2 is the frontal web server
193.55.250.161 is the proxied web server

In the unsuccessful case, the frontal web server initiates the TCP connection
with the proxied one, and then doesn't send anything, whereas it
immediately sends a GET request when everything works.

The second piece of information is gdb output when the process is hanging.
It seems an error handler is invoked in mod_proxy, making mod_gnutls
wait infinitely on a socket.

#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7b2248b in poll () from /lib/i686/libc.so.6
#2  0xb7bd9a4c in apr_wait_for_io_or_timeout () from /usr/lib/libapr-1.so.0
#3  0xb7bd4100 in apr_socket_recv () from /usr/lib/libapr-1.so.0
#4  0xb7f40042 in apr_dso_error () from /usr/lib/libaprutil-1.so.0
#5  0x08075103 in ap_core_input_filter ()
#6  0xb754ec33 in mgs_transport_read () from
/etc/httpd/extramodules/mod_gnutls.so
#7  0xb747f557 in apr_dso_error () from /usr/lib/libgnutls.so.26
#8  0xb747fa37 in _gnutls_io_read_buffered () from /usr/lib/libgnutls.so.26
#9  0xb747cabb in _gnutls_recv_int () from /usr/lib/libgnutls.so.26
#10 0xb747ffa6 in _gnutls_handshake_io_recv_int () from
/usr/lib/libgnutls.so.26
#11 0xb7484ab4 in _gnutls_recv_handshake () from /usr/lib/libgnutls.so.26
#12 0xb7485bd4 in _gnutls_handshake_server () from /usr/lib/libgnutls.so.26
#13 0xb74860ff in gnutls_handshake () from /usr/lib/libgnutls.so.26
#14 0xb754ed9b in apr_dso_error () from
/etc/httpd/extramodules/mod_gnutls.so
#15 0xb754f238 in mgs_filter_output () from
/etc/httpd/extramodules/mod_gnutls.so
#16 0xb79b9cdc in apr_dso_error () from /etc/httpd/modules/mod_proxy_http.so
#17 0xb79bbbee in apr_dso_error () from /etc/httpd/modules/mod_proxy_http.so
#18 0xb79c2413 in proxy_run_scheme_handler () from
/etc/httpd/modules/mod_proxy.so
#19 0xb79c6028 in apr_dso_error () from /etc/httpd/modules/mod_proxy.so
#20 0x080756a6 in ap_run_handler ()
#21 0x08078b97 in ap_invoke_handler ()
#22 0x08083d40 in ap_process_request ()
#23 0x0808111a in ?? ()
#24 0x0807ccb6 in ap_run_process_connection ()
#25 0x08087e41 in ?? ()
#26 0x080881b8 in ?? ()
#27 0x08088274 in ?? ()
#28 0x08088e50 in ap_mpm_run ()
#29 0x08062d02 in main ()


-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62



Re: [users@httpd] Trouble using mod_proxy with mod_gnutls

Posted by Guillaume Rousse <Gu...@inria.fr>.
Guillaume Rousse wrote:
> Hello list.
> 
> With the following configuration, mod_proxy works perfectly in the
> non-ssl vhost, but not in the ssl one. The client hangs a long
> time for an answer, which finally comes as a "Site error" message, with a
> "404 858" error status in the logs. The waiting time before the error
> occurs is longer than the mod_proxy timeout configuration.
I forgot: this is happening under Linux, with apache 2.2.3 and 2.2.6.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
