Posted to users@httpd.apache.org by Santosh Kondapuram <SK...@vitechinc.com.INVALID> on 2019/09/13 23:13:38 UTC

[users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Can you try adding the following Apache directive setting it to none:  SSLProxyVerify none

Thanks,
Santosh.

-----Original Message-----
From: Antony Stone <An...@apache.open.source.it> 
Sent: Friday, September 13, 2019 6:15 PM
To: users@httpd.apache.org
Subject: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Hi.

I am trying to set up reverse proxy load balancing using Apache.

I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html

What I want to achieve is:

HTTPS connection to my load balancer (which has an appropriate SSL certificate for its own URL) forwarding requests on to (currently two) HTTPS back-end servers (each of which also has an appropriate SSL certificate for its distinct URL).

I can get things working fine if I use HTTP for the "proxy to backend"
connection.

As soon as I use HTTPS, I get "All workers are in error state".

Here is my (sanitised) configuration:

--------
ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

<Proxy balancer://url.mydomain.net>
    BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    ProxySet lbmethod=bytraffic
</Proxy>

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
--------


What happens is that every 10 seconds I get the following entries in
/var/log/apache2/error.log:

[Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
[Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)

Plus the same thing for second.server.net

Now, I can see the "Hint: SSLProxyEngine", but I already have that in my VirtualHost definition, so I don't know what this hint is trying to hint at.

What I also do not understand is the "SSL Proxy requested for my.local.host.name:80" part.  I have completely disabled port 80 on this machine.  Apache is not listening on port 80, I do not need to use standard HTTP, and a packet capture shows that nothing is being sent to, or received on, port 80, anywhere.


If I change the BalancerMember URLs to use HTTP instead of HTTPS, the backend workers become available and I can proxy requests to them, but this is not how the eventual system is required to work.  I have to point at HTTPS-only backend servers.


So, what am I doing wrong, and/or what do I need to change in order to get BalancerMembers using HTTPS to become available for use?


Happy to supply any further details needed if people ask.


Thanks,


Antony.

--
All generalisations are inaccurate.

                                                   Please reply to the list;
                                                         please *don't* CC me.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


This e-mail message and any files transmitted with it may contain confidential and proprietary information and are intended solely for the use of the individual or entity to which they are addressed. Any unauthorized review, use, disclosure or distribution is strictly prohibited. If you have received this e-mail in error please notify the sender by reply email and destroy all copies of the original message. Thank you for your cooperation.



Re: [users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Posted by Antony Stone <An...@apache.open.source.it>.
On Saturday 14 September 2019 at 01:13:38, Santosh Kondapuram wrote:

> Can you try adding the following Apache directive setting it to none: 
> SSLProxyVerify none

No, I'm not trying to reduce the security of the system, and all certificates 
are real, so they do verify correctly.


Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

                                                   Please reply to the list;
                                                         please *don't* CC me.
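The "SSLProxyVerify none" suggestion, put in context with an added configuration example (this is not from the thread and not the poster's file): none is already mod_ssl's default for SSLProxyVerify, so adding it changes nothing about the AH01961/AH00961 errors, which are about the context in which SSLProxyEngine is set, not about certificate checking. What it does spell out is the weak posture: the proxy-to-backend TLS session is encrypted, but the backend is never authenticated, so anything that can intercept that connection can present any certificate and the proxy will talk to it. The fragment below shows that setting beside the directives that actually verify the backends. The CA bundle path is an assumption, and the SSLProxyProtocol line assumes the backends speak TLS 1.2.

```apache
# Added example, not part of the original thread. Paths are assumptions.

# --- Weak: what "SSLProxyVerify none" gives you, and what you already get
# when SSLProxyVerify is not set at all. The backend certificate chain is
# not validated, so the proxy-to-backend leg is encrypted but unauthenticated.
#
#   SSLProxyEngine On
#   SSLProxyVerify none

# --- Hardened: authenticate the backends on the proxy-to-backend leg.
SSLProxyEngine On

# CA(s) the backend certificates must chain to. For backends with public-CA
# certificates, point this at the distribution bundle instead
# (e.g. /etc/ssl/certs/ca-certificates.crt on Debian; assumed layout).
SSLProxyCACertificateFile /etc/ssl/backend-ca.pem   # assumed path
SSLProxyVerify require
SSLProxyVerifyDepth 3

# Match the hostname in the BalancerMember URL (first.server.net etc.) against
# the certificate's subjectAltName/CN, and reject expired certificates. Both
# default to on; they are stated here so they are not silently relaxed
# elsewhere, and they only do useful work once the chain itself is verified,
# hence the "require" above.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Constrain the backend leg the same way the front door is constrained
# (assumes the backends support TLS 1.2).
SSLProxyProtocol -all +TLSv1.2
SSLProxyCipherSuite HIGH:!aNULL:!MD5
```

With "require" in place the mod_proxy_hcheck probes are subject to the same verification, so a backend whose certificate does not chain to the configured CA, or whose name does not match its BalancerMember URL, drops out of the pool instead of silently receiving traffic. That is the behaviour you want from a load balancer that is supposed to be the only thing talking to those backends.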



Re: [users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Posted by Daniel Ferradal <df...@apache.org>.
My bad, I really meant, put the directive in the same context the
proxy were made, since you clearly painted outside of virtualhost it
should be server config. Glad you figured it out.

On Sat, 14 Sep 2019 at 11:03, Antony Stone
(<An...@apache.open.source.it>) wrote:
>
> On Saturday 14 September 2019 at 10:45:34, Antony Stone wrote:
>
> > On Saturday 14 September 2019 at 02:10:26, Daniel Ferradal wrote:
> > > Sslproxyengine on must be defined where the balancer is defined due to
> > > its members being ssl, try that or move the balancer definition inside
> > > the virtual host.
> >
> > Putting "SSLProxyEngine On" in the Balancer definition gives
> > "SSLProxyEngine not allowed here".
>
> I just found
> https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine which
> says the directive is valid in server config, virtual host, and proxy section,
> but that "The proxy section context is allowed in httpd 2.4.30 and later".
>
> I have 2.4.25.
>
> So, I tried SSLProxyEngine On at the server config level instead, and it now
> appears to be working :)
>
> So, thanks for the pointer / suggestion - it got me to a better place than I
> was :)
>
>
> Antony.
>

-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode



Re: [users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Posted by Antony Stone <An...@apache.open.source.it>.
On Saturday 14 September 2019 at 10:45:34, Antony Stone wrote:

> On Saturday 14 September 2019 at 02:10:26, Daniel Ferradal wrote:
> > Sslproxyengine on must be defined where the balancer is defined due to
> > its members being ssl, try that or move the balancer definition inside
> > the virtual host.
> 
> Putting "SSLProxyEngine On" in the Balancer definition gives
> "SSLProxyEngine not allowed here".

I just found 
https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyengine which 
says the directive is valid in server config, virtual host, and proxy section, 
but that "The proxy section context is allowed in httpd 2.4.30 and later".

I have 2.4.25.

So, I tried SSLProxyEngine On at the server config level instead, and it now 
appears to be working :)

So, thanks for the pointer / suggestion - it got me to a better place than I 
was :)


Antony.

-- 
A user interface is like a joke.
If you have to explain it, it means it doesn't work.

                                                   Please reply to the list;
                                                         please *don't* CC me.
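The fix described above, as an added configuration example (not the poster's own file; the CA path is an assumption). mod_proxy_hcheck runs its probes from a watchdog, using the server the balancer is attached to, so a balancer declared outside any VirtualHost is health-checked with the main server's mod_ssl settings, not with the VirtualHost's. That is also what the puzzling "my.local.host.name:80" in AH01961 is: mod_ssl's own identifier for the main server (ServerName plus the default port 80 when SSLEngine is off there), not a destination on the wire. On httpd 2.4.25 SSLProxyEngine therefore has to be on in the server config; from 2.4.30 the SSLProxy* directives are also accepted inside the <Proxy balancer://...> section, which scopes them to that balancer's members.

```apache
# Added example, not part of the original thread. CA path is an assumption.

# Server (global) context. The health checks for a balancer declared here run
# with this context's mod_ssl settings, so the SSL client must be enabled here.
# This is the placement that made the 2.4.25 setup work.
SSLProxyEngine On

# Keep backend verification at the same level so the health-check probes and
# the proxied requests share it.
SSLProxyCACertificateFile /etc/ssl/backend-ca.pem   # assumed path
SSLProxyVerify require

ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

<Proxy balancer://url.mydomain.net>
    # httpd 2.4.30 and later also accept the SSLProxy* directives in this
    # proxy section. On 2.4.25 uncommenting them fails the config test with
    # "SSLProxyEngine not allowed here", as seen in this thread.
    # SSLProxyEngine On
    # SSLProxyVerify require
    BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
    ProxySet lbmethod=bytraffic
</Proxy>

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    # SSLProxyEngine On here only covers requests proxied from this
    # VirtualHost; it does not reach the watchdog's health checks.
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
```

After "apachectl configtest" passes and the service restarts, the AH01961/AH00961 pairs should stop appearing every hcinterval seconds and the members should leave the error state; if they do not, the next thing to look at is the verification directives, since "require" now applies to the probes as well.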



Re: [users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Posted by Antony Stone <An...@apache.open.source.it>.
On Saturday 14 September 2019 at 02:10:26, Daniel Ferradal wrote:

> Sslproxyengine on must be defined where the balancer is defined due to its
> members being ssl, try that or move the balancer definition inside the
> virtual host.

Putting "SSLProxyEngine On" in the Balancer definition gives "SSLProxyEngine 
not allowed here".

Putting the Balancer definition inside the VirtualHost in fact results in a 
segmentation fault.  I assume you meant:

--------
<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/url.mydomain.net.crt
    <Proxy balancer://url.mydomain.net>
        BalancerMember https://first.server.net route=first.server.net 
hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
        BalancerMember https://second.server.net route=second.server.net 
hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
        ProxySet lbmethod=bytraffic
    </Proxy>
    SSLCertificateKeyFile /etc/url.mydomain.net.key
    ProxyPass / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
--------

That gives me:

# /etc/init.d/apache2 restart
[FAIL] Restarting Apache httpd web server: apache2 failed!
[warn] The apache2 configtest failed. ... (warning).
Output of config test was:
Segmentation fault
Action 'configtest' failed.
The Apache error log may have more information.

and nothing in /var/log/apache2/error.log :(

(I also tried it with the Proxy Balancer stanza at the very top of the Virtual 
Host stanza, no difference).



Thanks for the help, but any other ideas?


Antony.

-- 
Anything that improbable is effectively impossible.

 - Murray Gell-Mann, Nobel Prizewinner in Physics

                                                   Please reply to the list;
                                                         please *don't* CC me.



Re: [users@httpd] RE: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing

Posted by Daniel Ferradal <df...@apache.org>.
Sslproxyengine on must be defined where the balancer is defined due to its
members being ssl, try that or move the balancer definition inside the
virtual host.

On Sat, 14 Sep 2019, 1:14, Santosh Kondapuram
<SK...@vitechinc.com.invalid> wrote:

> Can you try adding the following Apache directive setting it to none:
> SSLProxyVerify none
>
> Thanks,
> Santosh.