Bug 1029787

Summary: proxy setup not working with mod_ssl
Product: Red Hat Enterprise Linux 7
Reporter: Kaleem <ksiddiqu>
Component: doc-Migration_Planning_Guide
Assignee: Laura Bailey <lbailey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: high
Version: 7.0
CC: jgalipea, jorton, ksiddiqu, lmiksik, mharmsen, nsoman, rcritten
Target Milestone: rc
Keywords: Documentation, Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-03-09 12:11:39 UTC
Type: Bug
Attachments: config and log files (flags: none)

Description Kaleem 2013-11-13 08:33:59 UTC
Created attachment 823291
config and log files

Description of problem:
I added a proxy setup for mod_ssl and it does not seem to be working.

Version-Release number of selected component (if applicable):
[root@rhel70-modnss ~]# rpm -q mod_ssl httpd
mod_ssl-2.4.6-7.el7.x86_64
httpd-2.4.6-7.el7.x86_64
[root@rhel70-modnss ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install the mod_ssl component and configure a proxy for it.

Actual results:
Proxy setup does not work.

[root@rhel70-modnss ~]# curl https://localhost:443/ -k
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
</body></html>
[root@rhel70-modnss ~]#

Expected results:
proxy setup should work.

Additional info:
(1) Please find the attached ssl and ssl_proxy config files. The ssl_proxy_log has also been attached.

(2) The ssl configuration is working.

[root@rhel70-modnss ~]# curl https://localhost:10443/ -k
<html>
<body>
<b>
<font size="+5">Using '<font color="blue">mod_ssl</font>' . . .</font>
</b>
</body>
</html>
[root@rhel70-modnss ~]#

(3) The same setup is working fine on RHEL-6.5.

Comment 2 Joe Orton 2013-11-13 09:18:37 UTC
This is probably the relevant error:

[Wed Nov 13 13:50:10.048409 2013] [ssl:info] [pid 27219] [remote ::1:10443] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost

Either set "SSLProxyVerify off" or use SSLProxyMachineCertificateFile to trust the CA which signs the backend server's certificate.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyverify
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile

Please let us know if that doesn't work.

Comment 3 Kaleem 2013-11-13 11:17:33 UTC
I did try the above parameters, which did not work.

But when I replaced the "localhost" string with the "hostname of machine" in ssl_proxy.conf, it works now.

ssl_proxy.conf with "localhost" worked on RHEL-6.5 but is not working on RHEL-7.0.

I think this behaviour change for ssl_proxy.conf should be documented.

Comment 4 Joe Orton 2013-11-13 12:49:01 UTC
Sorry... it is "SSLProxyCheckPeerName on" which should fix this, my mistake.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

Yes it should go into the migration guide.
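
An added example, not part of the bug thread or its attached config files: a reverse-proxy virtual host that keeps backend certificate verification on and avoids the AH02411 mismatch by proxying to a name the backend certificate carries, which is the change the reporter describes in comment 3. The hostname backend.example.com, the CA bundle path and the front-end certificate paths are assumptions; port 10443 is the backend port from the report.

```apache
# Added example; hostname and file paths are placeholders (assumptions).
<VirtualHost _default_:443>
    # Front-end TLS (placeholder certificate paths).
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/frontend.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/frontend.example.com.key

    # Enable TLS on the connection from the proxy to the backend.
    SSLProxyEngine on

    # Require a backend certificate that chains to this CA bundle.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt

    # Hostname check on the backend certificate. With it on, the host name
    # used in ProxyPass must appear in the certificate (subjectAltName or CN);
    # turning the name checks off would remove hostname verification of the
    # backend.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Mismatch case from the report: a "localhost" target while the backend
    # certificate does not name localhost (logged as AH02411).
    #ProxyPass        / https://localhost:10443/
    #ProxyPassReverse / https://localhost:10443/

    # Matching case: proxy to a name the certificate was issued for.
    ProxyPass        / https://backend.example.com:10443/
    ProxyPassReverse / https://backend.example.com:10443/
</VirtualHost>
```

After changing the file, `apachectl configtest` checks the syntax before httpd is reloaded.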

Comment 5 Jenny Severance 2013-11-13 15:21:16 UTC
Reopening the bug and targeting Documentation

Comment 7 Laura Bailey 2014-05-07 01:01:02 UTC
This bug was not in the correct component and did not come to my attention until after work for RHEL 7.0 was already complete.

I've moved it to the correct component and added a flag to propose this change for the RHEL 7.1 documentation. Hopefully this is not too great an inconvenience.

Cheers,
Laura B