Bug 1029787 - proxy setup not working with mod_ssl
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Migration_Planning_Guide
7.0
Unspecified Unspecified
high Severity unspecified
: rc
Assigned To: Laura Bailey
ecs-bugs
: Documentation, Reopened
Reported: 2013-11-13 03:33 EST by Kaleem
Modified: 2015-03-09 08:11 EDT
Doc Type: Bug Fix
Last Closed: 2015-03-09 08:11:39 EDT
Type: Bug
Attachments
config and log files (20.00 KB, application/x-tar)
2013-11-13 03:33 EST, Kaleem
Description Kaleem 2013-11-13 03:33:59 EST
Created attachment 823291
config and log files

Description of problem:
I added a proxy setup for mod_ssl and it does not seem to be working.

Version-Release number of selected component (if applicable):
[root@rhel70-modnss ~]# rpm -q mod_ssl httpd
mod_ssl-2.4.6-7.el7.x86_64
httpd-2.4.6-7.el7.x86_64
[root@rhel70-modnss ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install the mod_ssl component and configure a proxy for it.

Actual results:
proxy setup does not work

[root@rhel70-modnss ~]# curl https://localhost:443/ -k
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
</body></html>
[root@rhel70-modnss ~]#

Expected results:
proxy setup should work.

Additional info:
(1) Please find the attached ssl and ssl_proxy config files. Also, ssl_proxy_log has been attached.

(2) The ssl configuration is working.
 
[root@rhel70-modnss ~]# curl https://localhost:10443/ -k
<html>
<body>
<b>
<font size="+5">Using '<font color="blue">mod_ssl</font>' . . .</font>
</b>
</body>
</html>
[root@rhel70-modnss ~]#

(3) The same setup is working fine on RHEL-6.5
Comment 2 Joe Orton 2013-11-13 04:18:37 EST
This is probably the relevant error:

[Wed Nov 13 13:50:10.048409 2013] [ssl:info] [pid 27219] [remote ::1:10443] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost

Either set "SSLProxyVerify off" or use SSLProxyMachineCertificateFile to trust the CA which signs the backend server's certificate.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyverify
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile

Please let us know if that doesn't work.
Comment 3 Kaleem 2013-11-13 06:17:33 EST
I did try the above parameters, which did not work.

But when I changed the "localhost" string to "hostname of machine" in ssl_proxy.conf, it works now.

ssl_proxy.conf with "localhost" worked on RHEL-6.5 but is not working on RHEL-7.0.

I think this behaviour change for ssl_proxy.conf should be documented.
Comment 4 Joe Orton 2013-11-13 07:49:01 EST
Sorry... it is "SSLProxyCheckPeerName on" which should fix this, my mistake.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

Yes it should go into the migration guide.
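
Added example (not part of the bug report and not mod_ssl code): a small audit that compares the host name in each https:// ProxyPass target with the names in the backend certificate, which is the comparison behind the AH02411 message and the "localhost" versus machine-hostname result reported above. The ssl_proxy.conf text, the certificate and its FQDN are constructed; the matching rule follows the SSLProxyCheckPeerName documentation linked above and is an assumption about mod_ssl's behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for ssl_proxy.conf (the real file is only in the attachment).
SSL_PROXY_CONF = """\
SSLProxyEngine on
ProxyPass        / https://localhost:10443/
ProxyPassReverse / https://localhost:10443/
"""

# Constructed backend certificate in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the FQDN is a placeholder, not from the report.
BACKEND_CERT = {
    "subject": ((("commonName", "rhel70-modnss.example.test"),),),
    "subjectAltName": (("DNS", "rhel70-modnss.example.test"),),
}

def cert_names(cert):
    """Collect every CN and every subjectAltName dNSName from the certificate."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def name_matches(pattern, host):
    """Exact match, or '*.suffix' against a host with the same number of labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 1:
        return p[1:] == h[1:]
    return p == h

def proxy_backend_hosts(conf_text):
    """Host names of https:// backends named in ProxyPass directives."""
    hosts = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*ProxyPass\s+\S+\s+(https://\S+)", line, re.IGNORECASE)
        if m:
            hosts.append(urlsplit(m.group(1)).hostname)
    return hosts

def audit(conf_text, cert):
    """Map each backend host name to True if the certificate covers it."""
    names = cert_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in proxy_backend_hosts(conf_text)}

if __name__ == "__main__":
    print(audit(SSL_PROXY_CONF, BACKEND_CERT))
```

A False entry marks a backend whose ProxyPass host name the certificate does not cover; on a real system the certificate dict would come from a verified TLS connection to the backend rather than from a literal.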
Comment 5 Jenny Galipeau 2013-11-13 10:21:16 EST
Reopening the bug and targeting Documentation
Comment 7 Laura Bailey 2014-05-06 21:01:02 EDT
This bug was not in the correct component and did not come to my attention until after work for RHEL 7.0 was already complete.

I've moved it to the correct component and added a flag to propose this change for the RHEL 7.1 documentation. Hopefully this is not too great an inconvenience.

Cheers,
Laura B
