Bug 1029787 - proxy setup not working with mod_ssl
Summary: proxy setup not working with mod_ssl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Migration_Planning_Guide
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Laura Bailey
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-11-13 08:33 UTC by Kaleem
Modified: 2019-03-06 00:59 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-09 12:11:39 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
config and log files (20.00 KB, application/x-tar)
2013-11-13 08:33 UTC, Kaleem

Description Kaleem 2013-11-13 08:33:59 UTC
Created attachment 823291 [details]
config and log files

Description of problem:
I added a proxy setup for mod_ssl and it does not seem to be working.

Version-Release number of selected component (if applicable):
[root@rhel70-modnss ~]# rpm -q mod_ssl httpd
mod_ssl-2.4.6-7.el7.x86_64
httpd-2.4.6-7.el7.x86_64
[root@rhel70-modnss ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install the mod_ssl component and configure a proxy for it.

Actual results:
proxy setup does not work

[root@rhel70-modnss ~]# curl https://localhost:443/ -k
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
</body></html>
[root@rhel70-modnss ~]#

Expected results:
proxy setup should work.

Additional info:
(1) Please find the attached ssl and ssl_proxy config files. Also, ssl_proxy_log has been attached.

(2) The ssl configuration is working.
 
[root@rhel70-modnss ~]# curl https://localhost:10443/ -k
<html>
<body>
<b>
<font size="+5">Using '<font color="blue">mod_ssl</font>' . . .</font>
</b>
</body>
</html>
[root@rhel70-modnss ~]#

(3) The same setup is working fine on RHEL-6.5

Comment 2 Joe Orton 2013-11-13 09:18:37 UTC
This is probably the relevant error:

[Wed Nov 13 13:50:10.048409 2013] [ssl:info] [pid 27219] [remote ::1:10443] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost

Either set "SSLProxyVerify off" or use SSLProxyMachineCertificateFile to trust the CA which signs the backend server's certificate.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyverify
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile

Please let us know if that doesn't work.

Comment 3 Kaleem 2013-11-13 11:17:33 UTC
I tried the above parameters, which did not work.

But when I changed the "localhost" string to the "hostname of machine" in ssl_proxy.conf, it works now.

ssl_proxy.conf with "localhost" worked on RHEL-6.5 but is not working on RHEL-7.0.

I think this behaviour change for ssl_proxy.conf should be documented.

Comment 4 Joe Orton 2013-11-13 12:49:01 UTC
Sorry... it is "SSLProxyCheckPeerName on" which should fix this, my mistake.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

Yes it should go into the migration guide.
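
The name check behind the AH02411 message, as an added example that is not part of the original bug report or of httpd: a pre-migration audit that lists the `https://` backends named in `ProxyPass` lines and tests each host against the backend certificate's names. The config text, the `example.test` domain and the certificate names are constructed, and the matching is a simplified model of the rule documented for SSLProxyCheckPeerName (subjectAltName dNSName or CN, `*.` matching one leading label), not mod_ssl's code.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the report: front end on 443, backend on 10443.
SAMPLE_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLProxyEngine on
    # ProxyPass / https://old-backend.example.test:10443/
    ProxyPass        / https://localhost:10443/
    ProxyPassReverse / https://localhost:10443/
</VirtualHost>
"""

# Constructed names, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "rhel70-modnss.example.test"),),),
    "subjectAltName": (("DNS", "rhel70-modnss.example.test"),),
}

PROXYPASS = re.compile(r"ProxyPass(?:Match)?\s+(?:\S+\s+)?(https://\S+)", re.IGNORECASE)

def backend_hosts(conf_text):
    """Hosts of https:// backends in ProxyPass/ProxyPassMatch lines (comments skipped)."""
    hosts = []
    for line in conf_text.splitlines():
        line = line.strip()
        m = None if line.startswith("#") else PROXYPASS.match(line)
        host = urlsplit(m.group(1)).hostname if m else None
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def cert_names(cert):
    """All dNSName SAN entries plus every CN attribute of the subject."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or '*.' standing in for exactly one leading label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" and len(p) > 1 or p[0] == h[0])

def audit(conf_text, cert):
    """Map each proxied backend host to True if the certificate names cover it."""
    names = cert_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in backend_hosts(conf_text)}
```

A `False` entry marks a backend URL that should be rewritten to a name the certificate carries, which is the change that resolved this report.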

Comment 5 Jenny Severance 2013-11-13 15:21:16 UTC
Reopening the bug and targeting Documentation

Comment 7 Laura Bailey 2014-05-07 01:01:02 UTC
This bug was not in the correct component and did not come to my attention until after work for RHEL 7.0 was already complete.

I've moved it to the correct component and added a flag to propose this change for the RHEL 7.1 documentation. Hopefully this is not too great an inconvenience.

Cheers,
Laura B

