Created attachment 823291
config and log files

Description of problem:
I added a proxy setup for mod_ssl and it does not seem to be working.

Version-Release number of selected component (if applicable):
[root@rhel70-modnss ~]# rpm -q mod_ssl httpd
mod_ssl-2.4.6-7.el7.x86_64
httpd-2.4.6-7.el7.x86_64
[root@rhel70-modnss ~]#

How reproducible:
Always

Steps to Reproduce:
1. Install the mod_ssl component and configure a proxy for it.

Actual results:
The proxy setup does not work.
[root@rhel70-modnss ~]# curl https://localhost:443/ -k
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Proxy Error</title>
</head><body>
<h1>Proxy Error</h1>
The proxy server could not handle the request <em><a href="/">GET /</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
</body></html>
[root@rhel70-modnss ~]#

Expected results:
The proxy setup should work.

Additional info:
(1) Please find the attached ssl and ssl_proxy config files. The ssl_proxy_log has also been attached.
(2) The ssl configuration is working.
[root@rhel70-modnss ~]# curl https://localhost:10443/ -k
<html>
<body>
<b>
<font size="+5">Using '<font color="blue">mod_ssl</font>' . . .</font>
</b>
</body>
</html>
[root@rhel70-modnss ~]#
(3) The same setup is working fine on RHEL-6.5.
This is probably the relevant error:

[Wed Nov 13 13:50:10.048409 2013] [ssl:info] [pid 27219] [remote ::1:10443] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost

Either set "SSLProxyVerify off" or use SSLProxyMachineCertificateFile to trust the CA which signs the backend server's certificate.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyverify
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxymachinecertificatefile

Please let us know if that doesn't work.
I did try the above parameters, which did not work. But when I changed the "localhost" string to the "hostname of machine" in ssl_proxy.conf, it works now.

ssl_proxy.conf with "localhost" worked on RHEL-6.5 but is not working on RHEL-7.0. I think this behaviour change for ssl_proxy.conf should be documented.
Sorry... it is "SSLProxyCheckPeerName on" which should fix this, my mistake.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

Yes it should go into the migration guide.
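The name comparison that AH02411 reports, as an added sketch (not part of the bug report and not mod_ssl's own code) that audits https ProxyPass targets against the names in a backend certificate. It assumes the wildcard rule given in the mod_ssl 2.4 documentation for SSLProxyCheckPeerName; the sample configuration and the certificate name rhel70-modnss.example.com are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for ssl_proxy.conf (the real file is only an attachment).
SAMPLE_CONF = """
SSLProxyEngine on
ProxyPass / https://localhost:10443/
ProxyPassReverse / https://localhost:10443/
"""
# Constructed certificate names: no subjectAltName, one subject CN (assumption).
SAMPLE_SAN = []
SAMPLE_CN = ["rhel70-modnss.example.com"]

# First https URL of each ProxyPass / ProxyPassMatch line (not ProxyPassReverse).
PROXY_RE = re.compile(r"^\s*ProxyPass(?:Match)?\s+\S+\s+(https://\S+)", re.I | re.M)


def name_matches(cert_name, host):
    """Compare one certificate name with the backend host name.

    A name starting with "*." matches a host with the same number of labels
    and the same suffix; any other name must be equal, ignoring case.
    """
    c = cert_name.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if c.startswith("*."):
        c_labels, h_labels = c.split("."), h.split(".")
        return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]
    return c == h


def peer_name_ok(host, san_dns, cns):
    """True if any subjectAltName dNSName or subject CN matches the host."""
    return any(name_matches(n, host) for n in list(san_dns) + list(cns))


def audit(conf_text, san_dns, cns):
    """Return [(backend_host, matches_certificate)] for each https ProxyPass."""
    results = []
    for url in PROXY_RE.findall(conf_text):
        host = urlsplit(url).hostname
        results.append((host, peer_name_ok(host, san_dns, cns)))
    return results


if __name__ == "__main__":
    for host, ok in audit(SAMPLE_CONF, SAMPLE_SAN, SAMPLE_CN):
        print(f"{host}: {'matches' if ok else 'does NOT match'} the backend certificate")
```

A backend reported as not matching is one where the ProxyPass URL should use a name that appears in the certificate, as the reporter did by replacing "localhost" with the machine hostname.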
Reopening the bug and targeting Documentation.
This bug was not in the correct component and did not come to my attention until after work for RHEL 7.0 was already complete. I've moved it to the correct component and added a flag to propose this change for the RHEL 7.1 documentation. Hopefully this is not too great an inconvenience. Cheers, Laura B