Andy,

What do you see in error logs and proxy logs when you try to bring up the
web server?



On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.pr...@gmail.com> wrote:

>
> Hello Igor, and many thanks for your comment!
>
> I have followed your advice, but now the server refuses to start at all.
>
> So now I have in httpd.conf:
>
> ------------------------------------------------
> NameVirtualHost *:80
>
> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      ServerAlias appserver1.example.com appserver2.example.com
>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend
>      ProxyPassReverse / http://appserver1.backend
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend
>      ProxyPassReverse / http://appserver2.backend
> </VirtualHost>
>
> ------------------------------------------------------------------------
>
> And these uncommented lines in ssl.conf:
>
> -----------------------------------------------------------------------
>
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
> SSLPassPhraseDialog  builtin
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> <VirtualHost _default_:443>
> ServerName apachefrontend.example.com:443
>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
>
> <Directory "/var/www/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
>
> -----------------------------------------------------------------------------------
>
> [root@www conf]# apachectl -S
>
> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
> loaded, skipping
> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> _default_:8443         apachefrontend.example.com
> (/etc/httpd/conf.d/nss.conf:84)
> _default_:443          apachefrontend.example.com
> (/etc/httpd/conf.d/ssl.conf:74)
> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
> *:80                   is a NameVirtualHost
>          default server apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>          port 80 namevhost apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>                  alias appserver1.example.com
>                  alias appserver2.example.com
> Syntax OK
>
> .. and the server refuses to start at all..
>
> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
> names with ServerName does not help me to get rid of the overlap on 443.
> At most, I am receiving the missing SSL support errors for the backend
> servers (and I cannot add SSL support for them, they have to remain plain
> HTTP)..
>
> If you have any further ideas on what to try, please let me know.
>
> Thanks again and best regards - Andy.
>
>
>
> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icici...@gmail.com> wrote:
>
>>
>> On 08/03/2015 10:01 AM, "A M" <amm.pr...@gmail.com> wrote:
>> >
>> >
>> > Hello experts,
>> >
>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>> > for a couple of plain backend HTTP servers sitting on a backend private
>> > network. The platform is Centos 6, the Apache rpm is
>> httpd-2.2.15-39.el6.centos.
>> >
>> > I first created three DNS entries, all pointing to the same public IP:
>> >
>> >          apachefrontend.example.com
>> >          appserver1.example.com
>> >          appserver2.example.com
>> >
>> > I then generated the SSL cert and key for the frontend host and
>> verified that
>> > SSL config was correct (all settings and key/cert were defined inside
>> the file
>> > /etc/httpd/conf.d/ssl.conf). The URL "
>> https://apachefrontend.example.com";
>> > replied OK.
>> >
>> > I have then set up a forced redirection to port 443 on the mother
>> > server and defined two virtual hosts, in this manner:
>> >
>> > ..
>> > NameVirtualHost *:80
>> >
>>
>> First change this:
>>
>> > <VirtualHost *:80>
>> >      ServerName apachefrontend.example.com
>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>> > </VirtualHost>
>> >
>>
>> to:
>>
>> <VirtualHost *:80>
>>      ServerName apachefrontend.example.com
>>        ServerAlias appserver1.example.com appserver2.example.com
>>
>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> Then get rid of these two:
>>
>> > <VirtualHost *:80>
>> >      ServerName appserver1.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver1.backend/
>> >      ProxyPassReverse / http://appserver1.backend/
>> > </VirtualHost>
>> >
>> > <VirtualHost *:80>
>> >      ServerName appserver2.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver2.backend/
>> >      ProxyPassReverse / http://appserver2.backend/
>> > </VirtualHost>
>> > ..
>>
>> More specifically, convert them to SSL vhosts:
>>
>> <VirtualHost *:443>
>>      ServerName appserver1.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver1.backend/
>>      ProxyPassReverse / http://appserver1.backend/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver2.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver2.backend/
>>      ProxyPassReverse / http://appserver2.backend/
>> </VirtualHost>
>>
>> which will effectively do what you want which is terminate ssl on the
>> frontend.
>>
>> > Now,
>> >
>> > - If I go to "http://apachefrontend.example.com", I am
>> > correctly ending up at "https://apachefrontend.example.com";
>> >
>> > - If I go to "http://appserver1[2].example.com", I arrive at
>> > the backend servers all right, but only via the port 80.
>> >
>> > This behaviour is apparently correct, but so far I have not found
>> > the right configuration options needed to enforce the secure
>> > connection to the backend servers via the reverse proxy (I may
>> > not enable SSL on the backend servers as they are running some
>> > privately managed applications and cannot be tweaked).
>> >
>> > Could someone kindly post an example of working configuration
>> > of the same type?
>> >
>> > Thanks ahead for any advice!
>> >
>> > Andy.
>> >
>> >
>> >
>>
>
>
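For reference, here is an added example (not configuration posted by Andy, Igor or anyone else in this thread) of the complete Apache 2.2 layout the thread is working towards: TLS terminated on the frontend, name-based vhosts on port 443, plain HTTP from the proxy to the two backends on the private network. It assumes a single certificate and key at the hypothetical paths /etc/pki/tls/certs/frontend.crt and /etc/pki/tls/private/frontend.key covering all three public names (for example via subjectAltName), that this file replaces the `<VirtualHost _default_:443>` block in ssl.conf rather than sitting beside it, that mod_rewrite, mod_proxy_http and mod_headers are loaded (the `apachectl -S` output above shows headers_module is), and that the mod_nss listener in nss.conf on 8443 is left alone. The port-80 redirect uses mod_rewrite instead of RedirectMatch because `%{HTTP_HOST}` is a mod_rewrite variable and is guaranteed to expand there on 2.2.

```apache
# Added example, not posted by anyone in the thread. Assumed (hypothetical) paths:
#   /etc/pki/tls/certs/frontend.crt    certificate covering all three public names
#   /etc/pki/tls/private/frontend.key  its private key
# Intended to replace the <VirtualHost _default_:443> block in ssl.conf; the
# proxy vhosts may live here or in httpd.conf, but no other :443 vhost may be
# defined anywhere else (the mod_nss listener on 8443 is unaffected).

LoadModule ssl_module modules/mod_ssl.so
Listen 443

# Process-wide mod_ssl settings, as in the stock CentOS 6 ssl.conf.
SSLPassPhraseDialog     builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex                default
SSLRandomSeed startup   file:/dev/urandom 256
SSLRandomSeed connect   builtin

# Apache 2.2 treats <VirtualHost *:443> as IP-based unless the port is declared
# name-based. Without this line every :443 block claims the same address and
# apachectl -S reports "_default_ VirtualHost overlap on port 443".
NameVirtualHost *:80
NameVirtualHost *:443

# Port 80 only redirects; nothing is proxied in the clear. mod_rewrite keeps the
# hostname the client asked for, so appserver1 stays appserver1 after redirect.
<VirtualHost *:80>
    ServerName  apachefrontend.example.com
    ServerAlias appserver1.example.com appserver2.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</VirtualHost>

# The first :443 vhost is also what clients without SNI get, which is why one
# certificate covering every name is used throughout.
<VirtualHost *:443>
    ServerName   apachefrontend.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/pki/tls/certs/frontend.crt
    SSLCertificateKeyFile /etc/pki/tls/private/frontend.key
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Each proxied name is its own SSL-aware vhost. The certificate belongs to the
# frontend, so the TLS directives live here; the backends stay plain HTTP.
<VirtualHost *:443>
    ServerName appserver1.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/pki/tls/certs/frontend.crt
    SSLCertificateKeyFile /etc/pki/tls/private/frontend.key
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Reverse proxy only: Off prevents this vhost acting as an open forward proxy.
    ProxyRequests Off
    # The proxy-to-backend hop is cleartext; tell the application the client
    # actually arrived over TLS so it generates https:// links and secure cookies.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
    ServerName appserver2.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/pki/tls/certs/frontend.crt
    SSLCertificateKeyFile /etc/pki/tls/private/frontend.key
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
</VirtualHost>
```

Run `apachectl configtest` and then `apachectl -S` before restarting: the expected listing is `*:443 is a NameVirtualHost` with the three names beneath it and no overlap warning. Two design points differ from the snippets in the thread on purpose. The cipher string drops `RC4` and `+LOW`, which the stock CentOS line above still admits; SSLv2 and SSLv3 are disabled exactly as in Andy's ssl.conf. And because the backends are reached in cleartext, they should only honour `X-Forwarded-Proto` (and any `X-Forwarded-For` the proxy adds) when the request comes from the proxy's own address, otherwise a host on the private network could forge those headers.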