Hello Jeff, this is what happens:
[root@www httpd]# service httpd start
Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[FAILED]

And then there is only one line in the error log:

[Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

"apachectl configtest" gives me the same information as "apachectl -S".

Following the last advice of Igor, I assume that I'll have to generate two other certificates, one for appserver1.example.com, and another for appserver2.example.com, and then add a reference to them in the VirtualHost *443 definition for these two aliased servers.

Will try it later in the day..

Greetings - Andy.

On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <jeffmonte...@gmail.com> wrote:

> Andy,
>
> What do you see in error logs and proxy logs when you try to bring up the
> web server?
>
>
>
> On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.pr...@gmail.com> wrote:
>
>>
>> Hello Igor, and many thanks for your comment!
>>
>> I have followed your advice, but now the server refuses to start at all.
>>
>> So now I have in httpd.conf:
>>
>> ------------------------------------------------
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>> ServerName apachefrontend.example.com
>> ServerAlias appserver1.example.com appserver2.example.com
>> RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>> ServerName appserver1.example.com
>> ProxyRequests Off
>> ProxyPass / http://appserver1.backend
>> ProxyPassReverse / http://appserver1.backend
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>> ServerName appserver2.example.com
>> ProxyRequests Off
>> ProxyPass / http://appserver2.backend
>> ProxyPassReverse / http://appserver2.backend
>> </VirtualHost>
>>
>> ------------------------------------------------------------------------
>>
>> And these uncommented lines in ssl.conf:
>>
>> -----------------------------------------------------------------------
>>
>> LoadModule ssl_module modules/mod_ssl.so
>> Listen 443
>> SSLPassPhraseDialog builtin
>> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
>> SSLSessionCacheTimeout 300
>> SSLMutex default
>> SSLRandomSeed startup file:/dev/urandom 256
>> SSLRandomSeed connect builtin
>> SSLCryptoDevice builtin
>>
>> <VirtualHost _default_:443>
>> ServerName apachefrontend.example.com:443
>>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> SSLOptions +StdEnvVars
>> </Files>
>>
>> <Directory "/var/www/cgi-bin">
>> SSLOptions +StdEnvVars
>> </Directory>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>> nokeepalive ssl-unclean-shutdown \
>> downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>> </VirtualHost>
>>
>>
>> -----------------------------------------------------------------------------------
>>
>> [root@www conf]# apachectl -S
>>
>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>> VirtualHost configuration:
>> wildcard NameVirtualHosts and _default_ servers:
>> _default_:8443 apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
>> _default_:443 apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
>> *:443 appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
>> *:443 appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
>> *:80 is a NameVirtualHost
>> default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>> port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>> alias appserver1.example.com
>> alias appserver2.example.com
>> Syntax OK
>>
>> .. and the server refuses to start at all..
>>
>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server names
>> with ServerName does not help me to get rid of the overlap on 443. At most, I
>> am receiving the missing SSL support errors for the backend servers (and I
>> cannot add SSL support for them, they have to remain plain HTTP)..
>>
>> If you have any further ideas on what to try, please let me know.
>>
>> Thanks again and best regards - Andy.
>>
>>
>>
>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icici...@gmail.com> wrote:
>>
>>>
>>> On 08/03/2015 10:01 AM, "A M" <amm.pr...@gmail.com> wrote:
>>> >
>>> >
>>> > Hello experts,
>>> >
>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>>> > for a couple of plain backend HTTP servers sitting on a backend private
>>> > network. The platform is Centos 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>>> >
>>> > I first created three DNS entries, all pointing to the same public IP:
>>> >
>>> > apachefrontend.example.com
>>> > appserver1.example.com
>>> > appserver2.example.com
>>> >
>>> > I then generated the SSL cert and key for the frontend host and verified that
>>> > SSL config was correct (all settings and key/cert were defined inside the file
>>> > /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
>>> > replied OK.
>>> >
>>> > I have then set up a forced redirection to port 443 on the mother
>>> > server and defined two virtual hosts, in this manner:
>>> >
>>> > ..
>>> > NameVirtualHost *:80
>>> >
>>>
>>> First change this:
>>>
>>> > <VirtualHost *:80>
>>> > ServerName apachefrontend.example.com
>>> > RedirectMatch ^/(.*) https://apachefrontend.example.com/$1
>>> > </VirtualHost>
>>> >
>>>
>>> to:
>>>
>>> <VirtualHost *:80>
>>> ServerName apachefrontend.example.com
>>> ServerAlias appserver1.example.com appserver2.example.com
>>>
>>> RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>>> </VirtualHost>
>>>
>>> Then get rid of these two:
>>>
>>> > <VirtualHost *:80>
>>> > ServerName appserver1.example.com
>>> > ProxyRequests Off
>>> > ProxyPass / http://appserver1.backend/
>>> > ProxyPassReverse / http://appserver1.backend/
>>> > </VirtualHost>
>>> >
>>> > <VirtualHost *:80>
>>> > ServerName appserver2.example.com
>>> > ProxyRequests Off
>>> > ProxyPass / http://appserver2.backend/
>>> > ProxyPassReverse / http://appserver2.backend/
>>> > </VirtualHost>
>>> > ..
>>>
>>> More specifically, convert them to ssl vhosts:
>>>
>>> <VirtualHost *:443>
>>> ServerName appserver1.example.com
>>> ProxyRequests Off
>>> ProxyPass / http://appserver1.backend/
>>> ProxyPassReverse / http://appserver1.backend/
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>> ServerName appserver2.example.com
>>> ProxyRequests Off
>>> ProxyPass / http://appserver2.backend/
>>> ProxyPassReverse / http://appserver2.backend/
>>> </VirtualHost>
>>>
>>> which will effectively do what you want which is terminate ssl on the
>>> frontend.
>>>
>>> > Now,
>>> >
>>> > - If I go to "http://apachefrontend.example.com", I am
>>> > correctly ending up at "https://apachefrontend.example.com";
>>> >
>>> > - If I go to "http://appserver1[2].example.com", I arrive to
>>> > the backend servers all right, but only via the port 80.
>>> >
>>> > This behaviour is apparently correct, but so far I have not found
>>> > the right configuration options needed to enforce the secure
>>> > connection to the backend servers via the reverse proxy (I may
>>> > not enable SSL on the backend servers as they are running some
>>> > privately managed applications and cannot be tweaked).
>>> >
>>> > Could someone kindly post an example of working configuration
>>> > of the same type?
>>> >
>>> > Thanks ahead for any advice!
>>> >
>>> > Andy.
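
Added example, not part of the thread and not any poster's configuration. In the configuration quoted above, the two *:443 proxy vhosts carry no SSLEngine or certificate directives, no NameVirtualHost *:443 is declared, and the frontend sits in a separate _default_:443 block. One way to lay out TLS termination for all three names on Apache 2.2, assuming SNI support in the httpd/OpenSSL build and in clients; the certificate and key paths are placeholders:

```apache
# Added example (not from the thread). Certificate/key paths are placeholders.
# Assumes mod_ssl is loaded and "Listen 443" is set, as in the quoted ssl.conf.

# Name-based virtual hosting on 443 (Apache 2.2 syntax); relies on SNI.
NameVirtualHost *:443

# Listed first, so it is the default for *:443. Declared as *:443 rather than
# _default_:443 so that all three hosts belong to the same name-based set.
<VirtualHost *:443>
    ServerName apachefrontend.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER-frontend.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER-frontend.key
</VirtualHost>

# TLS ends at the proxy; the hop to the backend stays plain HTTP on the
# private network, so the backend applications are left untouched.
<VirtualHost *:443>
    ServerName appserver1.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER-appserver1.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER-appserver1.key
    ProxyRequests Off
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
    ServerName appserver2.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER-appserver2.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER-appserver2.key
    ProxyRequests Off
    ProxyPass        / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
</VirtualHost>
```

After a change like this, "apachectl -S" should list the three names as namevhosts under a single *:443 NameVirtualHost entry, with no overlap warnings for port 443.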