Thanks again, Igor.

Yesterday I did in fact post a summary; it is available at this URL:

http://mail-archives.apache.org/mod_mbox/httpd-users/201503.mbox/browser



On Mon, Mar 9, 2015 at 10:42 PM, Igor Cicimov <icici...@gmail.com> wrote:

>
> On 10/03/2015 4:13 AM, "A M" <amm.pr...@gmail.com> wrote:
> >
> >
> > Hello,
> >
> > thanks to the comments of Igor, I was able to overcome the HTTPS redirection
> > to the initial page of the right backend server, with one modification:
> >
> > Igor's recipe included advice on how to set up the correct VirtualHost blocks
> > using the wildcard *.example.com key/cert pair. This worked. He also suggested
> > using the following redirection method:
> >
> >
> > <VirtualHost *:80>
> >      ServerName apachefrontend.example.com
> >      ServerAlias appserver1.example.com appserver2.example.com
> >      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> > </VirtualHost>
> >
> > This did not work: when trying to reach the server, the request is
> > being redirected to https://%25{http_host}/..
> >
> > Instead, I have achieved the goal with the help of RewriteEngine:
> >
> > <VirtualHost *:80>
> > RewriteEngine On
> > RewriteCond %{HTTPS} off
> > RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> > </VirtualHost>
> >
> >
> > This change, together with the correct VirtualHost blocks, finally brought
> > me to the front page of the backend servers via HTTPS. However, when
> > trying to navigate inside them, I am being forwarded to:
> >
> >          http://appserverX.backend/Something
> >
> > instead of
> >
> >          https://apachefrontend.example.com/Something
> >
>
> That is correct. Now I suggest we stop here and you tell us what exactly
> you want to achieve. You need reverse proxy for multiple backend servers
> (domains) running different apps or you just need frontend load balancer
> for backend servers running same apps? Or you are just testing some
> scenarios and learning apache?
>
> > and the site becomes unusable. I assume that to conclude the rev. proxy
> > configuration task I have to add further rewrite rules. Could someone
> > comment on this? The current (working) httpd.conf is quoted below.
> >
> > Thanks ahead!
> >
> > Andy.
> >
> >
> > ....
> > # Proxy-related load pack
> > LoadModule headers_module    modules/mod_headers.so
> > LoadFile   /usr/lib64/libxml2.so
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule proxy_html_module modules/mod_proxy_html.so
> > LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
> > LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> > #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> > #LoadModule proxy_connect_module modules/mod_proxy_connect.so
> >
> > # General SSL options transferred from ssl.conf for better viewing
> > Listen 443
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> > SSLSessionCacheTimeout  300
> > SSLMutex default
> > SSLRandomSeed startup file:/dev/urandom  256
> > SSLRandomSeed connect builtin
> > SSLCryptoDevice builtin
> >
> > NameVirtualHost *:80
> > NameVirtualHost *:443
> >
> > # Decide which virtual host to address and enforce usage of port 443 on the right proxy host
> > <VirtualHost *:80>
> > RewriteEngine On
> > RewriteCond %{HTTPS} off
> > RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> > </VirtualHost>
> >
> >
> > # Our "Mother host", apachefrontend.example.com, is still available for hosting of some web site
> > <VirtualHost *:443>
> > ServerName apachefrontend.example.com
> >
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >     SSLOptions +StdEnvVars
> > </Files>
> > <Directory "/var/www/cgi-bin">
> >     SSLOptions +StdEnvVars
> > </Directory>
> > SetEnvIf User-Agent ".*MSIE.*" \
> >          nokeepalive ssl-unclean-shutdown \
> >          downgrade-1.0 force-response-1.0
> > CustomLog logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > </VirtualHost>
> >
> >
> > # Appserver 1
> >
> > <VirtualHost *:443>
> > ServerName appserver1.example.com
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >
> > ProxyRequests Off
> > ProxyPass / http://appserver1.backend/
> > ProxyPassReverse / http://appserver1.backend/
> >
> > </VirtualHost>
> >
> >
> > # Appserver 2
> >
> > <VirtualHost *:443>
> > ServerName appserver2.example.com
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >
> > ProxyRequests Off
> > ProxyPass / http://appserver2.backend/
> > ProxyPassReverse / http://appserver2.backend/
> >
> > </VirtualHost>
> >
> >
> > On Mon, Mar 9, 2015 at 10:55 AM, Igor Cicimov <icici...@gmail.com> wrote:
> >>
> >>
> >> On 09/03/2015 8:01 PM, "A M" <amm.pr...@gmail.com> wrote:
> >> >
> >> >
> >> > Hello Jeff,
> >> >
> >> > this is what happens:
> >> >
> >> > [root@www httpd]# service httpd start
> >> > Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded, skipping
> >> > [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
> >> > [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
> >> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> >> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> >> >                                                            [FAILED]
> >> >
> >>
> >> First, it looks like you have the same configuration included twice somewhere.
> >>
> >> > And then there is only one line in the error log:
> >> >
> >> > [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
> >> >
> >> > "apachectl configtest" gives me the same information as "apachectl -S".
> >> >
> >> > Following the last advice of Igor, I assume that I'll have to generate two other certificates,
> >> > one for appserver1.example.com and another for appserver2.example.com, and then
> >>
> >> Or use the same certificate if you were clever enough to generate a wildcard one, i.e. *.example.com, since you need to front multiple subdomains of the same domain ;-)
> >>
> >> > add a reference to them in the VirtualHost *:443 definition for these two aliased servers.
> >>
> >> Correct, also please refer to the ssl vhost section on the apache web site so you fully understand the subject. It's also recommended you make yourself familiar with SNI.
> >>
> >> > Will try it later in the day..
> >> >
> >> > Greetings - Andy.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <jeffmonte...@gmail.com> wrote:
> >> >>
> >> >> Andy,
> >> >>
> >> >> What do you see in error logs and proxy logs when you try to bring up the web server?
> >> >>
> >> >>
> >> >>
> >> >> On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.pr...@gmail.com> wrote:
> >> >>>
> >> >>>
> >> >>> Hello Igor, and many thanks for your comment!
> >> >>>
> >> >>> I have followed your advice, but now the server refuses to start at all.
> >> >>>
> >> >>> So now I have in httpd.conf:
> >> >>>
> >> >>> ------------------------------------------------
> >> >>> NameVirtualHost *:80
> >> >>>
> >> >>> <VirtualHost *:80>
> >> >>>      ServerName apachefrontend.example.com
> >> >>>      ServerAlias appserver1.example.com appserver2.example.com
> >> >>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> >> >>> </VirtualHost>
> >> >>>
> >> >>> <VirtualHost *:443>
> >> >>>      ServerName appserver1.example.com
> >> >>>      ProxyRequests Off
> >> >>>      ProxyPass / http://appserver1.backend
> >> >>>      ProxyPassReverse / http://appserver1.backend
> >> >>> </VirtualHost>
> >> >>>
> >> >>> <VirtualHost *:443>
> >> >>>      ServerName appserver2.example.com
> >> >>>      ProxyRequests Off
> >> >>>      ProxyPass / http://appserver2.backend
> >> >>>      ProxyPassReverse / http://appserver2.backend
> >> >>> </VirtualHost>
> >> >>>
> >> >>>
> >> >>> ------------------------------------------------------------------------
> >> >>>
> >> >>> And these uncommented lines in ssl.conf:
> >> >>>
> >> >>>
> >> >>> -----------------------------------------------------------------------
> >> >>>
> >> >>> LoadModule ssl_module modules/mod_ssl.so
> >> >>> Listen 443
> >> >>> SSLPassPhraseDialog  builtin
> >> >>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> >> >>> SSLSessionCacheTimeout  300
> >> >>> SSLMutex default
> >> >>> SSLRandomSeed startup file:/dev/urandom  256
> >> >>> SSLRandomSeed connect builtin
> >> >>> SSLCryptoDevice builtin
> >> >>>
> >> >>> <VirtualHost _default_:443>
> >> >>> ServerName apachefrontend.example.com:443
> >> >>>
> >> >>> ErrorLog logs/ssl_error_log
> >> >>> TransferLog logs/ssl_access_log
> >> >>> LogLevel warn
> >> >>>
> >> >>> SSLEngine on
> >> >>> SSLProtocol all -SSLv2 -SSLv3
> >> >>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> >> >>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> >> >>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >> >>>
> >> >>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >> >>>     SSLOptions +StdEnvVars
> >> >>> </Files>
> >> >>>
> >> >>> <Directory "/var/www/cgi-bin">
> >> >>>     SSLOptions +StdEnvVars
> >> >>> </Directory>
> >> >>>
> >> >>> SetEnvIf User-Agent ".*MSIE.*" \
> >> >>>          nokeepalive ssl-unclean-shutdown \
> >> >>>          downgrade-1.0 force-response-1.0
> >> >>>
> >> >>> CustomLog logs/ssl_request_log \
> >> >>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >> >>>
> >> >>> </VirtualHost>
> >> >>>
> >> >>>
> >> >>> -----------------------------------------------------------------------------------
> >> >>>
> >> >>> [root@www conf]# apachectl -S
> >> >>>
> >> >>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
> >> >>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
> >> >>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
> >> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> >> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> >> >>> VirtualHost configuration:
> >> >>> wildcard NameVirtualHosts and _default_ servers:
> >> >>> _default_:8443         apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
> >> >>> _default_:443          apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
> >> >>> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
> >> >>> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
> >> >>> *:80                   is a NameVirtualHost
> >> >>>          default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
> >> >>>          port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
> >> >>>                  alias appserver1.example.com
> >> >>>                  alias appserver2.example.com
> >> >>> Syntax OK
> >> >>>
> >> >>> .. and the server refuses to start at all..
> >> >>>
> >> >>> Playing with NameVirtualHost *:443 and/or explicitly specifying server names
> >> >>> with ServerName does not help me to get rid of the overlap on 443. At most, I
> >> >>> am receiving the missing SSL support errors for the backend servers (and I
> >> >>> cannot add SSL support for them, they have to remain plain HTTP)..
> >> >>>
> >> >>> If you have any further ideas on what to try, please let me know.
> >> >>>
> >> >>> Thanks again and best regards - Andy.
> >> >>>
> >> >>>
> >> >>>
> >> >>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icici...@gmail.com> wrote:
> >> >>>>
> >> >>>>
> >> >>>> On 08/03/2015 10:01 AM, "A M" <amm.pr...@gmail.com> wrote:
> >> >>>> >
> >> >>>> >
> >> >>>> > Hello experts,
> >> >>>> >
> >> >>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> >> >>>> > for a couple of plain backend HTTP servers sitting on a backend private
> >> >>>> > network. The platform is CentOS 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
> >> >>>> >
> >> >>>> > I first created three DNS entries, all pointing to the same public IP:
> >> >>>> >
> >> >>>> >          apachefrontend.example.com
> >> >>>> >          appserver1.example.com
> >> >>>> >          appserver2.example.com
> >> >>>> >
> >> >>>> > I then generated the SSL cert and key for the frontend host and verified that
> >> >>>> > SSL config was correct (all settings and key/cert were defined inside the file
> >> >>>> > /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
> >> >>>> > replied OK.
> >> >>>> >
> >> >>>> > I have then set up a forced redirection to port 443 on the mother
> >> >>>> > server and defined two virtual hosts, in this manner:
> >> >>>> >
> >> >>>> > ..
> >> >>>> > NameVirtualHost *:80
> >> >>>> >
> >> >>>>
> >> >>>> First change this:
> >> >>>>
> >> >>>> > <VirtualHost *:80>
> >> >>>> >      ServerName apachefrontend.example.com
> >> >>>> >      RedirectMatch ^/(.*) https://apachefrontend.example.com/$1
> >> >>>> > </VirtualHost>
> >> >>>> >
> >> >>>>
> >> >>>> to:
> >> >>>>
> >> >>>> <VirtualHost *:80>
> >> >>>>      ServerName apachefrontend.example.com
> >> >>>>        ServerAlias appserver1.example.com appserver2.example.com
> >> >>>>
> >> >>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
> >> >>>> </VirtualHost>
> >> >>>>
> >> >>>> Then get rid of these two:
> >> >>>>
> >> >>>> > <VirtualHost *:80>
> >> >>>> >      ServerName appserver1.example.com
> >> >>>> >      ProxyRequests Off
> >> >>>> >      ProxyPass / http://appserver1.backend/
> >> >>>> >      ProxyPassReverse / http://appserver1.backend/
> >> >>>> > </VirtualHost>
> >> >>>> >
> >> >>>> > <VirtualHost *:80>
> >> >>>> >      ServerName appserver2.example.com
> >> >>>> >      ProxyRequests Off
> >> >>>> >      ProxyPass / http://appserver2.backend/
> >> >>>> >      ProxyPassReverse / http://appserver2.backend/
> >> >>>> > </VirtualHost>
> >> >>>> > ..
> >> >>>>
> >> >>>> More specifically, convert them to ssl vhosts:
> >> >>>>
> >> >>>> <VirtualHost *:443>
> >> >>>>      ServerName appserver1.example.com
> >> >>>>      ProxyRequests Off
> >> >>>>      ProxyPass / http://appserver1.backend/
> >> >>>>      ProxyPassReverse / http://appserver1.backend/
> >> >>>> </VirtualHost>
> >> >>>>
> >> >>>> <VirtualHost *:443>
> >> >>>>      ServerName appserver2.example.com
> >> >>>>      ProxyRequests Off
> >> >>>>      ProxyPass / http://appserver2.backend/
> >> >>>>      ProxyPassReverse / http://appserver2.backend/
> >> >>>> </VirtualHost>
> >> >>>>
> >> >>>> which will effectively do what you want, which is terminate ssl on the frontend.
> >> >>>>
> >> >>>> > Now,
> >> >>>> >
> >> >>>> > - If I go to "http://apachefrontend.example.com", I am
> >> >>>> > correctly ending up at "https://apachefrontend.example.com";
> >> >>>> >
> >> >>>> > - If I go to "http://appserver1[2].example.com", I arrive at
> >> >>>> > the backend servers all right, but only via port 80.
> >> >>>> >
> >> >>>> > This behaviour is apparently correct, but so far I have not found
> >> >>>> > the right configuration options needed  to enforce the secure
> >> >>>> > connection to the backend servers via the reverse proxy (I may
> >> >>>> > not enable SSL on the backend servers as they are running some
> >> >>>> > privately managed applications and cannot be tweaked).
> >> >>>> >
> >> >>>> > Could someone kindly post an example of working configuration
> >> >>>> > of the same type?
> >> >>>> >
> >> >>>> > Thanks ahead for any advice!
> >> >>>> >
> >> >>>> > Andy.
> >> >>>> >
> >> >>>> >
> >> >>>> >
> >> >>>
> >> >>>
> >> >>
> >> >
> >
> >
>
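Added example (not from the thread, and not Andy's or Igor's configuration): a consolidated httpd 2.2 configuration for the setup discussed above, in which the frontend terminates TLS for all three names, the port 80 vhost only redirects, and the two application names are reverse-proxied to the plain-HTTP backends. The hostnames, backend names and log file names are the ones used in the thread; the wildcard certificate paths, the DocumentRoot, the X-Forwarded-Proto header, the Host whitelist in the redirect and the cipher string are assumptions made for this example.

```apache
# Added example, not the configuration posted in the thread: an httpd 2.2
# (CentOS 6) frontend that terminates TLS for three names and reverse-proxies
# two of them to plain-HTTP backends on a private network.
# Assumptions: a wildcard *.example.com certificate at the two paths below;
# the stock <VirtualHost _default_:443> in /etc/httpd/conf.d/ssl.conf has been
# commented out (otherwise it overlaps the *:443 vhosts here, which is the
# "_default_ VirtualHost overlap" warning in the thread); Listen 443 and the
# LoadModule lines for mod_ssl, mod_rewrite, mod_headers, mod_proxy and
# mod_proxy_http appear exactly once across httpd.conf and conf.d/*.conf.

Listen 443
NameVirtualHost *:80
NameVirtualHost *:443

# Port 80 exists only to redirect. Redirect/RedirectMatch in 2.2 do not expand
# %{HTTP_HOST} (expression support arrived in 2.4), hence mod_rewrite. The Host
# header is checked against the names this vhost serves before it is reflected
# into Location, so a client-supplied Host: cannot turn this into an open
# redirect; %1 is the whitelisted name that matched.
<VirtualHost *:80>
    ServerName apachefrontend.example.com
    ServerAlias appserver1.example.com appserver2.example.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^(apachefrontend|appserver1|appserver2)\.example\.com(:80)?$ [NC]
    RewriteRule ^/(.*)$ https://%1.example.com/$1 [R=301,L]
    # Any other Host value is sent to the canonical name instead of being echoed.
    RewriteRule ^/(.*)$ https://apachefrontend.example.com/$1 [R=301,L]
</VirtualHost>

# TLS settings inherited by every *:443 vhost below. One wildcard certificate
# covers all three names, so a client without SNI, which is handed the first
# *:443 vhost's certificate, still gets one valid for the name it asked for.
# RC4, LOW and MEDIUM are dropped relative to the stock cipher string in the thread.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!LOW:!EXPORT
SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key

# The frontend's own site stays on the canonical name.
<VirtualHost *:443>
    ServerName apachefrontend.example.com
    SSLEngine on
    DocumentRoot /var/www/html
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
</VirtualHost>

# Backend 1. ProxyPassReverse rewrites Location, Content-Location and URI
# response headers whose prefix string-matches one of its backend URLs: this is
# what turns "Location: http://appserver1.backend/Something" into
# "Location: https://appserver1.example.com/Something". With ProxyPreserveHost
# On the backend sees the public name, so the second ProxyPassReverse catches
# redirects built with that name and the http scheme. Neither touches HTML
# bodies: an application that honours X-Forwarded-Proto builds correct links
# itself; otherwise mod_proxy_html (loaded in the thread's config) can rewrite
# absolute backend URLs in the body.
<VirtualHost *:443>
    ServerName appserver1.example.com
    SSLEngine on
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
    # Reverse proxy only; never a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.example.com/
    ProxyPassReverseCookieDomain appserver1.backend appserver1.example.com
    # Optional, mod_proxy_html 3.x directives, only if body links still point
    # at the backend name after the above.
    #ProxyHTMLEnable On
    #ProxyHTMLURLMap http://appserver1.backend/ https://appserver1.example.com/
</VirtualHost>

# Backend 2, same pattern.
<VirtualHost *:443>
    ServerName appserver2.example.com
    SSLEngine on
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.example.com/
    ProxyPassReverseCookieDomain appserver2.backend appserver2.example.com
</VirtualHost>
```

To check it: "apachectl -S" should list exactly one _default_ or none on port 443 and the three *:443 namevhosts, "curl -sI http://appserver1.example.com/" should answer with "Location: https://appserver1.example.com/", and "curl -sI -H 'Host: attacker.invalid' http://<frontend IP>/" should redirect to apachefrontend.example.com rather than echoing the bogus host. A redirect from inside an application that still comes back as http://appserverX.backend/... after this means the backend emits it in a form that does not string-match the ProxyPassReverse prefix (for example with an explicit port or an IP address), which is the first thing to compare against the raw backend response with curl from the frontend host.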
