Hi Luca,  

Just thought you would like to know the vendor changed his end on CloudFront 
and this has addressed the issue. I don’t have any details from the vendor but 
thank you for your advice.

Cheers

Reid 

> On 8/06/2017, at 9:43 PM, Luca Toscano <toscano.l...@gmail.com> wrote:
> 
> Hi Reid,
> 
>  while re-reading the logs I noticed one thing: 
> 
> 2017-06-07 2:42 GMT+02:00 Reid Watson <reid.wat...@auckland.ac.nz>:
> 
> [Wed Jun 07 11:54:28.887001 2017] [ssl:trace3] [pid 9177:tid 140532624602880] 
> ssl_engine_io.c(1086): [remote 54.230.144.17:443] SNI extension for SSL Proxy 
> request set to 'Internal-site.test.com'
> [Wed Jun 07 11:54:28.887011 2017] [ssl:trace3] [pid 9177:tid 140532624602880] 
> ssl_engine_kernel.c(1788): [remote 54.230.144.17:443] OpenSSL: Handshake: 
> start
> [..] 
> [Wed Jun 07 11:54:29.302044 2017] [proxy_http:trace3] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1424): [client 10.0.0.1:19478] Status from 
> backend: 403
> [Wed Jun 07 11:54:29.302056 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1099): [client 10.0.0.1:19478] Headers 
> received from backend:
> [Wed Jun 07 11:54:29.302063 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Server: 
> CloudFront
> [Wed Jun 07 11:54:29.302068 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Date: Tue, 
> 06 Jun 2017 23:54:29 GMT
> [Wed Jun 07 11:54:29.302075 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] 
> Content-Type: text/html
> [Wed Jun 07 11:54:29.302078 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] 
> Content-Length: 555
> [Wed Jun 07 11:54:29.302082 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Connection: 
> close
> [Wed Jun 07 11:54:29.302085 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] X-Cache: 
> Error from cloudfront
> [Wed Jun 07 11:54:29.302089 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] Via: 1.1 
> 515297ac55a7ae01bf8c7d03df4fecb1.cloudfront.net (CloudFront)
> [Wed Jun 07 11:54:29.302092 2017] [proxy_http:trace4] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1101): [client 10.0.0.1:19478] X-Amz-Cf-Id: 
> xxxxxxxx
> [Wed Jun 07 11:54:29.302103 2017] [proxy_http:trace3] [pid 9177:tid 
> 140532624602880] mod_proxy_http.c(1687): [client 10.0.0.1:19478] start body 
> send
> 
> There is a clear indication that the SNI is wrong: 
> 
> SNI extension for SSL Proxy request set to 'Internal-site.test.com'
> 
> So my understanding is that you correctly perform the TLS handshake to Amazon 
> CloudFront (used as CDN), but since the SNI is wrong you get a 403 from the 
> backend. Can you try to replace your Rewrite rules with mod_proxy_http and 
> ProxyPass (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html) and see if 
> anything changes (namely if the SNI is set to the one that you expect)?
> 
> Luca
> 
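
The check Luca describes above (which SNI was set for the proxied request, and which status the backend then returned) can be scripted over the trace output. This is an added example, not part of the original thread or of httpd: it assumes trace-level log lines in the format quoted above, and `unwrap`, `audit_proxy_sni`, the second sample request and the host name `cdn.example.net` are constructed for illustration.

```python
import re

# Constructed input: the first request reuses trace lines quoted in the thread
# (still wrapped and '>'-quoted); the second request and cdn.example.net are invented.
SAMPLE_LOG = """\
> [Wed Jun 07 11:54:28.887001 2017] [ssl:trace3] [pid 9177:tid 140532624602880]
> ssl_engine_io.c(1086): [remote 54.230.144.17:443] SNI extension for SSL Proxy
> request set to 'Internal-site.test.com'
> [Wed Jun 07 11:54:29.302044 2017] [proxy_http:trace3] [pid 9177:tid
> 140532624602880] mod_proxy_http.c(1424): [client 10.0.0.1:19478] Status from
> backend: 403
[Wed Jun 07 11:55:02.100000 2017] [ssl:trace3] [pid 9177:tid 140532624602881] ssl_engine_io.c(1086): [remote 192.0.2.10:443] SNI extension for SSL Proxy request set to 'cdn.example.net'
[Wed Jun 07 11:55:02.400000 2017] [proxy_http:trace3] [pid 9177:tid 140532624602881] mod_proxy_http.c(1424): [client 10.0.0.1:19479] Status from backend: 200
"""

ENTRY_START = re.compile(r"^\[\w{3} \w{3} \d{2} ")  # e.g. "[Wed Jun 07 "
THREAD = re.compile(r"\[pid (\d+):tid (\d+)\]")
SNI = re.compile(r"SNI extension for SSL Proxy request set to '([^']*)'")
STATUS = re.compile(r"Status from backend: (\d{3})")

def unwrap(text):
    """Rejoin entries that a mail client hard-wrapped and '>'-quoted."""
    entries = []
    for line in (raw.lstrip("> ").strip() for raw in text.splitlines()):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        elif line:
            entries[-1] += " " + line
    return entries

def audit_proxy_sni(text, expected_sni):
    """Pair each backend status with the last SNI logged by the same worker thread."""
    last_sni, findings = {}, []
    for entry in unwrap(text):
        thread = THREAD.search(entry)
        if thread is None:
            continue
        key = thread.groups()  # (pid, tid) identifies the worker thread
        if (m := SNI.search(entry)):
            last_sni[key] = m.group(1)
        elif (m := STATUS.search(entry)):
            sni = last_sni.get(key)
            # Host names compare case-insensitively; expected_sni is the caller's assumption.
            mismatch = sni is not None and sni.lower() != expected_sni.lower()
            findings.append({"sni": sni, "status": int(m.group(1)), "sni_mismatch": mismatch})
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_sni(SAMPLE_LOG, "cdn.example.net"):
        print(finding)
```

A status line with no preceding SNI line on the same thread is reported with `sni` set to `None`, which is what a reused backend connection would look like in this simplified pairing.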

