How to make Apache httpd proxy to backend https service use TLSv1.2 instead of TLSv1

Time:01-12

ssl.conf:

SSLEngine on
SSLProxyEngine On
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

someproxy.conf:

ProxyPass /x https://x:8443
ProxyPassReverse /x https://x:8443
AllowCONNECT 8443

When issuing a request via the proxy: curl -k -v -XGET https://localhost/x/y

Getting in the log:

[Thu Jan 05 12:31:40.599913 2023] [proxy_http:error] [pid 14] (103)Software caused connection abort: [client 172.18.0.1:59228] AH01102: error reading status line from remote server x:8443
[Thu Jan 05 12:31:40.599951 2023] [proxy:error] [pid 14] [client 172.18.0.1:59228] AH00898: Error reading from remote server returned by /x/y
172.18.0.1 - - [05/Jan/2023:12:31:40 +0000] "GET /x/y HTTP/1.1" 502 461 "-" "curl/7.68.0" 837 4435

And looking at wireshark packets:

1470438 8882.445761230  172.18.0.13 172.18.0.15 TLSv1   280 Client Hello

Expecting to get a TLSv1.2 handshake and not a TLSv1 handshake request... Any suggestions? Some configuration issue?

docker, Centos7, httpd 2.4.6, mod_ssl 2.4.6, openssl 1.0.2k

Tried limiting SSLProxyProtocol to only TLSv1.2: no change.
Tried modifying openssl.cnf to MinProtocol = TLSv1.2: no change, probably did something wrong...
Tried lowering the minimal protocol on the backend to TLSv1: works, but not a valid solution...
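A protocol version appears in three places in a ClientHello: the record-layer header, the handshake-level client_version field, and (for TLS 1.3-capable clients) the supported_versions extension. Clients offering TLS 1.2 routinely send the record header as 0x0301, which a packet-list column can label "TLSv1", so a "TLSv1 Client Hello" line alone does not tell you what the proxy offered. The following script is an added example, not code from the question or from httpd; it builds constructed ClientHello messages (zeroed random, a three-suite cipher list, placeholder SNI "x") and parses them to report all three fields and the highest version actually offered. To use it on a real capture, feed the raw bytes of the first TLS record from the proxy-to-backend stream to parse_client_hello.

```python
# Added example (not from the original post): parse a TLS ClientHello and
# report every place a protocol version appears, so a "TLSv1" label in a
# packet list can be checked against what the client actually offered.
import struct

SUPPORTED_VERSIONS_EXT = 0x002B
SERVER_NAME_EXT = 0x0000

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLSv1",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}


def build_client_hello(record_version, client_version, supported_versions=(), sni=None):
    """Build a minimal ClientHello record (constructed test input, not a capture)."""
    extensions = b""
    if sni is not None:
        host = sni.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        body = struct.pack("!H", len(name_list)) + name_list
        extensions += struct.pack("!HH", SERVER_NAME_EXT, len(body)) + body
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        extensions += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(body)) + body
    cipher_suites = struct.pack("!HHH", 0xC02B, 0xC02F, 0x009C)  # constructed sample list
    hello = (struct.pack("!H", client_version)
             + bytes(32)                                   # client random (zeros: test data)
             + b"\x00"                                     # empty session id
             + struct.pack("!H", len(cipher_suites)) + cipher_suites
             + b"\x01\x00"                                 # one compression method: null
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return record version, client_version, supported_versions, cipher suites and SNI."""
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                           # skip client random
    sid_len = hello[pos]; pos += 1 + sid_len               # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len             # skip compression methods
    supported, sni = [], None
    if pos < len(hello):                                   # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + ext_size]; pos += ext_size
            if ext_type == SUPPORTED_VERSIONS_EXT:
                n = ext[0]
                supported = [struct.unpack("!H", ext[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            elif ext_type == SERVER_NAME_EXT:
                name_len = struct.unpack("!H", ext[3:5])[0]
                sni = ext[5:5 + name_len].decode()
    return {"record_version": record_version, "client_version": client_version,
            "supported_versions": supported, "cipher_suites": cipher_suites, "sni": sni}


def highest_offered(info):
    """Highest version the client really offers: supported_versions wins when
    present (RFC 8446), otherwise client_version (RFC 5246)."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["client_version"]


def describe(data):
    info = parse_client_hello(data)

    def name(v):
        return VERSION_NAMES.get(v, hex(v))

    return (f"record layer {name(info['record_version'])}, "
            f"client_version {name(info['client_version'])}, "
            f"supported_versions {[name(v) for v in info['supported_versions']]}, "
            f"highest offered {name(highest_offered(info))}")


if __name__ == "__main__":
    # A TLS 1.2-capable client normally wraps its ClientHello in a 0x0301 record
    # (what a packet list may label "TLSv1") while offering 1.2 in client_version.
    print(describe(build_client_hello(0x0301, 0x0303, sni="x")))
    # A genuinely TLS 1.0-only client offers 1.0 in both places.
    print(describe(build_client_hello(0x0301, 0x0301, sni="x")))
    # A TLS 1.3 client keeps client_version at 1.2 and lists 1.3 in supported_versions.
    print(describe(build_client_hello(0x0301, 0x0303, (0x0304, 0x0303), sni="x")))
```

If client_version (or the supported_versions list) already says TLSv1.2, the SSLProxyProtocol setting is taking effect and the 502 has a different cause; only a client_version of 0x0301 with no supported_versions extension means the proxy really offered TLSv1.0.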

CodePudding user response:

[Thu Jan 05 12:31:40.599913 2023] [proxy_http:error] [pid 14] (103)Software caused connection abort: [client 172.18.0.1:59228] AH01102: error reading status line from remote server x:8443

This error is due to a race condition that happens in some situations where the connection is reused. As the mod_http documentation states, it is

caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend

and can be prevented by setting proxy-initial-not-pooled in httpd.conf.
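The following mod_ssl/mod_proxy snippet is an added example, not the answer author's configuration, showing how proxy-initial-not-pooled is actually set (it is an environment variable, so it goes through SetEnv in the scope of the proxied path) and pairing it with an explicit TLSv1.2 allow-list and backend certificate verification. The hostname "x", port 8443 and the CA file path are placeholders taken from the question; adjust them to the real deployment.

```apache
# Added example, not from the original thread. Host "x", port 8443 and the
# CA file path are placeholders.
SSLProxyEngine On
# Positive allow-list instead of "all -SSLv3 -TLSv1 -TLSv1.1": nothing older
# than TLSv1.2 can be offered to the backend regardless of OpenSSL defaults.
SSLProxyProtocol TLSv1.2
SSLProxyCipherSuite HIGH:!aNULL:!MD5
# Verify the backend certificate and its name instead of trusting whatever
# x:8443 presents.
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/ssl/server-ca.crt
SSLProxyCheckPeerName on

<Location /x>
    # Do not hand the first request on a client connection to a pooled backend
    # connection; avoids the AH01102 race when the backend has just closed
    # its side of an idle connection.
    SetEnv proxy-initial-not-pooled 1
    ProxyPass https://x:8443
    ProxyPassReverse https://x:8443
</Location>
```

Setting proxy-initial-not-pooled costs a fresh backend TLS handshake for the first request of every client connection; keep it scoped to the paths that need it rather than server-wide.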

CodePudding user response:

For now I implemented an ugly workaround...

starting nginx inside the httpd container

server {
listen      8080;
server_name api-https-bridge;

location /x/ {
    resolver 127.0.0.11 valid=30s;
    proxy_pass                    https://x:8443/;

    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_ciphers             HIGH:!aNULL:!MD5;

    proxy_ssl_trusted_certificate /etc/ssl/server-ca.crt;
    proxy_ssl_verify        on;
    proxy_ssl_verify_depth  2;

    proxy_ssl_session_reuse on;
}
}

and updated the httpd proxy config

ProxyPass /x http://localhost:8080/x

It works but adds another proxy hop and is not completely stable (nginx runs as a background process, not monitored for failures, and so on...)

If someone has a better idea, I'll gladly try it :-)
