Home > Net >  Apache as Proxy: how to configure TLS on the downstream side?
Apache as Proxy: how to configure TLS on the downstream side?

Time:10-12

We want to use an Apache2 (v2.4.51) as a (reverse) proxy to access a downstream server (running Tomcat). That Tomcat is configured to accept only TLS v1.2 and a very limited set of ciphers (and that's not negotiable).

In the logs I found that our Apache tries to open the connection to that Tomcat using TLS v1.3 which causes the downstream server to immediately terminate the connection and no further communication happens.

How can I configure an Apache server to use a specific TLS version and cipher on an outgoing/ downstream connection? Everything I found re. Apache TLS configuration so far was dealing with the front-side, i.e. what Apache receives and accepts. But in my case I need to adjust the back-end-side, i.e. what Apache uses when it forwards a request.

How/where can one configure that?

Edit: Meanwhile I realized that the terms "upstream" & "downstream" are not always used consistently - so just in case: with "downstream" here I mean the connection (2) as sketched below:

{browsers/internet} --(1)--> [Apache reverse proxy] --(2)--> [Tomcat application server].

Edit 2: In Tomcat's log (catalina.out) I keep getting the below exception which seems to suggest that it is addressed using TLS v1.3 (which it can't handle):

Oct 06, 2022 5:22:06 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions
SEVERE: 
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
    at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
    at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
    at java.lang.Thread.run(Thread.java:750)

javax.net.ssl|FINE|B5|http-nio-8443-Acceptor-0|2022-10-06 17:22:07.539 CEST|HandshakeContext.java:304|No available cipher suite for TLS13
javax.net.ssl|SEVERE|B5|http-nio-8443-Acceptor-0|2022-10-06 17:22:07.540 CEST|TransportContext.java:316|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
    at sun.security.ssl.ServerHandshakeContext.<init>(ServerHandshakeContext.java:62)
    at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
    at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:97)
    at org.apache.tomcat.util.net.SecureNioChannel.reset(SecureNioChannel.java:89)
    at org.apache.tomcat.util.net.SecureNioChannel.<init>(SecureNioChannel.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:666)
    at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:808)
    at java.lang.Thread.run(Thread.java:750)}

Edit 3: my /etc/apache2/conf.d/proxy.conf file now reads:

Listen 443

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile -name-removed-
    SSLProxyEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyMachineCertificateFile -name-removed-
    ProxyPass /foobar https://-name-removed-:8443/foobar
    ProxyPassReverse /foobar https://-name-removed-:8443/foobar

    SSLProxyProtocol  TLSv1.2
    
    <Proxy "*">
        Require all granted
        SSLProxyProtocol  TLSv1.2
    </Proxy>
    LogLevel debug
    ErrorLog "-name-removed-"
</VirtualHost>

Note: "foobar" and "-name-removed-" represent values that I replaced for privacy.

Edit 4: The nmap response was:

# nmap -sV --script ssl-enum-ciphers -p 8443 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-10 16:12 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).

PORT     STATE SERVICE    VERSION
8443/tcp open  tcpwrapped

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
#

What does that tell me?

CodePudding user response:

I would suggest running a utility like nmap to assess the SSL capabilities of the backend server (Tomcat) in this instance. nmap nicely prints out the TLS protocols and ciphers that a given TLS server supports. Using this information, we could configure Apache HTTPD to use the same protocols and ciphers for the backend connection using SSLProxyProtocol and SSLProxyCipherSuite directives.

How to use nmap: nmap -sV --script ssl-enum-ciphers -p

CodePudding user response:

The issue has been resolved! I had a typo in the config file! Shame on me and sorry for the bandwidth consumed.

Page link:https//www.codepudding.com/net/572847.html

Prev:Powershell script to check services - start services - return status that it is started
Next:PHP 8.1 on Apache: shell_exec works for shell commands but not other commands
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding