C. L. Martinez
2016-Feb-29 13:19 UTC
[CentOS] Problems with ProxyPass to a local ip (using SSL)
Hi all,

I am trying to set up an apache virtualhost under CentOS 6.7 that needs to redirect requests from port 444 to port 5100 on its local ip. But I am making some mistakes, because every time I'm receiving a loop error.

My actual httpd config for this virtualhost is:

NameVirtualHost 192.168.1.5:444
<VirtualHost 192.168.1.5:444>
   ServerName myweb01.local.domain
   ErrorLog logs/ssl_error.log
   CustomLog logs/ssl_access.log combined
   CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   LogLevel info
   SSLEngine on
   SSLProxyEngine On
   SSLProtocol -ALL +SSLv3 +TLSv1
   SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
   SSLCertificateFile /etc/httpd/certs/server.crt
   SSLCertificateKeyFile /etc/httpd/certs/server.key
   ProxyRequests Off
   ProxyPreserveHost On
   ProxyPass / http://192.168.1.5:5100/
   ProxyPassReverse / http://192.168.1.5:5100/
   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Port "444"
   RewriteEngine On
   RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
</VirtualHost>

As you can see, I need to do a redirection to port 5100 from port 444 and protect it using ssl.

I've configured iptables rules to drop connections to port 5100 directly:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Any idea how to accomplish/resolve this?

Thanks.

-- 
Greetings,
C. L. Martinez
C. L. Martinez
2016-Feb-29 13:33 UTC
[CentOS] Problems with ProxyPass to a local ip (using SSL)
On Mon 29.Feb'16 at 13:19:07 +0000, C. L. Martinez wrote:
> Hi all,
> 
> I am trying to set up an apache virtualhost under CentOS 6.7 that needs to redirect requests from port 444 to port 5100 on its local ip. But I am making some mistakes, because every time I'm receiving a loop error.
> 
> My actual httpd config for this virtualhost is:
> 
> NameVirtualHost 192.168.1.5:444
> <VirtualHost 192.168.1.5:444>
>    ServerName myweb01.local.domain
>    ErrorLog logs/ssl_error.log
>    CustomLog logs/ssl_access.log combined
>    CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>    LogLevel info
>    SSLEngine on
>    SSLProxyEngine On
>    SSLProtocol -ALL +SSLv3 +TLSv1
>    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
>    SSLCertificateFile /etc/httpd/certs/server.crt
>    SSLCertificateKeyFile /etc/httpd/certs/server.key
>    ProxyRequests Off
>    ProxyPreserveHost On
>    ProxyPass / http://192.168.1.5:5100/
>    ProxyPassReverse / http://192.168.1.5:5100/
>    RequestHeader set X-Forwarded-Proto "https"
>    RequestHeader set X-Forwarded-Port "444"
>    RewriteEngine On
>    RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
> </VirtualHost>
> 
> As you can see, I need to do a redirection to port 5100 from port 444 and protect it using ssl.
> 
> I've configured iptables rules to drop connections to port 5100 directly:
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> Any idea how to accomplish/resolve this?
> 
> Thanks.

More info in my ssl_error.log:

Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

-- 
Greetings,
C. L. Martinez
Gordon Messmer
2016-Feb-29 17:05 UTC
[CentOS] Problems with ProxyPass to a local ip (using SSL)
On 02/29/2016 05:33 AM, C. L. Martinez wrote:
> More info in my ssl_error.log:
> 
> Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
> [Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

Well, that just looks like you're making an http request instead of https in your browser. It doesn't tell us anything about what's looping.
Gordon Messmer
2016-Mar-01 18:31 UTC
[CentOS] Problems with ProxyPass to a local ip (using SSL)
On 02/29/2016 05:19 AM, C. L. Martinez wrote:
> But I am doing some mistakes because every time I'm receiving a loop error.
...
> <VirtualHost 192.168.1.5:444>
...
>    ProxyPass / http://192.168.1.5:5100/
>    ProxyPassReverse / http://192.168.1.5:5100/
>    RewriteEngine On
>    RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
> </VirtualHost>
> 
> As you can see, I need to do a redirection to port 5100 from 444 port and protect it using ssl.

I think you need to figure out whether you want to proxy those requests or rewrite them. You can't reasonably do both.

If you want to keep them SSL protected, then you don't need the rewrite rule at all. Drop it. Right now, you're redirecting clients to the same URL that they loaded to begin with, which is why your client is warning you about a loop.
C. L. Martinez
2016-Mar-03 08:05 UTC
[CentOS] Problems with ProxyPass to a local ip (using SSL)
On Tue 1.Mar'16 at 10:31:43 -0800, Gordon Messmer wrote:
> On 02/29/2016 05:19 AM, C. L. Martinez wrote:
> > But I am doing some mistakes because every time I'm receiving a loop error.
> ...
> > <VirtualHost 192.168.1.5:444>
> ...
> >    ProxyPass / http://192.168.1.5:5100/
> >    ProxyPassReverse / http://192.168.1.5:5100/
> >    RewriteEngine On
> >    RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
> > </VirtualHost>
> > 
> > As you can see, I need to do a redirection to port 5100 from 444 port and protect it using ssl.
> 
> I think you need to figure out whether you want to proxy those requests or
> rewrite them. You can't reasonably do both.
> 
> If you want to keep them SSL protected, then you don't need the rewrite rule
> at all. Drop it. Right now, you're redirecting clients to the same URL
> that they loaded to begin with, which is why your client is warning you
> about a loop.
> 

Ok, problem solved. Finally, the redirection needs to go to a tomcat server that uses this commercial solution. Changing:

ProxyPass / http://192.168.1.5:5100/
ProxyPassReverse / http://192.168.1.5:5100/

to

ProxyPass / ajp://192.168.1.5:5100/
ProxyPassReverse / ajp://192.168.1.5:5100/

... problem solved.

Many thanks to all for your help.

-- 
Greetings,
C. L. Martinez
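The virtualhost below is an added example, not the poster's final configuration and not something from the thread itself. It combines the two fixes discussed above: the self-redirecting RewriteRule is removed, as Gordon suggested, and the backend is reached over AJP as in the final message. Hostname, certificate paths, listen address and the backend address are the ones from the thread; the TLS settings (SSLv3 and RC4 disabled), the `<Proxy *>` block, the optional port-80 redirect vhost and the assumption that `Listen 192.168.1.5:444` and the `mod_proxy_ajp`/`mod_headers` LoadModule lines already exist in httpd.conf are mine.

```apache
# Added example (httpd 2.2 on CentOS 6 style). Assumes "Listen 192.168.1.5:444"
# and the proxy_ajp_module / headers_module LoadModule lines are already
# present in httpd.conf, as they are in the stock CentOS 6 configuration.

NameVirtualHost 192.168.1.5:444

<VirtualHost 192.168.1.5:444>
    ServerName myweb01.local.domain

    ErrorLog  logs/ssl_error.log
    CustomLog logs/ssl_access.log combined
    LogLevel  info

    SSLEngine on
    # Assumption/hardening: TLS only. The thread's "-ALL +SSLv3 +TLSv1" and
    # RC4 cipher preference are replaced; SSLv3 and RC4 are both broken.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5
    SSLHonorCipherOrder on
    SSLCertificateFile    /etc/httpd/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/server.key

    # Reverse proxy only: ProxyRequests Off keeps this from becoming an open
    # forward proxy, and there is deliberately NO RewriteRule sending the
    # client back to https://myweb01.local.domain:444/ -- that was the loop.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Backend hop is AJP to Tomcat, as in the final message. SSLProxyEngine is
    # not needed because the backend connection is not https.
    ProxyPass        / ajp://192.168.1.5:5100/
    ProxyPassReverse / ajp://192.168.1.5:5100/

    # Tell the backend the client-facing scheme and port so any absolute URLs
    # it generates point back at https://...:444 rather than http://...:5100.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "444"
</VirtualHost>

# Optional (assumption): if plain-http clients should be bounced to https,
# do it from a SEPARATE vhost so the redirect never targets the vhost that
# issues it. Note the posted iptables rules only accept 22 and 444, so port
# 80 would have to be opened for this block to be reachable.
<VirtualHost 192.168.1.5:80>
    ServerName myweb01.local.domain
    Redirect permanent / https://myweb01.local.domain:444/
</VirtualHost>
```

The key point is that a redirect to https belongs on the listener that receives non-https traffic, never on the https vhost itself: a `RewriteRule ... [R]` inside the port-444 vhost answers every request with a 302 to the same port-444 URL, which is exactly what the browser reported as a loop. Keeping port 5100 blocked in iptables (as the posted rules already do) ensures clients can only reach Tomcat through the TLS-terminating proxy.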