1

Some Background:

I am trying to setup reverse proxy for my internal business users for site validation when the external route is down. I am able to setup multiple routes with corresponding virtualhosts entries in httpd.conf for port 80 : anonymous user. Am afraid am stuck at SSL route and unable to make progress. I have been to multiple forums but unable to find a response which assists me in moving further.

Server Details:

Apache version: Apache/2.2.29 (Unix) Linux Version: $ cat /etc/*-release Enterprise Linux Enterprise Linux Server release 5.8 (Carthage) Oracle Linux Server release 5.8 Red Hat Enterprise Linux Server release 5.8 (Tikanga)

Problem:

> When I try to access over SSL (*:443) I get empty response on all 3 browsers (IE/Chrome/Firefox)

Note: I generated self signed certificate following instructions at :

www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html

Troubleshooting So far:

=========== Error Log

[Wed Jul 08 23:16:06 2015] [notice] Digest: generating secret for digest authentication ... [Wed Jul 08 23:16:06 2015] [notice] Digest: done [Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com [Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com [Wed Jul 08 23:16:06 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK [Wed Jul 08 23:16:06 2015] [info] LDAP: SSL support available [Wed Jul 08 23:16:06 2015] [info] mod_unique_id: using ip addr 127.0.0.1 [Wed Jul 08 23:16:07 2015] [info] Init: Seeding PRNG with 144 bytes of entropy [Wed Jul 08 23:16:07 2015] [info] Loading certificate & private key of SSL-aware server [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required [Wed Jul 08 23:16:07 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits) [Wed Jul 08 23:16:07 2015] [info] Init: Generating temporary DH parameters (512/1024 bits) [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(272): for 511920 bytes (512000 including header), recommending 32 subcaches, 133 indexes each [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32 [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 15992 [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3208 [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 12784 [Wed Jul 08 23:16:07 2015] [debug] ssl_scache_shmcb.c(316): index_num = 133 [Wed Jul 08 23:16:07 2015] [info] Shared memory session cache initialised [Wed Jul 08 23:16:07 2015] [info] Init: Initializing (virtual) servers for SSL [Wed Jul 08 23:16:07 2015] [info] Configuring server for SSL protocol [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv3, TLSv1) [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(759): Configuring permitted SSL ciphers [HIGH:MEDIUM:!aNULL:!MD5] [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(843): Configuring server certificate chain (1 CA certificate) [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(890): Configuring RSA server certificate [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(936): Configuring RSA server private key [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_init.c(521): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1) [Wed Jul 08 23:16:07 2015] [info] mod_ssl/2.2.29 compiled against Server: Apache/2.2.29, Library: OpenSSL/0.9.8e-fips-rhel5 [Wed Jul 08 23:16:07 2015] [debug] proxy_util.c(1829): proxy: grabbed scoreboard slot 11 in child 6098 for worker proxy:reverse [Wed Jul 08 23:16:07 2015] [debug] proxy_util.c(1945): proxy: initialized single connection worker 11 in child 6098 for (*) --------- truncated for ease of reading --------- [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 0 established (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows) [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+ [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1911): | 0000: 43 4f 4e 4e 45 43 54 20-73 74 67 CONNECT stg | [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+ **[Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] SSL library error 1 in handshake (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!? [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection closed to child 0 with abortive shutdown (server stgwww.cos.agilent.com:443)** [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 1 established (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows) [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+ [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1911): | 0000: 43 4f 4e 4e 45 43 54 20-73 74 67 CONNECT stg | [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+ [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1940): OpenSSL: Exit: error in SSLv2/v3 read client hello A [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] SSL library error 1 in handshake (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!? [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection closed to child 1 with abortive shutdown (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] [client 192.168.244.1] Connection to child 4 established (server stgwww.cos.agilent.com:443) [Wed Jul 08 23:19:02 2015] [info] Seeding PRNG with 144 bytes of entropy [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1903): OpenSSL: Handshake: start [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_kernel.c(1911): OpenSSL: Loop: before/accept initialization [Wed Jul 08 23:19:02 2015] [debug] ssl_engine_io.c(1939): OpenSSL: read 11/11 bytes from BIO#22341b0 [mem: 223b880] (BIO dump follows)

=========== Open SSL Check

[sandeep@atgweb logs]$ openssl s_client -connect 192.168.244.129:443 -state -nbio CONNECTED(00000003) turning on non blocking io SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A **SSL_connect:error in SSLv2/v3 read server hello A write R BLOCK** SSL_connect:SSLv3 read server hello A depth=0 /C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] **verify error:num=18:self signed certificate** verify return:1 depth=0 /C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:error in SSLv3 read finished A SSL_connect:error in SSLv3 read finished A read R BLOCK SSL_connect:SSLv3 read finished A read R BLOCK --- Certificate chain 0 s:/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] i:/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] 1 s:/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=atgweb.localvm.com/[email protected] i:/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=atgweb.localvm.com/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIICvTCCAiYCCQDmbgmAHQHTpTANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMC VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCUN1cGVydGlubzEQMA4G A1UEChMHQWdpbGVudDELMAkGA1UECxMCSVQxHzAdBgNVBAMTFnN0Z3d3dy5jb3Mu YWdpbGVudC5jb20xKjAoBgkqhkiG9w0BCQEWG3NhbmRlZXBfcm9oaWxsYUBhZ2ls ZW50LmNvbTAeFw0xNTA3MDgxNzM2MzZaFw0xNjA3MDcxNzM2MzZaMIGiMQswCQYD VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJQ3VwZXJ0aW5v MRAwDgYDVQQKEwdBZ2lsZW50MQswCQYDVQQLEwJJVDEfMB0GA1UEAxMWc3Rnd3d3 LmNvcy5hZ2lsZW50LmNvbTEqMCgGCSqGSIb3DQEJARYbc2FuZGVlcF9yb2hpbGxh QGFnaWxlbnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDET9X5cK3G 5Cgxz6RIo1irZAnqQQg2sMdDZ3nTyGLzOTNp90xhHp1+VC6ud5Hcivv2112+QCsA MVVJIlkUs+bv7gyiPvviFOSyoi5KAiONkmyr5Vyy1XrVfsrCcF/JhYLltoghDl+Q 6ask51K3OUjVka6UrziAunuzgoR5QHavkQIDAQABMA0GCSqGSIb3DQEBBQUAA4GB ABJqn06X+nvN8gZo9e+ywZhUlyhJIkrYeSS3tEpnBS4PRGyHe2egZKeu1oOquI4w Sf1toICVVusCoLnSEw1lScfNEYk4oVdmAZBKGV1dHS8dIM7/UIQuIoRQlBQ6DkJp uq9NHIZrmM0j1Mrj5gxRx0Yqz8U/pYm3XuEAgy7KTmYz -----END CERTIFICATE----- subject=/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] issuer=/C=US/ST=California/L=Cupertino/O=Agilent/OU=IT/CN=stgwww.cos.agilent.com/[email protected] --- No client certificate CA names sent --- SSL handshake has read 2509 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: EE96B79CC47110B9A7B242691F1721DE77A3119F001CC88CE3B9BEFB4433D8D1 Session-ID-ctx: Master-Key: 30CB866077089FD7198DBD08EEAD9A98C58E43563A191FA2FA8E7A967963E4A614F53045C8528B0978ABD0285ACC41FE Key-Arg : None Krb5 Principal: None Start Time: 1436378586 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- SSL3 alert read:warning:close notify closed SSL3 alert write:warning:close notify [sandeep@atgweb logs]$ cd .. [sandeep@atgweb apache2]$ cd bin [sandeep@atgweb bin]$ sudo ./apachectl -version Server version: Apache/2.2.29 (Unix) Server built: May 21 2015 21:05:01

=============== HTTPD-SSL.CONF File

# #SSLRandomSeed startup file:/dev/random 512 #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/random 512 #SSLRandomSeed connect file:/dev/urandom 512 Listen 443 NameVirtualHost *:443 # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/usr/local/apache2/logs/ssl_mutex" ## ## SSL Virtual Host Context ## <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/usr/local/apache2/htdocs" ServerName xxxxx:443 ServerAdmin [email protected] ErrorLog "/usr/local/apache2/logs/error_log" TransferLog "/usr/local/apache2/logs/access_log" # Enable/Disable SSL for this virtual host. SSLEngine on # SSL Protocol support: SSLProtocol all -SSLv2 # SSL Cipher Suite: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 # Server Certificate: SSLCertificateFile "/usr/local/apache2/conf/ssl.crt" # Server Private Key: SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key" # Server Certificate Chain: SSLCertificateChainFile "/home/sandeep/sandeep.crt" <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/usr/local/apache2/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # Per-Server Logging: CustomLog "/usr/local/apache2/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" SSLProxyEngine on SSLProxyVerify none SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ProxyPass / http://www.google.com ProxyPassReverse / http://www.google.com </VirtualHost>

=============== Modules Enabled

LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_dbd_module modules/mod_authn_dbd.so LoadModule authn_default_module modules/mod_authn_default.so LoadModule authn_alias_module modules/mod_authn_alias.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authnz_ldap_module modules/mod_authnz_ldap.so LoadModule authz_default_module modules/mod_authz_default.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_digest_module modules/mod_auth_digest.so LoadModule file_cache_module modules/mod_file_cache.so LoadModule cache_module modules/mod_cache.so LoadModule disk_cache_module modules/mod_disk_cache.so LoadModule mem_cache_module modules/mod_mem_cache.so LoadModule dbd_module modules/mod_dbd.so LoadModule dumpio_module modules/mod_dumpio.so LoadModule echo_module modules/mod_echo.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule ext_filter_module modules/mod_ext_filter.so LoadModule include_module modules/mod_include.so LoadModule filter_module modules/mod_filter.so LoadModule substitute_module modules/mod_substitute.so LoadModule charset_lite_module modules/mod_charset_lite.so LoadModule deflate_module modules/mod_deflate.so LoadModule ldap_module modules/mod_ldap.so LoadModule log_config_module modules/mod_log_config.so LoadModule log_forensic_module modules/mod_log_forensic.so LoadModule logio_module modules/mod_logio.so LoadModule env_module modules/mod_env.so LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so LoadModule ident_module modules/mod_ident.so LoadModule usertrack_module modules/mod_usertrack.so LoadModule unique_id_module modules/mod_unique_id.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_scgi_module modules/mod_proxy_scgi.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule ssl_module modules/mod_ssl.so LoadModule mime_module modules/mod_mime.so LoadModule dav_module modules/mod_dav.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule asis_module modules/mod_asis.so LoadModule info_module modules/mod_info.so LoadModule cgi_module modules/mod_cgi.so LoadModule dav_fs_module modules/mod_dav_fs.so LoadModule dav_lock_module modules/mod_dav_lock.so LoadModule vhost_alias_module modules/mod_vhost_alias.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so LoadModule imagemap_module modules/mod_imagemap.so LoadModule actions_module modules/mod_actions.so LoadModule speling_module modules/mod_speling.so LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so
#

I will really appreciate help on this. It has been days I have been hitting my head to the wall. Also I am new to this, if I have missed something basic my apologies.

Cheers, Sandeep

Improve this question

1 Answer 1

Reset to default
0 
Your SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!?

due to

ProxyPass / http://www.google.com ProxyPassReverse / http://www.google.com

You should try

ProxyPass / https://www.google.com ProxyPassReverse / https://www.google.com
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.