2

The Goal: set up a server that can receive https and http requests from a domain and forward them to the rails app running on the server. The rails app is running on localhost:3002, and all attempts to connect to the server are made from a different machine on the internet.

I followed this guide: http://hints.macworld.com/article.php?story=20041129143420344

Here is my virtual host definition

NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot "/Users/me/projects/myproject/public"
    ServerName ssl.mydomain.com
    ServerAlias *.ssl.mydomain.com
    # the rails app forwards all http requests to https
    ProxyPass / http://localhost:3002/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    CacheDisable *
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    DocumentRoot "/Users/me/projects/myproject/public"
    ServerName ssl.mydomain.com
    ServerAlias *.ssl.mydomain.com
    SSLCertificateKeyFile "/private/etc/apache2/certs/webserver.nopass.key"
    SSLCertificateFile "/private/etc/apache2/certs/newcert.pem"
    SSLCACertificateFile "/private/etc/apache2/certs/demoCA/cacert.pem"
    SSLCARevocationPath "/private/etc/apache2/certs/demoCA/crl"
    ErrorLog "/Users/me/Desktop/ssl.log"

    ProxyPass / https://localhost:3002/
    ProxyPreserveHost on    
</VirtualHost>

And when I try connecting to the server via the web browser, I get this error:

[Thu Feb 02 16:50:40 2012] [error] (502)Unknown error: 502: proxy: pass request body failed to 127.0.0.1:3002 (localhost)
[Thu Feb 02 16:50:40 2012] [error] [client 96.11.81.39] proxy: Error during SSL Handshake with remote server returned by /session/new
[Thu Feb 02 16:50:40 2012] [error] proxy: pass request body failed to 127.0.0.1:3002 (localhost) from 96.11.81.39 ()

How do I debug / fix this?

EDIT: the web browser error: ( This error occurred on a remote machine (relative to the server) )

the url I typed in was https://ssl.mydomain.com

EDIT 2: the error that rails throws at me:

Filter chain halted as [:ensure_proper_protocol] rendered_or_redirected.
Completed in 0ms (DB: 0) | 302 Found [http://ssl.devtinderbox.com/]
[2012-02-03 10:20:45] ERROR bad Request-Line `?p\001\003\001\000W\000\000\000\020\000\0009\000\0008\000\0005\000\000\026\000\000\023\000\000'.

not sure if that's important though, as I think the SSL handshake needs to succeed before rails will know what to do.

I'm using Mac OS X Lion.

NullVoxPopuli
  • As I was saying in my comments to [your original post on SO](http://stackoverflow.com/q/9120658/372643), it's still not clear what you're trying to do. Can you clarify whether the Apache reverse proxy and your rails server sit on the same machine? – Bruno Feb 03 '12 at 15:00
  • I thought I did o.o maybe I have no idea what I'm doing. But I'm just trying to access my rails server via SSL from a remote machine. just as any web-goer would access a website from their machine. – NullVoxPopuli Feb 03 '12 at 15:02
  • Yes, but from that discussion, it wasn't clear whether that Apache server and your rails server were on the same machine. Are they? Is port 3002 listening to HTTPS connections or plain HTTP? You're using both in your config now... – Bruno Feb 03 '12 at 15:10
  • ah, sorry, I thought that was clear because of the localhost. port 3002 is listening to both https and http, as rails is pretty cool like that. BUT, I'm having handshake errors. I'm using both 80 and 443 now, because a discussion on stack overflow convinced me that it wouldn't hurt to have both. =\ – NullVoxPopuli Feb 03 '12 at 15:17
  • It's still not clear, you're implying in some comments you want to reverse proxy a different machine. Put it simply, is your rails server running on ssl.mydomain.com: yes or no? – Bruno Feb 03 '12 at 15:20
  • yes. T_T I guess I just don't know what reverse proxy means. =\ – NullVoxPopuli Feb 03 '12 at 15:23
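
The `bad Request-Line` entry in EDIT 2 can be decoded to see what actually arrived on port 3002. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes the leading `?` in the log stands for a byte the logger could not print.

```python
import re

# Constructed input: the escaped bytes from the WEBrick "bad Request-Line" entry
# quoted in the question. The entry is truncated, so this is only a prefix.
LOGGED = r"?p\001\003\001\000W\000\000\000\020\000\0009\000\0008\000\0005\000\000\026\000\000\023\000\000"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def unescape(logged):
    """Turn three-digit octal escapes in a log entry back into raw bytes."""
    out = bytearray()
    for m in re.finditer(r"\\([0-3][0-7]{2})|(.)", logged, re.S):
        out.append(int(m.group(1), 8) if m.group(1) else ord(m.group(2)) & 0xFF)
    return bytes(out)


def classify(data, first_byte_lossy=False):
    """Guess which protocol the first bytes of a connection belong to.

    first_byte_lossy=True is an assumption for this log entry: the leading "?"
    is taken to be a placeholder for a byte the logger could not print.
    """
    if data.startswith(HTTP_METHODS):
        return "plain HTTP request"
    # TLS record layer: content type 0x16 (handshake), then major/minor version.
    if len(data) >= 3 and data[0] == 0x16 and (data[1], data[2]) in VERSIONS:
        return "TLS handshake record (%s)" % VERSIONS[(data[1], data[2])]
    # SSLv2-format ClientHello: 2-byte length with the high bit set, message
    # type 0x01, offered version, then three 2-byte length fields.
    if len(data) >= 11 and data[2] == 0x01 and (data[3], data[4]) in VERSIONS:
        cipher_len = int.from_bytes(data[5:7], "big")
        sid_len = int.from_bytes(data[7:9], "big")
        chal_len = int.from_bytes(data[9:11], "big")
        body_len = 9 + cipher_len + sid_len + chal_len
        if first_byte_lossy:
            length_ok = data[1] == body_len & 0xFF  # only the low byte survives
        else:
            declared = ((data[0] & 0x7F) << 8) | data[1]
            length_ok = bool(data[0] & 0x80) and declared == body_len
        if length_ok and cipher_len % 3 == 0:
            return "SSLv2-format ClientHello offering %s" % VERSIONS[(data[3], data[4])]
    return "unknown"


if __name__ == "__main__":
    print(classify(unescape(LOGGED), first_byte_lossy=True))
```

On the quoted entry this reports an SSLv2-format ClientHello offering TLS 1.0: the listener on port 3002 was handed a TLS handshake where it expected an HTTP request line, which is consistent with the `ProxyPass / https://localhost:3002/` line in the 443 virtual host.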

3 Answers

1

You are forwarding both ports 80 (clear http) and 443 (encrypted https) to the same port 3002. This will NOT work.

I did not understand your configuration completely, but the error in SSL handshake explains what is happening. From this error I can tell that you are establishing a clear-text connection (http) to https (port 443) which will clearly fail.

You will get a similar error if you try to access a URL like http://server:443/ and this port 443 is opened for https.

Khaled
  • how does this not work when the rails server handles both http and https? I don't understand. the server is running on port 3002. and the data received on ports 80 and 443 is just forwarded to the rails app... the apache SSL stuff decrypts the message and sends it to the rails app doesn't it? so then the rails app can understand both sets of messages. Or I have no idea what I'm doing, and haven't a clue how the production server works on EngineYard. (I'm trying to set up a development / staging server) – NullVoxPopuli Feb 03 '12 at 15:06
  • @DerNalia: Oh, I think in this case you need to change both URLs to be `http://localhost:3002/` in the `proxypass`. You should not mix http and https on the same port 3002. – Khaled Feb 03 '12 at 15:12
  • well, when I do that, I get a redirect loop. =\ The rails server re-directs http requests to https. and i guess when I made all the proxypasses to be http, it redirected the https to http =\ – NullVoxPopuli Feb 03 '12 at 15:15
1

(Just copying my own answer from the duplicate on SO.)

Don't bother with HTTPS between your front-end and your back-end server from localhost to localhost.

EDIT: to clarify, use ProxyPass / http://localhost:3002/ instead of ProxyPass / https://localhost:3002/


Alternatively, if you really want to connect your reverse proxy to the back-end server using SSL as well (mostly useful when that server isn't where the Apache Httpd reverse proxy is), in addition to https://backend-server-address, use the SSLProxy* directives to set up the CA certs, as documented in the introduction to the mod_proxy documentation.

Bruno
  • but... I'm not trying to connect over ssl from localhost to localhost. maybe you didn't see the updates I made to the question... but I'm always connecting from a machine that the server isn't running on. =\ – NullVoxPopuli Feb 03 '12 at 15:18
  • but... localhost:3002 is where the server is on the machine that ssl.mydomain.com. like.. once a browser has the IP for ssl.mydomain.com, the server needs to know what to do with the request coming in right? it needs to go to the rails server on 3002. So... I guess... I'm just confused. It goes Remote -> Server -> Rails App (Also on the server) So I guess it is Remote <-> Local <-> Local – NullVoxPopuli Feb 03 '12 at 15:25
  • Browser ---`https://ssl.yourdomain/`---> Apache on ssl.yourdomain ---`http://localhost:3002/`---> Rails on the same box as Apache Httpd. – Bruno Feb 03 '12 at 15:28
  • I just saw your edit. that's what I'm doing, the httpS://localhost:3002 =\ – NullVoxPopuli Feb 03 '12 at 15:31
  • when I use just http:// I get a redirect loop. and rails says this: Redirected to https://ssl.devtinderbox.com/ Filter chain halted as [:ensure_proper_protocol] rendered_or_redirected. Completed in 0ms (DB: 0) | 302 Found [http://ssl.devtinderbox.com/] cause the rails app is trying to force SSL (by just redirecting non-ssl requests) ... so maybe I do need SSLProxy*? – NullVoxPopuli Feb 03 '12 at 15:39
  • Well, we can't turn off https in rails. The problem isn't in rails, it's that rails is still receiving an http request, and therefore is redirecting (but apache is forwarding https requests to http, hence the redirect loop). How does one use SSLProxy? – NullVoxPopuli Feb 03 '12 at 15:47
  • SSLProxy is an invalid command o.o – NullVoxPopuli Feb 03 '12 at 16:01
  • rails has a certificate? I thought the only certificates were the ones I made from http://hints.macworld.com/article.php?story=20041129143420344 and you're saying the "Common Name" should be localhost? – NullVoxPopuli Feb 03 '12 at 16:30
  • how is it a rails issue? in my app, I don't want standard http, so I just redirect to the https equivalent of the same URL. – NullVoxPopuli Feb 03 '12 at 16:41
  • also, no guide I've ever followed has said RAILS needs a certificate for apache to connect to it. It's just apache that needs the certificates. =\ – NullVoxPopuli Feb 03 '12 at 16:46
  • o.o ok. I think we have a huge misunderstanding. me of server stuff in general. you of rails stuff. – NullVoxPopuli Feb 03 '12 at 17:29
0

I've never seen ProxyPass used for this; why don't you just use an .htaccess rule to force redirect to https if someone connects to http?

Something like this (if you have no other htaccess rules):

RewriteEngine On 
RewriteCond %{SERVER_PORT} 80 
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]

Did you say you're using rails though? If the app already has an .htaccess file you'll need to modify it depending on the existing rules. If you post the current .htaccess file we can take a look.

Demelziraptor
  • the proxy pass, I think, is just to forward connections coming from mydomain.com to the correct server running locally on the machine.. isn't it? and that isn't the part that is messed up =( I'll post a screenshot – NullVoxPopuli Feb 03 '12 at 14:39