I am using an Apache (2.4) server configured as a load balancer in front of 2 Apache servers. It works fine when I use http connections between the load balancer and the backends, however using https does not work. The configuration of the load balancer:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
<Proxy balancer://testcluster>
  BalancerMember https://[Backend1]:443/test
  BalancerMember https://[Backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster

The backends only have self-signed certificates for now which is why the certificate verification is disabled.

The error-log on the loadbalancer contains the following:

[proxy:error] [pid 31202:tid 140325875570432] (502)Unknown error 502: [client ...] AH01084: pass request body failed to [Backend1]:443 ([Backend1])
[proxy:error] [pid 31202:tid 140325875570432] [client ...] AH00898: Error during SSL Handshake with remote server returned by /test/test.jsp
[proxy_http:error] [pid 31202:tid 140325875570432] [client ...] AH01097: pass request body failed to [Backend1]:443 ([Backend1]) from [...] ()

The error-page in the browser contains:

Proxy Error

The proxy server could not handle the request GET /test/test.jsp.
Reason: Error during SSL Handshake with remote server

As I already stated above, changing the configuration to the http protocol and port 80 works. Also, https connections between the client and the load balancer work, so the ssl module of the load balancer seems to be set up properly. Connecting directly to the backend via https also does not yield any errors.

Thanks in advance for your time


Edit: I figured it out, the problem is that my certificate's common name does not match the server name. I thought SSLProxyVerify none would cause this mismatch to be ignored, but it doesn't. Prior to Apache 2.4.5 this check can be disabled using SSLProxyCheckPeerCN off, but on higher versions (I am using 2.4.7) SSLProxyCheckPeerName off also needs to be specified.

Apache documentation for SSLProxyCheckPeerName

The working configuration looks like this:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

<Proxy balancer://testcluster>
  BalancerMember https://[backend1]:443/test
  BalancerMember https://[backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster

Unfortunately I can't answer my own question for lack of reputation, so I edited my question. I hope this helps anyone who encounters a similar problem.

user3240383
  • Interesting. I used to do this with apache2.2 and never had to do SSLProxyVerify none and never had problems with self-signed certs. You sure the backend server is fine? – ETL Feb 22 '14 at 20:49
  • @ETL I don't know if "SSLProxyVerify none" is required or not, I just added that in the hope it might fix the issue. Calling "wget https://[backend1]/test/test.jsp --no-check-certificate" on the load-balancer server downloads the expected file. – user3240383 Feb 22 '14 at 21:26

3 Answers

The problem turned out to be that the certificate's common name did not match the server name.

Prior to Apache 2.4.5 this check can be disabled using SSLProxyCheckPeerCN off, but on higher versions (such as 2.4.7) SSLProxyCheckPeerName off also needs to be specified.

Apache documentation for SSLProxyCheckPeerName

The working configuration looks like this:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

<Proxy balancer://testcluster>
  BalancerMember https://[backend1]:443/test
  BalancerMember https://[backend2]:443/test
</Proxy>
ProxyPass /test balancer://testcluster

You can check the version of Apache that you have with:

apachectl -V

mlissner
ETL
  • Hey I have the exact same problem except the configuration is a little different: `ProxyPass https://xxxx.thoughtworks.net:8443/margin-tool` `ProxyPassReverse https://xxxx.thoughtworks.net:8443/margin-tool` Same settings are not working. Any ideas? – user157735 Aug 04 '17 at 09:30
  • Got here due to similar errors. Resolution in my specific case was to use DNS name for BalancerMember rather than IP address. Common name now matched name on certificate, so Apache handled it properly--without need to resort to SSLProxyVerify, SSLProxyCheckPeer... elements required for the above answer. – David Fackler Dec 15 '21 at 02:31
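The same name mismatch can be fixed without switching verification off, by trusting the backends' self-signed certificates explicitly and addressing the backends by the name in their certificate. This is an added example, not configuration from the question or any answer; the hostnames backend1.example.internal and backend2.example.internal, and the bundle path, are assumptions.

```apache
# Added example (not from the original post): keep peer verification on
# and trust the self-signed backend certificates explicitly.
# Assumes backend1.example.internal / backend2.example.internal resolve
# from the load balancer and that each backend certificate carries that
# name as its CN or, preferably, as a subjectAltName dNSName.
SSLProxyEngine on

# PEM bundle holding both self-signed backend certificates (path assumed).
# A self-signed certificate listed here validates as its own trust anchor.
SSLProxyCACertificateFile /etc/apache2/ssl/backend-certs.pem

# Refuse the backend connection unless its certificate chains to the bundle.
SSLProxyVerify require
SSLProxyVerifyDepth 1

# Keep the name and expiry checks on; these are the directives the
# workaround above disables. SSLProxyCheckPeerName exists from 2.4.5;
# on older 2.4 releases SSLProxyCheckPeerCN alone performs the name check.
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Limit the proxy side to TLS 1.2 (the lower-voted answers re-enable
# SSLv3, which is broken). Add +TLSv1.3 on 2.4.37+ with OpenSSL 1.1.1.
SSLProxyProtocol -all +TLSv1.2

<Proxy balancer://testcluster>
  # Use the DNS name that appears in each certificate, not the IP address,
  # so the peer-name check can succeed (as in the comment above).
  BalancerMember https://backend1.example.internal:443/test
  BalancerMember https://backend2.example.internal:443/test
</Proxy>
ProxyPass /test balancer://testcluster
ProxyPassReverse /test balancer://testcluster
```

If the load balancer must reach a backend by IP address instead, the backend certificate needs that address as an iPAddress subjectAltName for the check to pass.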
Adding the below solved the problem:

SSLProxyProtocol +TLSv1
sysadmin1138
Murryy
  • Giving mystical config samples isn't a good-quality answer. Copy-pasting strings from the internet isn't what a professional system administrator does. Explain it, what it does and why. – peterh Oct 30 '15 at 21:54
  • Ran into this with java12 - among other things, this solved my problem.... – womd Apr 04 '19 at 13:01
I use Apache 2.4.9 and by adding to the httpd-ssl.conf the following code

SSLProxyProtocol +SSLv3 +TLSv1 +TLSv1.1

I have solved the problems.

nutria