Hi all,
I am trying to set up an Apache virtual host under CentOS 6.7 that needs to redirect requests from port 444 to port 5100 on its local IP. But I am making some mistakes, because every time I'm receiving a loop error.
My actual httpd config for this virtualhost is:

NameVirtualHost 192.168.1.5:444

<VirtualHost 192.168.1.5:444>
    ServerName myweb01.local.domain
    ErrorLog logs/ssl_error.log
    CustomLog logs/ssl_access.log combined
    CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel info
    SSLEngine on
    SSLProxyEngine On
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
    SSLCertificateFile /etc/httpd/certs/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/server.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.5:5100/
    ProxyPassReverse / http://192.168.1.5:5100/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "444"
    RewriteEngine On
    RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
</VirtualHost>
As you can see, I need to do a redirection to port 5100 from port 444 and protect it using SSL.
I've configured iptables rules to drop connections to port 5100 directly:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Any idea how to accomplish/resolve this?
Thanks.
On Mon 29.Feb'16 at 13:19:07 +0000, C. L. Martinez wrote:
> Hi all,
> I am trying to set up an Apache virtual host under CentOS 6.7 that needs to redirect requests from port 444 to port 5100 on its local IP. But I am making some mistakes, because every time I'm receiving a loop error.
> My actual httpd config for this virtualhost is:
>
> NameVirtualHost 192.168.1.5:444
>
> <VirtualHost 192.168.1.5:444>
>     ServerName myweb01.local.domain
>     ErrorLog logs/ssl_error.log
>     CustomLog logs/ssl_access.log combined
>     CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     LogLevel info
>     SSLEngine on
>     SSLProxyEngine On
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
>     SSLCertificateFile /etc/httpd/certs/server.crt
>     SSLCertificateKeyFile /etc/httpd/certs/server.key
>     ProxyRequests Off
>     ProxyPreserveHost On
>     ProxyPass / http://192.168.1.5:5100/
>     ProxyPassReverse / http://192.168.1.5:5100/
>     RequestHeader set X-Forwarded-Proto "https"
>     RequestHeader set X-Forwarded-Port "444"
>     RewriteEngine On
>     RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
> </VirtualHost>
>
> As you can see, I need to do a redirection to port 5100 from port 444 and protect it using SSL.
> I've configured iptables rules to drop connections to port 5100 directly:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> Any idea how to accomplish/resolve this?
> Thanks.

More info in my ssl_error.log:

[Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
On 02/29/2016 05:33 AM, C. L. Martinez wrote:
> More info in my ssl_error.log:
>
> [Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
> [Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

Well, that just looks like you're making an http request instead of https in your browser. It doesn't tell us anything about what's looping.
On Mon 29.Feb'16 at 9:05:13 -0800, Gordon Messmer wrote:
> On 02/29/2016 05:33 AM, C. L. Martinez wrote:
>> More info in my ssl_error.log:
>>
>> [Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
>> [Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
>
> Well, that just looks like you're making an http request instead of https in your browser. It doesn't tell us anything about what's looping.

Right, this is due to the changes in the Rewrite rule. I am doing some modifications and now the only error is:
SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
Any idea how to fix this??
On 01.03.2016 at 12:31, C. L. Martinez carlopmart@gmail.com wrote:
> On Mon 29.Feb'16 at 9:05:13 -0800, Gordon Messmer wrote:
>> On 02/29/2016 05:33 AM, C. L. Martinez wrote:
>>> More info in my ssl_error.log:
>>>
>>> [Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
>>> [Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
>>
>> Well, that just looks like you're making an http request instead of https in your browser. It doesn't tell us anything about what's looping.
>
> Right, this is due to the changes in the Rewrite rule. I am doing some modifications and now the only error is:
>
> SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?
>
> Any idea how to fix this??

How is your client making the request to the proxy (full URI)?
-- LF
On 02/29/2016 05:19 AM, C. L. Martinez wrote:
> But I am making some mistakes, because every time I'm receiving a loop error.
> ...
> <VirtualHost 192.168.1.5:444>
> ...
>     ProxyPass / http://192.168.1.5:5100/
>     ProxyPassReverse / http://192.168.1.5:5100/
>     RewriteEngine On
>     RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
> </VirtualHost>
> As you can see, I need to do a redirection to port 5100 from port 444 and protect it using SSL.

I think you need to figure out whether you want to proxy those requests or rewrite them. You can't reasonably do both.
If you want to keep them SSL protected, then you don't need the rewrite rule at all. Drop it. Right now, you're redirecting clients to the same URL that they loaded to begin with, which is why your client is warning you about a loop.
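As an added illustration of the diagnosis above (this is not code from the thread), a small Python check that parses a VirtualHost block and flags any RewriteRule carrying the R flag whose target is the vhost's own ServerName:port, which is exactly the self-redirect that makes the client loop. The VHOST_CONF string is a constructed copy of the vhost posted above, trimmed to the relevant directives.

```python
import re

# Constructed copy of the vhost from the thread, trimmed to the directives
# that matter for the loop (not read from a live httpd.conf).
VHOST_CONF = """
<VirtualHost 192.168.1.5:444>
    ServerName myweb01.local.domain
    SSLEngine on
    ProxyPass / http://192.168.1.5:5100/
    ProxyPassReverse / http://192.168.1.5:5100/
    RewriteEngine On
    RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
</VirtualHost>
"""

# The same vhost with the rewrite dropped, as the reply recommends.
FIXED_CONF = "\n".join(l for l in VHOST_CONF.splitlines() if "Rewrite" not in l)

VHOST_RE = re.compile(r"<VirtualHost\s+(\S+)>(.*?)</VirtualHost>", re.S)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.M)
URL_RE = re.compile(r"(https?)://([^/:]+)(?::(\d+))?")


def find_self_redirect_loops(conf):
    """Return (listen_address, rule_text) for every external redirect
    (RewriteRule with flag R) that sends the client back to the same
    ServerName:port the vhost itself answers on. A catch-all rule of
    that kind fires again on the redirected request, so the browser
    never reaches the ProxyPass backend and reports a redirect loop."""
    findings = []
    for vhost in VHOST_RE.finditer(conf):
        listen, body = vhost.group(1), vhost.group(2)
        # "192.168.1.5:444" / "*:444" / "[::1]:444" all end in the port.
        port = listen.rsplit(":", 1)[1] if ":" in listen else "80"
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        if not name:
            continue
        own = f"{name.group(1)}:{port}"
        for rule in RULE_RE.finditer(body):
            _pattern, target, flags = rule.groups()
            flag_set = {f.split("=")[0] for f in (flags or "").split(",") if f}
            url = URL_RE.match(target)
            if "R" not in flag_set or not url:
                continue  # internal rewrite or relative target: no redirect
            scheme, host, tport = url.groups()
            tport = tport or ("443" if scheme == "https" else "80")
            if f"{host}:{tport}" == own:
                findings.append((listen, rule.group(0).strip()))
    return findings
```

Running it on the thread's vhost reports the RewriteRule; on the copy with the rewrite removed, or with a target that points at a different port, it reports nothing.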
On Tue 1.Mar'16 at 10:31:43 -0800, Gordon Messmer wrote:
> On 02/29/2016 05:19 AM, C. L. Martinez wrote:
>> But I am making some mistakes, because every time I'm receiving a loop error.
>> ...
>> <VirtualHost 192.168.1.5:444>
>> ...
>>     ProxyPass / http://192.168.1.5:5100/
>>     ProxyPassReverse / http://192.168.1.5:5100/
>>     RewriteEngine On
>>     RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
>> </VirtualHost>
>> As you can see, I need to do a redirection to port 5100 from port 444 and protect it using SSL.
>
> I think you need to figure out whether you want to proxy those requests or rewrite them. You can't reasonably do both.
>
> If you want to keep them SSL protected, then you don't need the rewrite rule at all. Drop it. Right now, you're redirecting clients to the same URL that they loaded to begin with, which is why your client is warning you about a loop.

Ok, problem solved. Finally, the redirection needs to go to a Tomcat server that uses this commercial solution. Changing:

    ProxyPass / http://192.168.1.5:5100/
    ProxyPassReverse / http://192.168.1.5:5100/

to

    ProxyPass / ajp://192.168.1.5:5100/
    ProxyPassReverse / ajp://192.168.1.5:5100/
... problem solved.
Many thanks to all for your help.