LinuxQuestions.org
Old 09-21-2016, 03:29 PM   #1
ariva
LQ Newbie
 
Registered: Oct 2015
Posts: 6

Rep: Reputation: Disabled
Apache reverse proxy with SSL frontend gives bad gateway error


OS: CentOS 7
Apache package: httpd-2.4.6-40.el7.centos.4.x86_64
Proxy modules: proxy_module, proxy_ajp_module, proxy_balancer_module, proxy_connect_module, proxy_express_module, proxy_fcgi_module, proxy_fdpass_module, proxy_ftp_module, proxy_http_module, proxy_scgi_module, proxy_wstunnel_module
My goal is to launch a reverse proxy terminating SSL, then pass the proxied request to the backend via plain HTTP:
SSL from browser to proxy only: Browser (https) --> Proxy Inbound (https) / Proxy Outbound (http) --> Backend server (http)
I have a problem with the reverse proxy when the SSL engine is enabled on the front-end side.
When I put plain HTTP on the front, the problem goes away. When I disable the reverse proxy and serve an example HTML document, the problem does not appear.
My current config:
Code:
<VirtualHost 10.2.2.2:443>
    ServerAdmin itlinux@domain.local
    ServerName  example.domain.com:443
    ErrorLog    logs/example.domain.com-error_log
    TransferLog logs/example.domain.com-access_log
    CustomLog   logs/example.domain.com-request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel    debug
    SetEnv           proxy-nokeepalive 1
    ProxyPreserveHost On
    ProxyRequests    Off
    ProxyPass        / http://10.1.1.1:80/ retry=30 acquire=3000 timeout=6000
    ProxyPassReverse / http://10.1.1.1:80/
    <Proxy *>
      Require ip 10.0.0.0/8
    </Proxy>
    SSLEngine      on
    SSLHonorCipherOrder on
    SSLProtocol    all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!ADH:!AECDH:-ADH-DES-CBC3-SHA:-ADH-RC4-MD5:-ADH-AES128-SHA:-ADH-AES256-SHA
    SSLCertificateFile    /etc/pki/tls/certs/multi_domain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/multi_domain.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/sub_ca.crt
</VirtualHost>
I receive
Bad Gateway
The proxy server received an invalid response from an upstream server.
Error page and get following info on the error_log:
Code:
[ssl:debug] [pid 3505] ssl_engine_io.c(1201): (104)Connection reset by peer: [remote 10.1.1.1:80] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 3505] [remote 10.1.1.1:80] AH01998: Connection closed to child 0 with abortive shutdown (server example.domain.com:443)
[proxy:error] [pid 3505] (104)Connection reset by peer: [client 10.0.0.4:50507] AH01084: pass request body failed to 10.1.1.1:80 (10.1.1.1)
[proxy_http:error] [pid 3505] [client 10.0.0.4:50507] AH01097: pass request body failed to 10.1.1.1:80 (10.1.1.1) from 10.0.0.4 ()
[proxy:debug] [pid 3505] proxy_util.c(2218): AH00943: HTTP: has released connection for (10.1.1.1)
[ssl:debug] [pid 3505] ssl_engine_io.c(992): [client 10.0.0.4:50507] AH02001: Connection closed to child 0 with standard shutdown (server example.domain.com:443)
Due to that information, my assumption is that the Apache server tries to communicate with the backend using an SSL handshake. Am I correct? If so, how could I force it to use the plain HTTP protocol to the backend?
 
Old 09-22-2016, 03:13 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

Since you're running a reverse proxy, you should ditch:
Quote:
<Proxy *>
Require ip 10.0.0.0/8
</Proxy>

Also note that you should disable SSLv3 due to the POODLE bug. You need to use:
Code:
SSLProtocol All -SSLv2 -SSLv3
Regards
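A small audit of the directives discussed in posts #1 and #2, added here as an example and not code from either poster. It expands `SSLProtocol` left to right the way mod_ssl in httpd 2.4 does, which shows that `all -SSLv2` still leaves SSLv3 enabled, reports the `ProxyPass` backend scheme, and lists any `SSLProxy*` directives. The `SSLProxy*` check is an assumption about where to look for backend TLS (the thread never identifies the cause); the function names and the sample are constructed.

```python
import shlex
from urllib.parse import urlsplit

# What "all" expands to in httpd 2.4 with OpenSSL 1.0.1+ (assumes no "no-ssl3" build).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL | {"SSLv2"}}

def effective_protocols(tokens):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled - {"SSLv2"}  # httpd 2.4 has no SSLv2 support

def audit_vhost(conf):
    """Return (check, detail) findings for the directives of one vhost."""
    findings = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and section tags
        name, *args = shlex.split(line)
        key = name.lower()  # directive names are case-insensitive
        if key == "sslprotocol" and "SSLv3" in effective_protocols(args):
            findings.append(("sslv3-enabled", line))
        elif key == "proxypass" and len(args) >= 2:
            findings.append(("backend-scheme", urlsplit(args[1]).scheme))
        elif key.startswith("sslproxy"):
            findings.append(("backend-tls-directive", line))
    return findings

# Constructed sample, reduced from the directives posted in this thread.
SAMPLE = """\
ProxyPass        / http://10.1.1.1:80/ retry=30 acquire=3000 timeout=6000
ProxyPassReverse / http://10.1.1.1:80/
SSLEngine      on
SSLProtocol    all -SSLv2
"""

if __name__ == "__main__":
    for check, detail in audit_vhost(SAMPLE):
        print(f"{check}: {detail}")
```

Because directives can also be inherited from the main server config or included files, run the same check over those files as well as the vhost.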
 
Old 09-22-2016, 08:25 AM   #3
ariva
LQ Newbie
 
Registered: Oct 2015
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestion. I did not mention that I have already tried the config without IP or SSL cipher restrictions, without any change. In fact the problem is solved now. I have cleared all config adapted from the old Apache service to the new one, reinstalled the Apache service and am applying the config to the new one little by little. I am still investigating what was the cause of the SSL communication with the backends. I'll put it here if I find it.
 
  



Tags
apache, reverse proxy, ssl


