OS: CentOS 7
Apache package: httpd-2.4.6-40.el7.centos.4.x86_64
Proxy modules: proxy_module, proxy_ajp_module, proxy_balancer_module, proxy_connect_module, proxy_express_module, proxy_fcgi_module, proxy_fdpass_module, proxy_ftp_module, proxy_http_module, proxy_scgi_module, proxy_wstunnel_module
My goal is to launch a reverse proxy terminating SSL, then pass the proxied request to the backend via plain HTTP:
SSL from browser to Proxy only: Browser (https) --> Proxy Inbound (https) / Proxy Outbound (http) --> Backend server (http)
I have a problem with the reverse proxy when the SSL engine is enabled on the front-end side.
When I put plain HTTP on the front, the problem goes away. When I disable the reverse proxy and serve an example HTML document, the problem does not appear.
My current config:
Code:
<VirtualHost 10.2.2.2:443>
ServerAdmin itlinux@domain.local
ServerName example.domain.com:443
ErrorLog logs/example.domain.com-error_log
TransferLog logs/example.domain.com-access_log
CustomLog logs/example.domain.com-request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel debug
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://10.1.1.1:80/ retry=30 acquire=3000 timeout=6000
ProxyPassReverse / http://10.1.1.1:80/
<Proxy *>
Require ip 10.0.0.0/8
</Proxy>
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!ADH:!AECDH:-ADH-DES-CBC3-SHA:-ADH-RC4-MD5:-ADH-AES128-SHA:-ADH-AES256-SHA
SSLCertificateFile /etc/pki/tls/certs/multi_domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/multi_domain.com.key
SSLCertificateChainFile /etc/pki/tls/certs/sub_ca.crt
</VirtualHost>
I receive a
Bad Gateway
The proxy server received an invalid response from an upstream server.
error page and get the following info in the error_log:
Code:
[ssl:debug] [pid 3505] ssl_engine_io.c(1201): (104)Connection reset by peer: [remote 10.1.1.1:80] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 3505] [remote 10.1.1.1:80] AH01998: Connection closed to child 0 with abortive shutdown (server example.domain.com:443)
[proxy:error] [pid 3505] (104)Connection reset by peer: [client 10.0.0.4:50507] AH01084: pass request body failed to 10.1.1.1:80 (10.1.1.1)
[proxy_http:error] [pid 3505] [client 10.0.0.4:50507] AH01097: pass request body failed to 10.1.1.1:80 (10.1.1.1) from 10.0.0.4 ()
[proxy:debug] [pid 3505] proxy_util.c(2218): AH00943: HTTP: has released connection for (10.1.1.1)
[ssl:debug] [pid 3505] ssl_engine_io.c(992): [client 10.0.0.4:50507] AH02001: Connection closed to child 0 with standard shutdown (server example.domain.com:443)
Due to that information, my assumption is that the Apache server tries to communicate with the backend using an SSL handshake. Am I correct? If so, how could I force it to use the plain HTTP protocol to the backend?
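One way to check the log excerpt against the config mechanically, as an added example that is not part of the original post: it lists the entries logged by the ssl module whose peer address is the ProxyPass backend. The function names are hypothetical; the sample input is the ProxyPass line and the error_log lines quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Sample input copied from the post above (ProxyPass directive and error_log excerpt).
PROXYPASS = "ProxyPass / http://10.1.1.1:80/ retry=30 acquire=3000 timeout=6000"
ERROR_LOG = """\
[ssl:debug] [pid 3505] ssl_engine_io.c(1201): (104)Connection reset by peer: [remote 10.1.1.1:80] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[ssl:info] [pid 3505] [remote 10.1.1.1:80] AH01998: Connection closed to child 0 with abortive shutdown (server example.domain.com:443)
[proxy:error] [pid 3505] (104)Connection reset by peer: [client 10.0.0.4:50507] AH01084: pass request body failed to 10.1.1.1:80 (10.1.1.1)
[proxy_http:error] [pid 3505] [client 10.0.0.4:50507] AH01097: pass request body failed to 10.1.1.1:80 (10.1.1.1) from 10.0.0.4 ()
[proxy:debug] [pid 3505] proxy_util.c(2218): AH00943: HTTP: has released connection for (10.1.1.1)
[ssl:debug] [pid 3505] ssl_engine_io.c(992): [client 10.0.0.4:50507] AH02001: Connection closed to child 0 with standard shutdown (server example.domain.com:443)
"""

# [module:level] [pid N] ... [remote|client ip:port] AHnnnnn
LINE_RE = re.compile(
    r"^\[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r".*?\[(?P<side>remote|client) (?P<peer>[\d.]+:\d+)\] (?P<code>AH\d{5})"
)

def backend_of(proxypass):
    """Return (scheme, 'host:port') of the ProxyPass target URL."""
    url = urlsplit(proxypass.split()[2])
    port = url.port or {"http": 80, "https": 443}[url.scheme]
    return url.scheme, f"{url.hostname}:{port}"

def ssl_events_on_backend(log_text, proxypass):
    """List (AH code, side) for ssl-module entries whose peer is the backend."""
    scheme, backend = backend_of(proxypass)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)  # lines without a peer tag do not match and are skipped
        if m and m["module"] == "ssl" and m["peer"] == backend:
            hits.append((m["code"], m["side"]))
    return scheme, backend, hits

if __name__ == "__main__":
    scheme, backend, hits = ssl_events_on_backend(ERROR_LOG, PROXYPASS)
    print(f"ProxyPass scheme: {scheme}, backend: {backend}")
    for code, side in hits:
        print(f"ssl module logged {code} against [{side} {backend}]")
```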