LinuxQuestions.org
Linux - Server: Bad Gateway using Apache as rev proxy for Exchange 2007 (http://www.linuxquestions.org/questions/linux-server-73/bad-gateway-using-apache-as-rev-proxy-for-exchange-2007-a-907636/)

rvicker 10-11-2011 02:32 PM

Bad Gateway using Apache as rev proxy for Exchange 2007
 
I am trying to move an ancient (FC8) config of using Apache as a reverse proxy to an Exchange 2007 server to a new Fedora 14 system.

I am using HTTPS both to the reverse proxy and from it to the Exchange server. Both are using self signed certificates.

I copied all the settings over from the old system however, when I go to the web page I get

Bad Gateway

The proxy server received an invalid response from an upstream server.
Apache/2.2.17 (Fedora) Server at newserver.company.org Port 443

The only things I can find in the logs are in the error log:

[Tue Oct 11 14:17:57 2011] [error] [client 10.0.1.22] Certificate Verification: Error (20): unable to get local issuer certificate

[Tue Oct 11 14:17:57 2011] [error] (502)Unknown error 502: proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org)

[Tue Oct 11 14:17:57 2011] [error] proxy: pass request body failed to 10.0.1.22:443 (exchange.company.org) from 10.0.0.199 ()


What am I missing that is different between the old Apache, which is still working, and the new one?

Thanks.

cheesus 10-14-2011 01:05 PM

Well, errno 20 is
Quote:

#define ENOTDIR 20 /* Not a directory */
(from /usr/include/asm-generic/errno-base.h)
so maybe you gave a file parameter where Apache expected a directory?
Without seeing your config, this is hard...
Cheers!

rvicker 10-18-2011 11:14 AM

I have checked and the .crt and .key files referenced exist.

=========
.conf file
=========

Code:

# TCP receive buffer for proxied connections; mod_proxy accepts 0 or a value of at least 512.
ProxyReceiveBufferSize 1024


#Exchange

<VirtualHost *:443>
#  DocumentRoot /var/www/html/

  # Tell OWA that the client-facing leg is HTTPS so the links it generates use https://.
  RequestHeader set Front-End-Https "On"

  RewriteEngine On

  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

  SSLEngine On
  SSLProxyEngine On
  # Verification of the backend (Exchange) certificate. No SSLProxyCACertificateFile or
  # SSLProxyCACertificatePath is configured, so mod_ssl has no trust anchor that can
  # validate a self-signed backend certificate; that is what the error log's
  # "Certificate Verification: Error (20): unable to get local issuer certificate" reports.
  SSLProxyVerify Optional

  SetEnv HTTPS_PORT 443

  ExpiresActive On
  ExpiresDefault "access plus 300 seconds"

  # ProxyRequests defaults to Off, so this is a reverse proxy only and "Allow from all"
  # here only opens the ProxyPass'd paths below, not a forward (open) proxy.
  <Proxy *>
      Order deny,allow
      Allow from all
  </Proxy>

  ProxyPreserveHost On
  ProxyBadHeader StartBody
  ProxyVia On

  RewriteRule ^/owa$ owa/ [R]

<Location /owa>
    ProxyPass https://exchange.company.org/owa
    ProxyPassReverse https://exchange.company.org/owa
    SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth. NTLM is bound to the TCP
      # connection and does not pass through mod_proxy; Basic is acceptable here only
      # because SSLRequireSSL keeps the credentials inside TLS on the client side.
      # The two SetEnvIf lines below set variables that nothing else in this config reads.
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

<Location /OAB>
      ProxyPass https://exchange.company.org/OAB
      ProxyPassReverse https://exchange.company.org/OAB
      SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

<Location /rpc>
      ProxyPass https://exchange.company.org/rpc
      ProxyPassReverse https://exchange.company.org/rpc
      SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

<Location /ecp>
      ProxyPass https://exchange.company.org/ecp
      ProxyPassReverse https://exchange.company.org/ecp
      SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

<Location /RpcWithCert>
      ProxyPass https://exchange.company.org/RpcWithCert
      ProxyPassReverse https://exchange.company.org/RpcWithCert
      SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

# Enables Windows Mobile ActiveSync
<Location /Microsoft-Server-ActiveSync>
      ProxyPass https://exchange.company.org/Microso...ver-ActiveSync
      ProxyPassReverse https://exchange.company.org/Microso...ver-ActiveSync
      SSLRequireSSL

      # Rewrite the WWW-Authenticate header to strip out Windows Integrated
      # Authentication (NTLM) and only use Basic-Auth
      SetEnvIf User-Agent ".*MSIE.*" value
      SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
      Header Always Unset WWW-Authenticate
      Header Always Add WWW-Authenticate "Basic realm=www.company.org"
</Location>

</VirtualHost>
#/Exchange


cheesus 10-18-2011 11:27 AM

I see no newserver.company.org in your config?

Use
curl -i yoururl
to see what's really going over the wire
(or any other tool like wget, which will display/log the full http(s) traffic...).

rvicker 10-18-2011 09:35 PM

It looks like the exchange cert is machine name only while Apache is expecting FQDN.

When I tried changing the config to use only the machine name I got an error about verification since the certificate is self signed.

Why did the older system accept this but the new build won't?

=======
wget debug output
=======

Code:

--20:51:39--  https://exchange.company.org/owa/
          => `index.html'
Resolving exchange.company.org... seconds 0.00, 10.0.1.22
Caching exchange.company.org => 10.0.1.22
Connecting to exchange.company.org|10.0.1.22|:443... seconds 0.00, connected.
Created socket 1868.
Releasing 0x009b2d38 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 1868 to SSL handle 0x009b2d98
certificate:
  subject: /CN=exchange
  issuer:  /CN=exchange
ERROR: Certificate verification error for exchange.company.org: unable to get local issuer certificate
ERROR: certificate common name `exchange' doesn't match requested host name `exchange.company.org'.
To connect to exchange.company.org insecurely, use `--no-check-certificate'.
Closed 1868/SSL 0x9b2d98
Unable to establish SSL connection.


cheesus 10-19-2011 06:48 AM

Well, doing SSL with a non-fully-qualified domain name seems like a very bad idea to me, so maybe they forbid that for security reasons...
In any case, did you now try with a FQDN ?

rvicker 11-22-2011 03:04 PM

Just for grins I tried another config. I removed the REQUIRE SSL from the Exchange server's IIS configs and changed the Apache proxy/reverse proxy statements from https://... to http://...

Now it connects, but some of the URLs in the browser are missing https://. For example, after entering https://public.company.com/owa it changes to public.company.com/owa/auth/logon.aspx?url=http://public.company.com/owa/&reason=0. If I manually add the https:// to the front I get the login screen and everything works from there, except that the page AFTER a logout has the same missing https://.

Apache is the only public accessible server so this config would be workable if the missing https:// didn't happen. Is there a way to make Apache do this correctly?

Do I need to import the exchange certificate into Apache somehow, to make end to end SSL work?

cheesus 11-29-2011 01:02 PM

Aha! I would say, if the certificate of the IIS is a self-signed one, yes, you need to import the certificate.
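An added illustration of the two checks behind this thread's errors (the editor's example, not code from the thread or from any of the posters). The "20" in mod_ssl's "Certificate Verification: Error (20)" line is OpenSSL's X.509 verify result code, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, whose text is exactly "unable to get local issuer certificate". The script generates a self-signed certificate with the bare CN `exchange` (a constructed stand-in for the certificate wget printed, not the poster's real one), shows it failing chain verification against a trust store that does not contain it and failing the name check for `exchange.company.org`, then shows both passing once the certificate itself is the trust anchor and the bare name is requested. The temp-file names and the "unrelated-ca" anchor are assumptions made for the demo.

```shell
#!/bin/sh
# Editor's added example, not code from the thread. Reproduces offline the two
# checks a TLS client such as mod_ssl applies to the Exchange server's
# certificate: chain verification and hostname (CN) matching. Needs the openssl
# CLI, 1.0.2 or newer (for -verify_hostname).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

BACKEND_CRT="$WORK/exchange.crt"      # stand-in for the Exchange self-signed cert
UNRELATED_CA="$WORK/unrelated-ca.crt" # a trust anchor that did NOT issue it

# Self-signed cert with a bare machine-name CN, like "subject: /CN=exchange"
# in the wget output. Constructed here for the demo.
make_self_signed() {  # $1 = CN, $2 = output cert path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Chain check against an explicit trust store. Prints ok or fail.
# Verifying against a store that lacks the self-signed cert is the situation
# mod_ssl is in when no SSLProxyCACertificateFile/Path names that cert.
verify_chain() {  # $1 = PEM trust anchors, $2 = cert to verify
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Name check: does the cert carry the hostname we are connecting to? The cert is
# passed as its own anchor so that only the name can fail. Prints ok or fail.
verify_name() {  # $1 = hostname from the ProxyPass URL, $2 = cert
    if openssl verify -CAfile "$2" -verify_hostname "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_self_signed exchange     "$BACKEND_CRT"
make_self_signed unrelated-ca "$UNRELATED_CA"

echo "chain vs. unrelated anchor:   $(verify_chain "$UNRELATED_CA" "$BACKEND_CRT")"        # fail
echo "chain vs. the cert itself:    $(verify_chain "$BACKEND_CRT" "$BACKEND_CRT")"         # ok
echo "name exchange.company.org:    $(verify_name exchange.company.org "$BACKEND_CRT")"    # fail
echo "name exchange:                $(verify_name exchange "$BACKEND_CRT")"                # ok
```

In mod_ssl terms, the pinning step is `SSLProxyCACertificateFile` pointing at the Exchange certificate exported as PEM, together with `SSLProxyVerify require`; the name step is the `SSLProxyCheckPeerCN` comparison (on by default) of the certificate's CN against the host in the ProxyPass URL, which is why a CN of `exchange` can only satisfy a ProxyPass to a host named `exchange` unless the Exchange certificate is reissued for the FQDN.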
