https://bz.apache.org/bugzilla/show_bug.cgi?id=65614
Bug ID: 65614
Summary: cannot SSLProxy ProxyPass over Unix domain socket
Product: Apache httpd-2
Version: 2.4.48
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Tested on an official Debian 11 container, running on a Debian 10 desktop. The
versions mentioned below for apache2 are the versions I'm getting from using
apt. I don't believe the issue is fixed in 2.4.49, based on a glance at the
changelog.
I have an experiment where I was testing two separate things using apache2 as a
reverse proxy:
1. Reverse proxying over a unix domain socket to a simple websocket application.
This works with 2.4.48 in deb11's repos, no problem; deb10's repos have 2.4.38,
which is missing a bugfix in 2.4.39 for websocket over UDS.
2. Upstream TLS between the reverse proxy and the server listening on some
network port (really mTLS, since I have both sides checking certs). This works
fine in 2.4.38 and 2.4.48.
However, in 2.4.48, I cannot do both together, i.e. I cannot seem to do SSL
proxying over a unix socket. I can hit the server's unix socket with curl doing
HTTPS just fine, however, so it seems to be an apache issue.
In my virtualhost block, I have the following stuff. Note that the commented-out
bits work if I proxy to a localhost port.
SSLCACertificateFile /certs/ca/dummy_root_ca.crt
SSLProxyCACertificateFile /certs/ca/dummy_root_ca.crt
SSLProxyMachineCertificatePath /certs/proxyclient/
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 1
#ProxyPass /ws wss://localhost:5000/test/ws
#ProxyPassReverse /ws wss://localhost:5000/test/ws
#ProxyPass / https://localhost:5000/
#ProxyPassReverse / https://localhost:5000/
ProxyPass /ws unix:/run/server.sock|wss://localhost/test/ws
ProxyPassReverse /ws unix:/run/server.sock|wss://localhost/test/ws
ProxyPass / unix:/run/server.sock|https://localhost/
ProxyPassReverse / unix:/run/server.sock|https://localhost/
With this configuration, my server seems to not see the request and I get the
following errors in the logs:
[Mon Oct 04 16:53:15.128651 2021] [proxy:error] [pid 36:tid 139650561906432] (20014)Internal error (specific information not available): [client 172.17.0.1:54422] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)
[Mon Oct 04 16:53:15.128678 2021] [proxy:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54422] AH00898: Error during SSL Handshake with remote server returned by /jsclient
[Mon Oct 04 16:53:15.128682 2021] [proxy_http:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54422] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 172.17.0.1 ()
If I change wss -> ws and https -> http in the ProxyPass lines, I get the expected
"why is this http not https" error messages from the server.
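As an added example (not part of the bug report or of httpd itself): a small Python parser for httpd's default error_log line format that flags the signature shown in the report, an AH00898 backend handshake error for a client paired with an AH01084/AH01097 body-pass failure against the 0.0.0.0:0 address the report's log lines show for the UDS worker, so the condition can be picked out of a log stream rather than noticed by hand. The sample log is the report's three lines re-joined, plus two constructed lines for a client whose backend is a TCP port, which must not be flagged.

```python
import re
from typing import Dict, List, Optional

# httpd's default ErrorLogFormat: "[%t] [%l] [pid %P:tid %T] %7F: %E: [client %a] %M".
# The "(errno)text:" part only appears when an OS error code was attached to the entry.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\((?P<errno>\d+)\)(?P<oserr>[^:]*): )?"
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)

UDS_BACKEND = "0.0.0.0:0"                 # backend address the report shows for the UDS worker
BODY_FAIL_CODES = {"AH01084", "AH01097"}  # "pass request body failed to ..."
SSL_HANDSHAKE_CODE = "AH00898"            # "Error during SSL Handshake with remote server"


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one error_log line into its fields; None if the line is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_uds_tls_failures(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per client that logged both a backend SSL handshake error and a
    body-pass failure against the UDS placeholder address: the signature in the report."""
    handshake: Dict[str, str] = {}  # client -> timestamp of its AH00898 line
    body_fail: Dict[str, str] = {}  # client -> message of its last AH01084/AH01097 line
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["client"] or not rec["module"].startswith("proxy"):
            continue
        if rec["code"] == SSL_HANDSHAKE_CODE:
            handshake[rec["client"]] = rec["ts"]
        elif rec["code"] in BODY_FAIL_CODES and UDS_BACKEND in rec["msg"]:
            body_fail[rec["client"]] = rec["msg"]
    return [{"client": c, "first_seen": handshake[c], "detail": body_fail[c]}
            for c in handshake if c in body_fail]


# Constructed sample: the report's three lines re-joined onto single lines, plus two
# constructed lines for a different client talking to a TCP backend, which must not match.
SAMPLE_LOG = [
    "[Mon Oct 04 16:53:15.128651 2021] [proxy:error] [pid 36:tid 139650561906432] (20014)Internal error (specific information not available): [client 172.17.0.1:54422] AH01084: pass request body failed to 0.0.0.0:0 (httpd-UDS)",
    "[Mon Oct 04 16:53:15.128678 2021] [proxy:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54422] AH00898: Error during SSL Handshake with remote server returned by /jsclient",
    "[Mon Oct 04 16:53:15.128682 2021] [proxy_http:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54422] AH01097: pass request body failed to 0.0.0.0:0 (httpd-UDS) from 172.17.0.1 ()",
    "[Mon Oct 04 16:54:01.000000 2021] [proxy:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54430] AH00898: Error during SSL Handshake with remote server returned by /",
    "[Mon Oct 04 16:54:01.000100 2021] [proxy_http:error] [pid 36:tid 139650561906432] [client 172.17.0.1:54430] AH01097: pass request body failed to 127.0.0.1:5000 (localhost) from 172.17.0.1 ()",
]
```

Running `find_uds_tls_failures(SAMPLE_LOG)` yields a single record for client 172.17.0.1:54422; the second client fails its handshake against a TCP backend and is left alone.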