https://bz.apache.org/bugzilla/show_bug.cgi?id=66190

            Bug ID: 66190
           Summary: unwanted error log messages for TLS reverse proxy
                    connections
           Product: Apache httpd-2
           Version: 2.4.53
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

When we upgraded to Apache httpd 2.4.53, we started seeing error.log messages
for our reverse proxy connections that were configured for TLS. The situation
is unchanged with 2.3.54.

AH01961:  failed to enable ssl support [Hint: if using mod_ssl, see
SSLProxyEngine]

Two important points about this:

1. Our reverse proxy configuration did not change, and
2. The TLS reverse proxy connections continue to work as they did in the past,
despite this message repeated for every such connection.

In a preliminary investigation, it looks like this comes about from some new
code as part of providing both mod_ssl and mod_tls (and potentially others) as
the TLS implementation. However, I can't tell if this is an unintended side
effect of that new code or if it's just an ambiguity in the mod_ssl
documentation.

Our reverse proxy connections are in a typical proxy balancer group. A
simplified version of it looks like this:

<Proxy balancer://backend_cluster>
  BalancerMember https://backend.example.com:443
  SSLProxyEngine on
  # ... various other SSLProxy* directives
</Proxy>

The <Proxy> block is not within a <VirtualHost> block. Experimentally, we found
that adding "SSLProxyEngine on" to our <VirtualHost> block gets rid of the
messages. I did not find anywhere that documents that that's the correct
location for the SSLProxyEngine directive. (If it is documented somewhere, it
seems kind of odd since the TLS applies to the outbound connection to the
source server, not the inbound connection from the client. And, as I said,
things work without it as long as there is an SSLProxyEngine directive in the
<Proxy> block.)

So, is getting those messages with our original config a bug in the new code?
If it's a requirement to have the SSLProxyEngine directive in the <VirtualHost>
block, can that be documented?
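
The following is an added example, not part of the original report and not httpd project code. It audits a configuration for the pattern the reporter describes: "SSLProxyEngine on" set only inside a <Proxy> section while a proxying <VirtualHost> does not set it. The <VirtualHost> sections and ProxyPass lines in the sample are constructed, and treating a server-scope directive as covering every virtual host is an assumption.

```python
import re

# Constructed sample based on the report's simplified config. The <VirtualHost>
# sections and ProxyPass lines are assumptions; the report does not show them.
SAMPLE_CONF = """\
<Proxy balancer://backend_cluster>
  BalancerMember https://backend.example.com:443
  SSLProxyEngine on
</Proxy>
<VirtualHost *:443>
  ProxyPass / balancer://backend_cluster/
</VirtualHost>
<VirtualHost *:8443>
  SSLProxyEngine on
  ProxyPass / balancer://backend_cluster/
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*?)\s*>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
ENGINE_ON = re.compile(r"SSLProxyEngine\s+on\b", re.I)

def audit(conf_text):
    """Return (proxy_sections, bare_vhosts): <Proxy> sections that carry
    'SSLProxyEngine on', and proxying <VirtualHost>s that do not set it."""
    stack, proxy_sections, vhosts, server_on = [], [], {}, False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif (m := OPEN.match(line)):
            kind, arg = m.group(1).lower(), m.group(2)
            if kind == "virtualhost":
                arg = f"{arg} @ line {n}"  # name-based vhosts share an address
                vhosts[arg] = {"engine": False, "proxies": False}
            stack.append((kind, arg))
        else:
            kinds = dict(stack)  # enclosing section kind -> its argument
            vh = vhosts.get(kinds.get("virtualhost"))
            if ENGINE_ON.match(line):
                if "proxy" in kinds:
                    proxy_sections.append(kinds["proxy"])
                elif vh:
                    vh["engine"] = True
                else:
                    server_on = True  # assumption: server scope covers vhosts
            elif vh and line.lower().startswith("proxypass "):
                vh["proxies"] = True
    bare = [a for a, v in vhosts.items()
            if v["proxies"] and not v["engine"] and not server_on]
    return proxy_sections, bare
```

On the constructed sample, the virtual host at line 5 is the one that would match the reporter's original setup, while the one at line 8 matches the workaround.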
