James Chamberlain wrote: > Hello, > > I am testing out mod_nss 1.0.18 using the following combo: Server: > Apache/2.4.20, Interface: mod_nss/1.0.18, Library: NSS/3.40.1 > > The requests from clients are coming in via https and being reverse > proxied to an http endpoint using mod_proxy. > > The response to the browser takes a long time, but eventually the > following is returned: > > > Bad Request > > Your browser sent a request that this server could not understand. > > > Here is an excerpt from the httpd error log: > > [Mon Dec 17 15:58:13.927232 2018] [:info] [pid 24535:tid > 140117113034496] SSL library error 0 writing data > > [Mon Dec 17 15:58:13.927274 2018] [:info] [pid 24535:tid > 140117113034496] SSL Library Error: 0 Unknown > > [Mon Dec 17 15:58:13.927331 2018] [proxy:error] [pid 24535:tid > 140117113034496] (20014)Internal error (specific information not > available): [client 192.168.20.1:52182 <http://192.168.20.1:52182>] > AH01084: pass request body failed to 127.0.0.1:6400 > <http://127.0.0.1:6400> (127.0.0.1) > > [Mon Dec 17 15:58:13.927369 2018] [proxy_http:error] [pid 24535:tid > 140117113034496] [client 192.168.20.1:52182 <http://192.168.20.1:52182>] > AH01097: pass request body failed to 127.0.0.1:6400 > <http://127.0.0.1:6400> (127.0.0.1) from 192.168.20.1 (testclient) > > [Mon Dec 17 15:58:13.927382 2018] [proxy:debug] [pid 24535:tid > 140117113034496] proxy_util.c(2330): AH00943: HTTP: has released > connection for (127.0.0.1) > > [Mon Dec 17 15:58:13.927398 2018] [:debug] [pid 24535:tid > 140117113034496] nss_engine_io.c(666): SSL connection destroyed without > being closed > > > I'm not sure where to look for the problem. This all used to work just > fine. Can anybody point me in the right direction?
The only major change in 1.0.18 is to fix an issue with reverse proxies introduced in Apache 2.4.33. It would appear the change isn't backwards compatible with 2.4.20 (I did it last April and don't remember if I did any testing on older Apache releases). So for now downgrading seems like the best bet. The only other changes were some minor issues detected by clang-analyze. I'm not sure it is worth the effort to try to detect the version of Apache and register the proxy callbacks dynamically or not. rob _______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
