I have been trying to configure the following setup:

  PRIVATE LAN           |              INTERNET 
                        |
  back_end <--HTTP--> Apache <--HTTPS--> Client
                        |
                        |

I.e. the Apache box is acting as a bastion host between the Internet and a
private LAN segment. I have a valid cert and key on the Apache box, and SSL
negotiation works fine. I also have the whole thing working with pure HTTP (no
SSL) but with both, i.e. running SSL to the Apache box, then plain HTTP to the
back end, it breaks.

This is with Apache 2.0.32 (so the API is somewhat different), but here's a
brief trace from the SSL engine log....

[26/Mar/2002 16:38:34 19733] [info]  Connection to child 4 established (server www.test.com:443, client 1.2.3.4)
[26/Mar/2002 16:38:34 19733] [info]  Seeding PRNG with 136 bytes of entropy
[26/Mar/2002 16:38:34 19733] [info]  Connection: Client IP: 1.2.3.4, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[26/Mar/2002 16:38:34 19733] [info]  Connection to child 4 established (server www.test.com:443, client 10.46.101.101)
[26/Mar/2002 16:38:34 19733] [info]  Seeding PRNG with 136 bytes of entropy
[26/Mar/2002 16:38:34 19733] [error] SSL error on writing data (OpenSSL library error follows)
[26/Mar/2002 16:38:34 19733] [error] OpenSSL: error:140D0114:SSL routines:SSL_write:uninitialized
[26/Mar/2002 16:38:34 19733] [error] failed to write 16 of 16 bytes (reason unknown)

Client IP address has been changed, as has the site name... OK, so everything
is going really well up to line 4. 10.46.101.101 is the back end server, but
it would appear that the SSL engine thinks that the back end server has
connected to it as a client (odd...). It then all goes pear-shaped.

From what I can remember, this type of setup should work, and I seem
to recall getting it to work before (with Apache 1.3.x?). Has anyone else
had any success at getting this type of bastion host to work with
Apache 2.0.32 (and the mod_ssl supplied with that)? Is it supposed to
work at all? Is this a bug, feature, or just my poor configuration skills?

From what I can tell from the source code, it would appear that mod_ssl calls
ap_hook_pre_connection to register the function which builds the SSL session. My
gut feeling is that this is being inherited by mod_proxy, and as mod_proxy
tries to send the HTTP/1.1 request to the back end, mod_ssl is trying to
negotiate an SSL with a client (which does not exist). But I may well be
barking up the wrong tree. Any help / advice / known good configs most
appreciated.

Regards,
Patrick Herborn. 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

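A minimal SSL-terminating bastion configuration of the kind the post describes (HTTPS from the client to Apache, plain HTTP from Apache to the back end), added here as an illustration; it is not from the original message or from the Apache project, and the hostname, certificate paths and back-end address are placeholders/assumptions.

```apache
# Added example: SSL-terminating reverse proxy on an Apache 2.0 bastion host
# (mod_ssl + mod_proxy). Not from the original post; ServerName, certificate
# paths and the back-end address below are assumptions/placeholders.
Listen 443

<VirtualHost _default_:443>
    ServerName www.test.com

    # Client <-> Apache leg: TLS is terminated on the bastion.
    SSLEngine on
    # Placeholder paths for the bastion's own certificate and private key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Reverse proxy only. ProxyRequests Off keeps the Internet-facing box
    # from being usable as a forward (open) proxy into the private LAN.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Apache <-> back_end leg: plain HTTP on the private LAN
    # (assumed back-end address, matching the one in the log above).
    ProxyPass        / http://10.46.101.101/
    ProxyPassReverse / http://10.46.101.101/
</VirtualHost>
```

The back-end leg carries the request in cleartext, so it should only traverse the private LAN segment shown in the diagram and never a shared network.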