Re: 502 Proxy Error

2017-06-29 Thread Mark Thomas
On 29/06/17 18:40, TED SPRADLEY wrote:
> I've worked on this for three days and at this point am not sure where to
> begin debugging. 
> 
> I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
> Tomcat Connector issue or a Tomcat import of the SSL Cert issue.
> 
> Any feedback is much appreciated.



> Configuration files content:
> 
> -- begin virtualhost.conf
> 
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   ProxyPass / http://example.com:8081/
>   ProxyPassReverse / http://example.com:8081/
>   ProxyPass /somecontext  http://example.com:8081/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8081/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

> 
> 
> 
>   ServerName www.exampledefaultdomain.com
>   ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com
> 
> 
> 
>   ServerName www.example.com
>   ServerAlias example.com *.example.com
>   ProxyRequests off
>   ProxyPreserveHost on
>   CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
>   ErrorLog "/etc/httpd/logs/examplessl_error.log"
>   SSLEngine on
>   SSLProxyEngine on
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCertificateChainFile /path/to/certs/ca_bundle.crt
>   ProxyPass / http://example.com:8443/
>   ProxyPassReverse / http://example.com:8443/
>   ProxyPass /somecontext  http://example.com:8443/somecontext
>   ProxyPassReverse  /somecontext  http://example.com:8443/somecontext

The above two lines are unnecessary. The previous ProxyPass proxies all
content to Tomcat.

And here appears to be the problem.

If you are proxying to a secure port on Tomcat then the scheme needs to
be https, not http. i.e.:

ProxyPass / https://example.com:8443/
ProxyPassReverse / https://example.com:8443/

Well done for proxying http and https separately. Many users proxy them
to the same Tomcat connector and create a bunch of security issues
(which can be avoided with very careful configuration but that often
gets overlooked).

> 
> -- end virtualhost.conf
> 
> -- begin ssl.conf -
> 
>   ErrorLog logs/ssl_error_log
>   TransferLog logs/ssl_access_log
>   LogLevel warn
>   SSLEngine on
>   SSLProtocol all -SSLv2
>   SSLCertificateFile /path/to/certs/example.com.crt
>   SSLCertificateKeyFile /path/to/keys/example.key
>   SSLCACertificateFile /path/to/certs/ca_bundle.crt
> 
> -- end ssl.conf -
> 
> -- begin Tomcat server.xml Connector:
>  protocol="org.apache.coyote.http11.Http11AprProtocol"
> maxThreads="150"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> proxyName="www.example.com"
> proxyPort="443"
> keystoreFile="conf/.keystore"
> clientAuth="false"
> sslProtocol="TLS"
> xpoweredBy="false"
> server="Apache TomEE" />
> -- end Tomcat server.xml Connector:

That looks OK on the face of it.

It would have been nice to see the config for the 8001 connector but
that doesn't appear to be relevant to the problem at this point.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
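As an added check, not part of Mark's reply nor any Apache or Tomcat tooling, the following Python lint applies both of his points to a constructed copy of the port-443 vhost's ProxyPass lines: it flags a plaintext http:// target on a connector port that is SSLEnabled, and drops sub-path rules that the `/` rule already covers. The set of TLS ports is an assumption taken from the server.xml Connector quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the ProxyPass lines from the thread's port-443 vhost.
VHOST_443 = """
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext
"""
# Assumption: connector ports that carry SSLEnabled="true" in server.xml.
TLS_PORTS = {8443}

RULE = re.compile(r'\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)')

def parse_rules(conf):
    """Return (directive, path, target) for each ProxyPass* line."""
    return [m.groups() for m in map(RULE.match, conf.splitlines()) if m]

def backend_port(target):
    u = urlsplit(target)
    return u.port or (443 if u.scheme == 'https' else 80)

def covered_by_root(directive, path, target, roots):
    """True if a '/' rule of the same directive already proxies this path."""
    root = roots.get(directive)
    return path != '/' and root is not None and target == root.rstrip('/') + path

def lint(conf, tls_ports):
    """Report plaintext targets on TLS ports and rules the '/' rule makes redundant."""
    rules = parse_rules(conf)
    roots = {d: t for d, p, t in rules if p == '/'}
    findings = []
    for directive, path, target in rules:
        scheme = urlsplit(target).scheme
        if backend_port(target) in tls_ports and scheme != 'https':
            findings.append(f"{directive} {path}: port {backend_port(target)} is TLS "
                            f"but target scheme is {scheme}; use https://")
        if covered_by_root(directive, path, target, roots):
            findings.append(f"{directive} {path}: redundant, '{directive} /' covers it")
    return findings

def rewrite(conf, tls_ports):
    """Return the rules with https:// on TLS ports and redundant sub-path rules dropped."""
    rules = parse_rules(conf)
    roots = {d: t for d, p, t in rules if p == '/'}
    out = []
    for directive, path, target in rules:
        if covered_by_root(directive, path, target, roots):
            continue
        if backend_port(target) in tls_ports and target.startswith('http://'):
            target = 'https://' + target[len('http://'):]
        out.append(f"{directive} {path} {target}")
    return out
```

The rewritten rules still need `SSLProxyEngine on` in the same vhost, which the quoted config already has.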



502 Proxy Error

2017-06-29 Thread TED SPRADLEY
I've worked on this for three days and at this point am not sure where to
begin debugging. 

I don't know if this is a SSL Cert issue, an Apache Reverse Proxy issue, a
Tomcat Connector issue or a Tomcat import of the SSL Cert issue.

Any feedback is much appreciated.

Thank you in advance,
Ted S.

Server version: Apache Tomcat/7.0.68
Server built:   Feb 8 2016 20:25:54 UTC
Server number:  7.0.68.0
OS Name:Linux
OS Version: 3.10.0-327.3.1.el7.x86_64
Architecture:   amd64
JVM Version:1.8.0_91-b14
JVM Vendor: Oracle Corporation

Important Points:
1. Apache was unable to be restarted without reboot.
2. After reboot requests to https://example.com/somecontext receive "502 Proxy Error"
3. I rekeyed SSL Certs and re-imported into Tomcat (command below)
4. Requests to https://example.com/somecontext still receive "502 Proxy Error"
5. I suspect one problem may be with contents of the  element

After a recent reboot I encountered the following issue.

Issue: Requests via browser client to https://example.com/somecontext
return -
-- begin browser page
Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.

Reason: Error reading from remote server
-- end browser page

Unexpected Observed Behavior: Requests via browser client to
https://www.example.com/ return the default index.html for the server.
Requests via command line client curl https://www.example.com/ return "502
Proxy Error"

This server has been in production for seven months correctly responding
to requests on ports 80 & 443 (with secure content). I updated content and
wanted to change to redirecting incoming requests from port 80 to port 443.

When I attempted to restart Apache, Apache failed to kill the running
process. I issued 'kill'. Then tried to start. Apache failed to start. I
restored the  container to the state listed below, then
tried to start Apache. Apache failed to start. I rebooted the server, then
started Apache. 

Then any request via browser behaved as above. I then rekeyed the SSL Cert
and re-imported the cert into Tomcat with:

$ openssl pkcs12 -export -in /etc/pki/tls/certs/example.com.crt \
    -inkey /etc/pki/tls/private/example.key -out examplecert.p12 -name tomcat \
    -CAfile /etc/pki/tls/certs/ca_bundle.crt -caname root -chain

Configuration files content:

-- begin virtualhost.conf

  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  ProxyPass / http://example.com:8081/
  ProxyPassReverse / http://example.com:8081/
  ProxyPass /somecontext  http://example.com:8081/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8081/somecontext



  ServerName www.exampledefaultdomain.com
  ServerAlias exampledefaultdomain.com *.exampledefaultdomain.com



  ServerName www.example.com
  ServerAlias example.com *.example.com
  ProxyRequests off
  ProxyPreserveHost on
  CustomLog "/etc/httpd/logs/examplessl.log" "%h %l %u %t \"%r\" %>s %b"
  ErrorLog "/etc/httpd/logs/examplessl_error.log"
  SSLEngine on
  SSLProxyEngine on
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCertificateChainFile /path/to/certs/ca_bundle.crt
  ProxyPass / http://example.com:8443/
  ProxyPassReverse / http://example.com:8443/
  ProxyPass /somecontext  http://example.com:8443/somecontext
  ProxyPassReverse  /somecontext  http://example.com:8443/somecontext

-- end virtualhost.conf

-- begin ssl.conf -

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCertificateFile /path/to/certs/example.com.crt
  SSLCertificateKeyFile /path/to/keys/example.key
  SSLCACertificateFile /path/to/certs/ca_bundle.crt

-- end ssl.conf -

-- begin Tomcat server.xml Connector:

-- end Tomcat server.xml Connector:


$ openssl x509 -in /etc/pki/tls/certs/example.com.crt -noout -subject
subject= /OU=Domain Control Validated/CN=example.com

$ apachectl -S

VirtualHost configuration:
*:443  is a NameVirtualHost
 default server www.example.com (/etc/httpd/conf.d/ssl.conf:56)
 port 443 namevhost www.example.com (/etc/httpd/conf.d/ssl.conf:56)
 port 443 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:35)
 alias example.com
 wild alias *.example.com
*:80   is a NameVirtualHost
 default server www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
 port 80 namevhost www.example.com (/etc/httpd/conf.d/virtualhosts.conf:13)
 alias example.com
 wild alias *.example.com



