SSLProxyEngine On must be defined where the balancer is defined, due to its members being SSL; try that, or move the balancer definition inside the virtual host.

On Sat, 14 Sept 2019, 1:14, Santosh Kondapuram <skondapu...@vitechinc.com.invalid> wrote:

> Can you try adding the following Apache directive setting it to none:
> SSLProxyVerify none
>
> Thanks,
> Santosh.
>
> -----Original Message-----
> From: Antony Stone <antony.st...@apache.open.source.it>
> Sent: Friday, September 13, 2019 6:15 PM
> To: users@httpd.apache.org
> Subject: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing
>
> Hi.
>
> I am trying to set up reverse proxy load balancing using Apache.
>
> I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and
> https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html
>
> What I want to achieve is:
>
> HTTPS connection to my load balancer (which has an appropriate SSL
> certificate for its own URL) forwarding requests on to (currently two)
> HTTPS back-end servers (each of which also has an appropriate SSL
> certificate for its distinct URL).
>
> I can get things working fine if I use HTTP for the "proxy to backend"
> connection.
>
> As soon as I use HTTPS, I get "All workers are in error state".
>
> Here is my (sanitised) configuration:
>
> --------
> ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}
>
> <Proxy balancer://url.mydomain.net>
>     BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
>     BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
>     ProxySet lbmethod=bytraffic
> </Proxy>
>
> <VirtualHost 198.51.100.222:443>
>     ServerName url.mydomain.net
>     SSLEngine On
>     SSLProxyEngine On
>     SSLCertificateFile /etc/url.mydomain.net.crt
>     SSLCertificateKeyFile /etc/url.mydomain.net.key
>     ProxyPass / balancer://url.mydomain.net/
>     ProxyPassReverse / balancer://url.mydomain.net/
> </VirtualHost>
> --------
>
> What happens is that every 10 seconds I get the following entries in
> /var/log/apache2/error.log:
>
> [Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
> [Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)
>
> Plus the same thing for second.server.net
>
> Now, I can see the "Hint: SSLProxyEngine", but I already have that in my
> VirtualHost definition, so I don't know what this hint is trying to hint at.
>
> What I also do not understand is the "SSL Proxy requested for
> my.local.host.name:80" part. I have completely disabled port 80 on this
> machine. Apache is not listening on port 80, I do not need to use standard
> HTTP, and a packet capture shows that nothing is being sent to, or received
> on, port 80, anywhere.
>
> If I change the BalancerMember URLs to use HTTP instead of HTTPS, the
> backend workers become available and I can proxy requests to them, but this
> is not how the eventual system is required to work. I have to point at
> HTTPS-only backend servers.
>
> So, what am I doing wrong, and/or what do I need to change in order to get
> BalancerMembers using HTTPS to become available for use?
>
> Happy to supply any further details needed if people ask.
>
> Thanks,
>
> Antony.
>
> --
> All generalisations are inaccurate.
>
> Please reply to the list;
> please *don't* CC me.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
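
The first reply's suggestion applied to the quoted configuration, as an added example that is not part of the thread: the balancer is moved inside the virtual host so that it shares a scope with SSLProxyEngine On, and back-end certificate verification is left enabled. The CA bundle path is an assumption (Debian's default bundle); the other names are the sanitised ones from the quoted configuration.

```apache
# Added example, not from the thread. Hostnames and certificate paths are the
# sanitised ones from the quoted configuration; the CA bundle path is an assumption.

<VirtualHost 198.51.100.222:443>
    ServerName url.mydomain.net

    # TLS towards clients.
    SSLEngine On
    SSLCertificateFile    /etc/url.mydomain.net.crt
    SSLCertificateKeyFile /etc/url.mydomain.net.key

    # TLS towards the back ends, in the same scope as the balancer below.
    SSLProxyEngine On

    # Authenticate the back ends: validate their certificate chain and
    # check that the certificate matches the BalancerMember hostname.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerName on

    ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}

    # Balancer defined inside the virtual host, so its members and their
    # health checks are set up in the scope that has SSLProxyEngine On.
    <Proxy balancer://url.mydomain.net>
        BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
        BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
        ProxySet lbmethod=bytraffic
    </Proxy>

    ProxyPass        / balancer://url.mydomain.net/
    ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>

# Alternative from the same reply: keep <Proxy balancer://...> at server level
# and add "SSLProxyEngine On" (with the SSLProxy* verification directives)
# at server level as well, outside any <VirtualHost>.
```

Run `apachectl configtest` before reloading, then watch error.log for AH01961 at the next health-check interval.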