On Saturday 14 September 2019 at 02:10:26, Daniel Ferradal wrote:
> SSLProxyEngine On must be defined where the balancer is defined due to its
> members being SSL; try that or move the balancer definition inside the
> virtual host.
Putting "SSLProxyEngine On" in the Balancer definition gives "SSLProxyEngine
not allowed here".
Putting the Balancer definition inside the VirtualHost in fact results in a
segmentation fault. I assume you meant:
--------
<VirtualHost 198.51.100.222:443>
ServerName url.mydomain.net
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/url.mydomain.net.crt
<Proxy balancer://url.mydomain.net>
BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
ProxySet lbmethod=bytraffic
</Proxy>
SSLCertificateKeyFile /etc/url.mydomain.net.key
ProxyPass / balancer://url.mydomain.net/
ProxyPassReverse / balancer://url.mydomain.net/
</VirtualHost>
--------
That gives me:
# /etc/init.d/apache2 restart
[FAIL] Restarting Apache httpd web server: apache2 failed!
[warn] The apache2 configtest failed. ... (warning).
Output of config test was:
Segmentation fault
Action 'configtest' failed.
The Apache error log may have more information.
and nothing in /var/log/apache2/error.log :(
(I also tried it with the Proxy Balancer stanza at the very top of the Virtual
Host stanza, no difference).
Thanks for the help, but any other ideas?
Antony.
> > -----Original Message-----
> > From: Antony Stone <[email protected]>
> > Sent: Friday, September 13, 2019 6:15 PM
> > To: [email protected]
> > Subject: [EXT] [users@httpd] Apache 2.4.25 (Debian Stretch 9.11) reverse
> > proxy load balancing
> >
> > Hi.
> >
> > I am trying to set up reverse proxy load balancing using Apache.
> >
> > I've read https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html and
> > https://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html and
> > https://httpd.apache.org/docs/2.4/mod/mod_proxy_hcheck.html
> >
> > What I want to achieve is:
> >
> > HTTPS connection to my load balancer (which has an appropriate SSL
> > certificate for its own URL) forwarding requests on to (currently two)
> > HTTPS back-end servers (each of which also has an appropriate SSL
> > certificate for its distinct URL).
> >
> > I can get things working fine if I use HTTP for the "proxy to backend"
> > connection.
> >
> > As soon as I use HTTPS, I get "All workers are in error state".
> >
> > Here is my (sanitised) configuration:
> >
> > --------
> > ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}
> >
> > <Proxy balancer://url.mydomain.net>
> > BalancerMember https://first.server.net route=first.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
> > BalancerMember https://second.server.net route=second.server.net hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
> > ProxySet lbmethod=bytraffic
> > </Proxy>
> >
> > <VirtualHost 198.51.100.222:443>
> > ServerName url.mydomain.net
> > SSLEngine On
> > SSLProxyEngine On
> > SSLCertificateFile /etc/url.mydomain.net.crt
> > SSLCertificateKeyFile /etc/url.mydomain.net.key
> > ProxyPass / balancer://url.mydomain.net/
> > ProxyPassReverse / balancer://url.mydomain.net/
> > </VirtualHost>
> >
> > --------
> >
> >
> > What happens is that every 10 seconds I get the following entries in
> > /var/log/apache2/error.log:
> >
> > [Fri Sep 13 02:50:07.600652 2019] [ssl:error] [pid 8628:tid 140240740148992] [remote 203.0.113.223:443] AH01961: SSL Proxy requested for my.local.host.name:80 but not enabled [Hint: SSLProxyEngine]
> > [Fri Sep 13 02:50:07.600703 2019] [proxy:error] [pid 8628:tid 140240740148992] AH00961: HCOH: failed to enable ssl support for 203.0.13.223:443 (first.server.net)
> >
> > Plus the same thing for second.server.net
> >
> > Now, I can see the "Hint: SSLProxyEngine", but I already have that in my
> > VirtualHost definition, so I don't know what this hint is trying to hint
> > at.
> >
> > What I also do not understand is the "SSL Proxy requested for
> > my.local.host.name:80" part. I have completely disabled port 80 on this
> > machine. Apache is not listening on port 80, I do not need to use
> > standard HTTP, and a packet capture shows that nothing is being sent to,
> > or received on, port 80, anywhere.
> >
> >
> > If I change the BalancerMember URLs to use HTTP instead of HTTPS, the
> > backend workers become available and I can proxy requests to them, but
> > this is not how the eventual system is required to work. I have to
> > point at HTTPS-only backend servers.
> >
> >
> > So, what am I doing wrong, and/or what do I need to change in order to
> > get BalancerMembers using HTTPS to become available for use?
> >
> >
> > Happy to supply any further details needed if people ask.
--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Nobel Prizewinner in Physics
Please reply to the list;
please *don't* CC me.
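
A configuration check for the situation discussed in this thread, as an added example that is not part of the original messages: it reports every `https://` BalancerMember defined in a scope (main server or a VirtualHost) that does not set `SSLProxyEngine On`, which is the condition Daniel's reply points at. The function name and the sample input are constructed for illustration, and the check assumes that a VirtualHost inherits `SSLProxyEngine` from the main server and that `<Proxy>` sections belong to their enclosing scope.

```python
import re

# Constructed sample mirroring the configuration posted in this thread.
SAMPLE = """\
ProxyHCExpr ok200 {%{REQUEST_STATUS} =~ /^200/}
<Proxy balancer://url.mydomain.net>
BalancerMember https://first.server.net route=first.server.net \\
    hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
BalancerMember https://second.server.net route=second.server.net \\
    hcmethod=GET hcuri=/isalive hcexpr=ok200 hcinterval=10
ProxySet lbmethod=bytraffic
</Proxy>
<VirtualHost 198.51.100.222:443>
ServerName url.mydomain.net
SSLEngine On
SSLProxyEngine On
ProxyPass / balancer://url.mydomain.net/
</VirtualHost>
"""

def unprotected_https_members(conf):
    """Return (scope, url) for every https BalancerMember defined in a scope
    (main server or a VirtualHost) where SSLProxyEngine is not switched on."""
    scope = "server config"
    ssl_on, members = set(), []
    # A trailing backslash continues a directive onto the next line.
    for raw in conf.replace("\\\n", " ").splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("<virtualhost"):
            scope = line.strip("<>")
        elif low.startswith("</virtualhost"):
            scope = "server config"
        elif re.match(r"sslproxyengine\s+on\b", low):
            ssl_on.add(scope)
        elif m := re.match(r"balancermember\s+(https://\S+)", line, re.I):
            members.append((scope, m.group(1)))
    # Assumption: a VirtualHost inherits SSLProxyEngine from the main server.
    if "server config" in ssl_on:
        return []
    return [(s, u) for s, u in members if s not in ssl_on]

if __name__ == "__main__":
    for scope, url in unprotected_https_members(SAMPLE):
        print(f"{url}: defined in '{scope}' without SSLProxyEngine On")
```

On the sample, both members are reported under "server config", because the only `SSLProxyEngine On` sits inside the VirtualHost while the balancer is declared outside it.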