For background information: (Question at bottom)
I'm trying to connect to a client, who has 8 servers, all of which have unique IP addresses. The client uses the same SSL certificate on all the servers (for this example, cert name == www.all_servers.com). The client only allows incoming requests over https.
I'm trying to create an apache proxy using mod_proxy that maps different URI mappings to different servers. For example:
https://PROXY_SERVER/SERVER1/{REQUEST}
This would send {REQUEST} to server1
https://PROXY_SERVER/SERVER2/{REQUEST}
would send {REQUEST} to server2.
So far, pretty simple.
In Apache 2.2, this could be achieved by using the IP addresses like so:
SSLProxyEngine On
ProxyPass /server1 https://1.1.1.1/
ProxyPassReverse /server1 https://1.1.1.1/
ProxyPass /server2 https://1.1.1.2/
ProxyPassReverse /server2 https://1.1.1.2/
This was due to Apache 2.2 not checking if the certificate matched (1.1.1.1 != www.all_servers.com)
However, in Apache 2.4, I'm now getting certificate issues (rightly so). (This exact code works on an apache 2.2 box)
[Thu Oct 10 12:01:48.571246 2013] [proxy:error] [pid 13282:tid 140475667224320] (502)Unknown error 502: [client 192.168.1.1:48967] AH01084: pass request body failed to 1.1.1.1:443 (1.1.1.1)
[Thu Oct 10 12:01:48.571341 2013] [proxy:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH00898: Error during SSL Handshake with remote server returned by /server1/asd
[Thu Oct 10 12:01:48.571354 2013] [proxy_http:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH01097: pass request body failed to 1.1.1.1:443 (1.1.1.1) from 192.168.1.1 ()
I can't use /etc/hosts, as one server would work, using:
1.1.1.1 www.all_servers.com
SSLProxyEngine On
ProxyPass /server1 https://www.all_servers.com/
ProxyPassReverse /server1 https://www.all_servers.com/
But many servers wouldn't
So, to the actual question:
Is there a way to force mod_proxy to ignore miss-matching certificates. Or, is there a better way to do this.
Thanks for any help with this!
You can set the SSLProxy* options on your Apache server (which is a client as far as the reverse proxy connections are concerned).
This was done with SSLProxyCheckPeerCN (off by default in 2.2, but on by default in 2.4), but I'm not sure how this is going to work with IP addresses (since having IP addresses in the CN is not standard). There's a new option in Apache Httpd 2.4 for checking SANs (SSLProxyCheckPeerName), but I'm not sure how it behaves for IP addresses either.
Having IP addresses in DNS SAN extensions or in the CN is not standard compliant with HTTPS:
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common
Name field in the Subject field of the certificate MUST be used.
Although the use of the Common Name is existing practice, it is
deprecated and Certification Authorities are encouraged to use the
dNSName instead.
[...]
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
Related
I'm using Apache Httpd 2.4 as a web server ,and I fail to allow access only from a specific host to a URL-path "/x" on my web server.
httpd.conf:
<Location "/x">
Require host myhost.com
</Location>
Basically it ignores "Require host myhost.com" and restricts access from all hosts.
authz_host, authz_core modules are enabled.
Am I missing anything?
Thanks
To make Require host work, you have to make sure that reverse dns lookup for your domain works properly. This is done by PTR (pointer) records in your DNS. You can check it with the dig command like this:
$ dig +short www.google.de
172.217.22.67
$ dig +noall +answer -x 172.217.22.67
67.22.217.172.in-addr.arpa. 85372 IN PTR fra15s17-in-f3.1e100.net.
67.22.217.172.in-addr.arpa. 85372 IN PTR fra15s17-in-f67.1e100.net.
Note that the IP of the PTR record is reversed: 172.217.22.67 <=> 67.22.217.172
So www.google.com has a proper reverse dns entry.
If your domain has no reverse dns pointer set you will find an entry like this in your apache error log (unless you have configured it to be in a different location it should be /var/log/apache2/error.log):
[Wed Dec 05 16:18:23.854771 2018] [authz_core:error] [pid 4711] [client W.X.Y.Z:54050] AH01630: client denied by server configuration: /var/www/example.com/x
As a workaround you could just use Require ip:
<Location "/x">
Require ip W.X.Y.Z
</Location>
where W.X.Y.Z is your IP according to the entry in the error.log.
Hope this helps, if so I would be glad if you would accept the answer.
I'm wanting to front an AWS APIGateway URL with a reverse proxy in Apache. The reason is due to a process requiring a static IP to provision a service behind a strict firewall and that the current infrastructure has mod_proxy already in place. The solution I'm looking to implement is to simply to route https->https(apiGateway) via mod_proxy.
But.. AWS uses SNI and I can not get mod_proxy to handshake.
I have the following settings enabled
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
SSLProxyEngine On
ProxyPass /api/1_0/ https://xxx.execute-api.eu-west-1.amazonaws.com/1_0/
ProxyPassReverse /api/1_0/ https://xxx.execute-api.eu-west-1.amazonaws.com/1_0/
The following logs are available in debug mode
proxy_util.c(2020): AH00942: HTTPS: has acquired connection for (xxx.execute-api.eu-west-1.amazonaws.com)
proxy_util.c(2610): AH00962: HTTPS: connection complete to 52.x.x.x:443 (xxx.execute-api.eu-west-1.amazonaws.com)
AH01964: Connection to child 0 established (server domain.com:443)
AH02003: SSL Proxy connect failed
SSL Library Error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
AH01998: Connection closed to child 0 with abortive shutdown (server domain.com:443)
AH01997: SSL handshake failed: sending 502
If I connect using openssl, I can demonstrate a similar error
openssl s_client -tls1_2 -connect xxx.execute-api.eu-west-
1.amazonaws.com:443
CONNECTED(00000003)
140735866254216:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:s3_pkt.c:1494:SSL alert number 40
140735866254216:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
adding -servername for SNI, results in a valid connection
SSL handshake has read 3601 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
...
I therefore believe that mod_proxy and mod_ssl are not sending the servername to the remote https server and could be a bug.
I am running Ubuntu 14.04 with
Server version: Apache/2.4.7 (Ubuntu)
Server built: Sep 18 2017 16:37:54
OpenSSL 1.0.1f 6 Jan 2014
I have attempted to limit the SSLProxyProtocol to TLS1_2 and the cipher list too however the sslv3 alert handshake failure log still exists regardless.
Has any one come across this and know how to ensure that the SNI values are being sent or is this a restriction in the Apache modules?
This is due to ProxyPreserveHost On being set early in the configuration.
Setting ProxyPreserveHost Off under a proxy tag completes as expected:
<Proxy "https://xxx.execute-api.eu-west-1.amazonaws.com/1_0">
ProxyAddHeaders off
ProxyPreserveHost off
</Proxy>
Info on the directive:
When enabled, this option will pass the Host: line from the incoming
request to the proxied host, instead of the hostname specified in the
ProxyPass line.
This option should normally be turned Off. It is mostly useful in
special configurations like proxied mass name-based virtual hosting,
where the original Host header needs to be evaluated by the backend
server.
The answer above helped us. For the sake of "googling" it I would like to add the following scenario as well:
we use a cloud WAF infront of one of our services. Another service needs to forward specific queries to this host and pass through the WAF.
The working configuration looks like this:
<Proxy "balancer://qwertz">
ProxyPreserveHost off
BalancerMember "https://somehost.somewhere.de:443"
</Proxy>
ProxyPass "/special/webservices/" "balancer://qwertz/special/webservices/"
ProxyPassReverse "/special/webservices/" "balancer://qwertz/special/webservices/"
The apache is configured as reverse proxy and runs inside a docker container.
Note that the balancer has only one host, thus no balancing is done.
Before this answer we were getting SSL erros like:
Error during SSL Handshake with remote server returned by...
pass request body failed to...
or
server certificate does NOT include an ID which matches the server name
Like AWS the Cloud WAF also requires SNI.
Hope this post makes this answer more visible (or findable) to someone else.
This setup was working on an ubuntu 14.04 until a recent update (probably the update/ change in package itself is old).
An internal DNS resolves "piwik.7l" to 192.168.1.17 .
192.168.1.17 serves an apache with piwik on it and following conf
<VirtualHost *:80>
ServerName "piwik.7l"
ServerAlias www.piwik.7l
</VirtualHost>
The setup now does work if addressed by IP, but responds with a 400 Bad Request if browsed to via its domain (piwik.7l). The 400 page does contain
Apache/2.4.7 (Ubuntu) Server at piwik.7l Port 80 and after setting the LogLevel to debug, I see following messages in the error.log:
[Mon May 22 15:12:33.566249 2017] [core:debug] [pid 1559] vhost.c(794): [client 192.168.1.112:38587] AH02415: [strict] Invalid host name 'piwik.7l', problem near: .7l
[Mon May 22 15:12:33.566316 2017] [core:debug] [pid 1559] vhost.c(889): [client 192.168.1.112:38587] AH00550: Client sent malformed Host header: piwik.7l
[Mon May 22 15:12:33.566326 2017] [core:debug] [pid 1559] protocol.c(1356): [client 192.168.1.112:38587] AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
In scroll-friendly
[strict] Invalid host name 'piwik.7l', problem near: .7l
AH00550: Client sent malformed Host header: piwik.7l
AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
I tried various combinations of IP, port and domain name usage in the VirtualHost/ServerName/ServerAlias blocks and disabled all other VirtualHost-definitions.
To me it sounds as if Apache would try to validate the "tld" part of the domain (7l) in a strict way. Is there any way I can disable that or debug it further?
Edit
The relevant parts of apache2ctl -S:
VirtualHost configuration:
*:80 piwik.7l (/etc/apache2/sites-enabled/000-default.conf:1)
Edit 2
ping piwik.7l does resolve fine from the webserver and from my machine.
Thanks to #savedarios answer here: https://serverfault.com/questions/658537/apache-virtualhost-error-invalid-host-name/841984#841984
If found the solution to be the following change to my apache2.conf:
HttpProtocolOptions Unsafe
I recently received an abuse report from Amazon (AWS) saying that my server was attempting to log in to forums and such. When I look at my error logs, I have lines and lines of:
[proxy:warn] [pid 2916:tid 1668] [client 82.117.234.134:6152] AH01144: No protocol handler was valid for the URL yandex.ru:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1668] [client 120.132.54.62:58004] AH01144: No protocol handler was valid for the URL www.baidu.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1672] [client 188.173.26.212:52049] AH01144: No protocol handler was valid for the URL l9bjkkhaycw6f8f4.soundcloud.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1668] [client 104.199.176.143:56048] AH01144: No protocol handler was valid for the URL www.amazon.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1744] [client 119.97.174.200:3700] AH01144: No protocol handler was valid for the URL zhifu.99.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[proxy:warn] [pid 2916:tid 1712] [client 113.189.16.238:60122] AH01144: No protocol handler was valid for the URL s.youtube.com:443. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
My httpd-vhosts.conf is configured with:
<VirtualHost *:80>
ServerName demo.mysite.com
DocumentRoot "D:/sites/mysite/www/"
<Directory "D:/sites/mysite/www/">
AllowOverride All
Require all granted
</Directory>
ProxyPreserveHost On
ProxyPass "/data" "http://localhost:8080/data/"
ProxyPassReverse "/data" "http://localhost:8080/data/"
Header set Access-Control-Allow-Origin "*"
ErrorLog "logs/demo.mysite.com-error.log"
CustomLog "logs/demo.mysite.com-access.log" common
</VirtualHost>
Starting the server for even just a minute creates about 300+ lines of the above logs. This leads me to several questions:
Is my server possibly misconfigured or is it infected with something?
Where should I look to find out how it got like this?
UPDATE/EDIT:
It turns out that I had ProxyRequests On because a tutorial said that I have to have it on for Reverse Proxy to work. It's now turned off (ProxyRequests Off) and everything is fine. Thanks to Configuring mod_proxy for Apache to reject wrong domain requests
Make sure thatyou don't confuse Forward and Reverse Proxies. ProxyRequests On is for Forward Proxies. If you don't configure it properly after that, your server is an open proxy for the world. This is what is causing all of the logs is everyone using your (now) proxy server to access the internet.
For Reverse Proxies, make sure that you have ProxyRequests Off and then follow the rest of the configuration like adding ProxyPass and ProxyPassReverse.
Thanks to Configuring mod_proxy for Apache to reject wrong domain requests for pointing out that it is possible to turn your Apache server into an open proxy on accident.
I configured apache server as a reverse proxy and it works fine if I point a backend server as HTTP. That is:
I configured virtual host 443 like:
ProxyPass /primary/store http://localhost:9763/store/
ProxyPassReverse /primary/store http://localhost:9763/store/
Here users will access the server like https://localhost/primary/store
And this works fine... But I want to configure HTTP server like;
ProxyPass /primary/store https://localhost:9443/store/
ProxyPassReverse /primary/store https://localhost:9443/store/
When I configure like apache server gives 500 internal server error. What am I doing wrong here?
The error I get is:
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, you#example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
In the apache error log it states;
nt: SSLProxyEngine]
[Mon Aug 04 00:03:26 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
[Mon Aug 04 00:03:31 2014] [error] [client ::1] SSL Proxy requested for localhost:443 but not enabled [Hint: SSLProxyEngine]
[Mon Aug 04 00:03:31 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
[Mon Aug 04 00:03:51 2014] [error] [client ::1] SSL Proxy requested for localhost:443 but not enabled [Hint: SSLProxyEngine]
[Mon Aug 04 00:03:51 2014] [error] proxy: HTTPS: failed to enable ssl support for [::1]:9443 (localhost)
How to configure http server to talk to HTTPS server?
Your server tells you exactly what you need : [Hint: SSLProxyEngine]
You need to add that directive to your VirtualHost before the Proxy directives :
SSLProxyEngine on
ProxyPass /primary/store https://localhost:9763/store/
ProxyPassReverse /primary/store https://localhost:9763/store/
See the doc for more detail.
In my case, my server was configured to work only in https mode, and error occured when I try to access http mode. So changing http://my-service to https://my-service helped.