Why am I getting an Apache Proxy 503 error? - apache

My server was doing just fine up until yesterday. It was running Redmine, and it was the happiest little server until my "friend" imported a SQL table that my little guy couldn't take. Unfortunately, after an hour of trying to get the lil guy to respond, we had to power cycle him.
Now after restart, we get a 503 error when trying to visit the domain connected to Redmine. It's hooked up to a Mongrel daemon, and we use Apache Proxy to direct all connections to the port Redmine is running on.
Using Lynx on the server (http://localhost:8000) you can see the Ruby application working fine. But this bit is not working in my Apache configuration file:
<VirtualHost *:80>
ServerName sub.example.com
ProxyPass / http://localhost:8000
ProxyPassReverse / http://localhost:8000
ProxyPreserveHost on
LogLevel debug
</VirtualHost>
Here's the error log output for Apache:
[debug] mod_proxy_http.c(54): proxy: HTTP: canonicalising URL //localhost:8000
[debug] proxy_util.c(1335): [client 216.27.137.51] proxy: http: found worker http://localhost:8000 for http://localhost:8000/
[debug] mod_proxy.c(756): Running scheme http handler (attempt 0)
[debug] mod_proxy_http.c(1687): proxy: HTTP: serving URL http://localhost:8000/
[debug] proxy_util.c(1755): proxy: HTTP: has acquired connection for (localhost)
[debug] proxy_util.c(1815): proxy: connecting http://localhost:8000/ to localhost:8000
[debug] proxy_util.c(1908): proxy: connected / to localhost:8000
[debug] proxy_util.c(2002): proxy: HTTP: fam 2 socket created to connect to localhost
[error] (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8000 (localhost) failed
[error] ap_proxy_connect_backend disabling worker for (localhost)
[debug] proxy_util.c(1773): proxy: HTTP: has released connection for (localhost)


Apache will respond with 503's for at least 60 seconds any time it detects that the backend server is down. This is the default behavior. As in your example, if you restart your backend server (Rails in this example) and someone tries to access it through the Apache proxy before Rails is ready then Apache will return 503's for the next 60 seconds regardless if your backend is now 'up'. Please see the apache docs on ProxyPass where it states:
retry 60
Connection pool worker retry timeout in seconds. If the connection pool worker to the backend server is in the error state, Apache will not forward any requests to that server until the timeout expires. This enables to shut down the backend server for maintenance, and bring it back online later. A value of 0 means always retry workers in an error state with no timeout.
So if you set your Proxy Pass to include retry=0 you won't see the 503's when you restart your backend service. This is also useful when using Apache as reverse proxy during development! For example:
ProxyPass / http://localhost:8000 retry=0


Run following command
# /usr/sbin/setsebool httpd_can_network_connect 1
OR
# /usr/sbin/setsebool httpd_can_network_connect true
and after that restart httpd
# service httpd restart


Are you sure they're restarting in the correct order? I've had weird issues where Apache starts, then Mongrel starts and although Mongrel is running, Apache still throws the proxy error.
I've solved this in the past with various incantations and restarts of Apache and eventually the gods are happy. It seems that sometimes the Mongrel processes don't properly shut down so you have to manually kill them. Here's a link with some [possible] help.
I ended up adding a "kill" option to my /etc/init.d/ mongrel script because it happened so much. It stop Mongrel, killed all Mongrel sessions, started Mongrel and restarted Apache.
<snip>
kill)
echo "Stopping, killing, starting, and restarting Apache..."
mongrel_cluster_ctl stop -c $CONF_DIR --clean
killall -u mongrel
mongrel_cluster_ctl start -c $CONF_DIR --clean
/etc/init.d/httpd restart
RETVAL=$?
;;
</snip>
Probably not a very good solution but the evil went away.


Try running monit to monitor your mongrels behind Apache, and that way it can restart mongrels for you if they die or get too hungry for memory. If for any reason Apache still gets confused you may just have to gracefully restart apache and it should resolve itself, but for 99% of cases having monit watch over your mongrels should avoid this happening again. The other option is look into Phusion Passenger.


First check whether the port 8080 is listening or not by the following command
netstat -tlpn
If not than restart the jenkins server by the following command
sudo /etc/init.d/jenkins start
It should work now. Hope it helps.


Fist, you must install selinux: (SELinux stands for Security-Enhanced Linux.)
apt-get install selinux
After that, you can enable Security Policy of SElinux by follow command:
sed -i 's/SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
Notice:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
Final,restart apache!

Related

Flask app with Apache proxy + Gunicorn not working on HTTPS

Updates in the bottom, I kind of solved it but not sure if the solution is a correct one.
I have Apache running on CentOS with a proxy to localhost port 8080 where I have Flask app running using Gunicorn. This setup works on Apache port 80 (HTTP) and I can connect to it using my domain http://example.com with a browser but now I have tried to setup SSL/HTTPS and it just doesn't work.
Navigating to https://example.com tries to load the page for a while (like 30ish seconds) and then it shows 502 error page:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /.
Reason: Error reading from remote server
Apache error log:
[proxy_http:error] [pid 30209] (103)Software caused connection abort: [client xx.xxx.xxx.xxx:60556] AH01102: error reading status line from remote server localhost:8080
[proxy:error] [pid 30209] [client xx.xxx.xxx.xxx:60556] AH00898: Error reading from remote server returned by /
Gunicorn error log (first 7 lines are from Gunicorn startup, no idea why this info is in error log, last 3 lines are when the HTTPS request returns 502 error):
[29478] [INFO] Listening at: http://127.0.0.1:8080 (29478)
[29478] [INFO] Using worker: sync
[29480] [INFO] Booting worker with pid: 29480
[29481] [INFO] Booting worker with pid: 29481
[29482] [INFO] Booting worker with pid: 29482
[29483] [INFO] Booting worker with pid: 29483
[29484] [INFO] Booting worker with pid: 29484
[29478] [CRITICAL] WORKER TIMEOUT (pid:29480)
[29480] [INFO] Worker exiting (pid: 29480)
[29554] [INFO] Booting worker with pid: 29554
Apache config which is working for HTTP (/etc/httpd/conf/httpd.conf):
Listen 80
#other default config values here
<VirtualHost *:80>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
IncludeOptional conf.d/*.conf
Apache config which is not working for HTTPS (/etc/httpd/conf.d/ssl.conf):
Listen 443 https
#other default config values here
<VirtualHost *:443>
#other default config values here too
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/cert.key
SSLProxyEngine on
ProxyPass / https://localhost:8080/
ProxyPassReverse / https://localhost:8080/
</VirtualHost>
If I remove/comment the SSLProxyEngine, ProxyPass amd ProxyPassReverse lines and restart Apache I get the default Apache welcome page and HTTPS works just fine so clearly the problem is in the Proxy somehow?
The flask app is started with Gunicorn by:
gunicorn --config gunicorn_config.py app:app
gunicorn_config.py:
workers = 5
bind = '127.0.0.1:8080'
umask = 0o007
reload = True
accesslog = 'log_gunicorn_access.txt'
errorlog = 'log_gunicorn_error.txt'
app.py:
from flask import Flask
app = Flask(__name__)
#app.route('/')
def hello_world():
return 'Hello world!'
if __name__ == '__main__':
app.run(host='127.0.0.1', port=8080)
And once again, this works when navigating to my domain using HTTP but doesn't work when using HTTPS.
Any help?
UPDATE:
I managed to get another error. Now navigating to https://example.com loads instantly and shows 500 error page:
Proxy Error
The proxy server could not handle the request GET /.
Reason: Error during SSL Handshake with remote server
Apache error log:
[proxy:error] [pid 32385] (502)Unknown error 502: [client xx.xxx.xxx.xxx:50932] AH01084: pass request body failed to [::1]:8080 (localhost)
[proxy:error] [pid 32385] [client xx.xxx.xxx.xxx:50932] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 32385] [client xx.xxx.xxx.xxx:50932] AH01097: pass request body failed to [::1]:8080 (localhost) from xx.xxx.xxx.xxx ()
No more any errors in Gunicorn error log.
I added these two lines to gunicorn_config.py:
keyfile = '/etc/pki/tls/private/cert.key'
certfile = '/etc/pki/tls/certs/cert.pem'
and made sure both files are accessible by the user running Gunicorn (chmod o+r cert.key/pem).
No idea if I was supposed to change it like this as I thought the traffic should go like: client --https--> Apache and then Apache --http--> Gunicorn.
Also HTTP (http://example.com) no longer works and gives the previous 502 error page but I guess running Gunicorn with the cert configs doesn't allow HTTP anymore and would need to run the app twice with different configs).
UPDATE 2:
I added more Apache logging by adding this line to /etc/httpd/conf.d/ssl.conf inside virtual host:
LogLevel info
And now I got additional info in Apache error log:
[ssl:info] [pid 3808] [remote 127.0.0.1:8080] AH02411: SSL Proxy: Peer certificate does not match for hostname localhost
Then I added new line to /etc/httpd/conf.d/ssl.conf inside virtual host:
SSLProxyCheckPeerName off
And now I got another Apache error:
[ssl:info] [pid 3999] [remote 127.0.0.1:8080] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: example.com Requested hostname: localhost
Added new line to /etc/httpd/conf.d/ssl.conf inside virtual host:
SSLProxyCheckPeerCN off
Aaaand now navigating to https://example.com correctly works and I get "Hello world" back from the app!
Now I guess my question needs update as well: Is it bad practice, wrong or insecure to use SSLProxyCheckPeerName off and SSLProxyCheckPeerCN off in this context? Or is there a better way as I don't think there's a way to order an official SSL certificate on localhost?

You're using
ProxyPass / http://localhost:8080/
and
ProxyPass / https://localhost:8080/
(note the 1 letter difference).
Your localhost:8080 will serve either http or https. Based on your description (and common expectations) it's serving http. If you proxy even your :443 virtual host to http, it'll work better.
You might run into more issues, as the proxied application doesn't really know that it's actually served through https, but that's a different beast than this question.

SSL issue with Apache httpd reverse proxy scheme

Apologies this question is a mix of Chef and Apache-httpd, but ultimately I believe it's an Apache-httpd configuration issue.
I have a Chef client/node happily hitting a Chef Server w/ SSL.
Chef client/node - /etc/chef/client.rb
chef_server_url 'https://chefserverhostname/organizations/myOrg'
ssl_verify_mode :verify_peer
I'm trying to put a proxy in front of the Chef Server so I can re-point down the road if needed. Apache-httpd is installed fine (on the same box as Chef Server), all firewall and iptables are consistent with my below configuration.
Chef Server - /etc/httpd/conf/httpd.conf
Listen 8443
<VirtualHost *:8443>
ServerAdmin me#email
ServerName chefserverhostname
ServerAlias CDS-PROXY
ProxyPass / https://chefserverhostname:443/
ProxyPassReverse / https://chefserverhostname:443/
RewriteEngine On
</VirtualHost>
I reconfigure the Chef client/node's client.rb to point to https://chefserverhostname:8443/organizations/myOrg, and hope to have the request pass through the proxy. ChefServer/nginx is listening on 443 and I'm assuming that it's taking care of the SSL decrypt, and 8443 is just the 'pass-through'. But when I fire up my Chef client/node I'm getting an SSL error message:
ERROR: SSL Validation failure connecting to host: chefserverhostname - SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol

You are using HTTPS but your vhost does not have any configuration to enable mod_ssl or another TLS option. As such, you should be using http://hostname:8443 but this very not recommended.
Chef Server is an appliance at heart and this kind of extra proxy layer is possible but not how things are intended to operate. You should just use the default setup which already includes a fronting nginx proxy for Erchef and friends.

You can check https://github.com/chef-cookbooks/httpd this recipe and configure properly apache ssl and additional modules.
To me is also not ok to drop SSL connection on chef server - base on your current setup.
Since you have nginx on your machine you can extend the configuration there to support reverse proxy. Later on if you remove chefserver/nginx from this machine and you want only to leave proxy, install new nginx and apply the same conf for proxy configuration.
I rather drop apache from your setup.

Apache Webserver ReverseProxy to serve Apache Solr Admin Panel

I'm trying to run an Apache Solr Service (on its emdedded jetty server) on a remote server. The admin has provided me following information:
DNS: my.server.com
IP: xxx.xxx.xxx
Server OS: 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
Only Port 80 is accessible. On the server we want to deploy Apache Solr and a microservice which uses Solr as search engine. I want to use Apache Webserver to forward the HTTP-Request to the Solr Admin UI and to the microservice UI, but it doesn't seem to work, I use Apache Server version: Apache/2.4.10 (Debian)
Server built: Sep 15 2016 20:44:43.
I installed Apache and started the server, so far everything works as expected. I can access the admin view from Apache entering the DNS in my browser.
I enabled a few modules following this articel https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension:
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_connect
a2enmod proxy_html
Then I tried to configure a virtual host under /etc/apache2/sites-available/myconf.conf:
<VirtualHost *:80>
DocumentRoot /var/www/html
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
ProxyPass /solr http://my.server.com:8983 retry=0 timeout=5
ProxyPassReverse /solr http://my.server.com:8983
ProxyPass /microservice http://my.server.com:6868 retry=0 timeout=5
ProxyPassReverse /microservice http://my.server.com:6868
LogLevel debug
</VirtualHost>
Solr uses its standard port 8983 and the microservice will be on port 6868. When I try to acces solr with http://my.server.com/solr I get an HTTP 503 Service unavailable.
I first tried this:
/usr/sbin/setsebool -P httpd_can_network_connect 1
But it changed nothing. I also had to install first:
apt-get install policycoreutils
to make this option available. The solr service seems to be ok:
solr status
Found 1 Solr nodes:
Solr process 14082 running on port 8983
{
"solr_home":"/etc/apache-solr/solr-6.2.0/server/solr",
"version":"6.2.0 764d0f19151dbff6f5fcd9fc4b2682cf934590c5 - mike - 2016-08-20 05:41:37",
"startTime":"2016-10-07T12:02:05.300Z",
"uptime":"0 days, 1 hours, 29 minutes, 55 seconds",
"memory":"29.7 MB (%6.1) of 490.7 MB"}
The Apache log keeps saying:
The timeout specified has expired: AH00957: HTTP: attempt to connect to xxx.xxx.xxx:8983 (my.server.com) failed
AH00959: ap_proxy_connect_backend disabling worker for (my.server.com) for 0s
AH01114: HTTP: failed to make connection to backend: my.server.com
Without my timeout setting everthing keeps the same but it takes ages before I get the 503 Error.
Any hints? After one day struggeling I'm depressed ... all I want is to finish the task.
Thanks in advance!

It turns out that I needed to append a slash to the urls:
ProxyPass /solr/ http://my.server.com:8983/ retry=0 timeout=5
ProxyPassReverse /solr/ http://my.server.com:8983/
ProxyPass /microservice/ http://my.server.com:6868/ retry=0 timeout=5
ProxyPassReverse /microservice/ http://my.server.com:6868/

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details

This is due to non-existance of "/var/www/html" directory. run mkdir "/var/www/html" , hope it will solved.
I have installed a fresh copy of Centos 7. Then I restarted Apache but the Apache failed to start. I have 3 days stucked in this issue. Even the support can not figure out the error.
sudo service httpd start
Failed to start apache :
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2016-05-09 16:08:02 BST; 59s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 5710 (code=exited, status=1/FAILURE)
May 09 16:08:02 mike079.startdedicated.de systemd[1]: Starting The Apache HTTP Server...
May 09 16:08:02 mike079.startdedicated.de httpd[5710]: (98)Address already in use: AH00072: make_sock: could not bind to address 85.25.12.20:80
May 09 16:08:02 startdedicated.de httpd[5710]: no listening sockets available, shutting down
May 09 16:08:02 startdedicated.de httpd[5710]: AH00015: Unable to open logs
May 09 16:08:02 startdedicated.de systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 09 16:08:02.startdedicated.de kill[5712]: kill: cannot find process ""
May 09 16:08:02 .startdedicated.de systemd[1]: httpd.service: control process exited, code=exited status=1
May 09 16:08:02startdedicated.de systemd[1]: Failed to start The Apache HTTP Server.
May 09 16:08:02 startdedicated.de systemd[1]: Unit httpd.service entered failed state.
May 09 16:08:02 mike: httpd.service failed.

I got the same error because of a simple typo in vhost.conf.
Remember to make sure you don't have any errors in the config files.
apachectl configtest

From your output:
no listening sockets available, shutting down
what basically means, that any port in which one apache is going to be listening is already being used by another application.
netstat -punta | grep LISTEN
Will give you a list of all the ports being used and the information needed to recognize which process is so you can kill stop or do whatever you want to do with it.
After doing a nmap of your ip I can see that
80/tcp open http
so I guess you sorted it out.

In my case I got the error simply because I had changed the Listen 80 to listen 443 in the file
/etc/httpd/conf/httpd.conf
Since I had installed mod_ssl using the yum commands
yum -y install mod_ssl
there was a duplicate listen 443 directive in the file ssl.conf created during mod_ssl installation.
You can verify this if you have duplicate listen 80 or 443 by running the below command in linux centos (My linux)
grep '443' /etc/httpd/conf.d/*
below is sample output
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:<VirtualHost _default_:443>
/etc/httpd/conf.d/ssl.conf:#ServerName www.example.com:443
Simply reverting the listen 443 in httd.conf to listen 80 fixed my issue.

on command line type journalctl -xe and the results will be
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 83 or 80
This means that the SELinux is running on your machine and you need to disable it. then edit the configuration file by type the following
nano /etc/selinux/config
Then find the line SELINUX=enforce and change to SELINUX=disabled
Then type the following and run the command to start httpd
setenforce 0
Lastly start a server
systemctl start httpd

Allow Apache Through the Firewall
Allow the default HTTP and HTTPS port, ports 80 and 443, through firewalld:
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
And reload the firewall:
sudo firewall-cmd --reload

Some other service may be using port 80: try to stop the other services: HTTPD, SSL, NGINX, PHP, with the command sudo systemctl stop and then use the command sudo systemctl start httpd

For me the issue was the following:
[Sat Sep 10 00:43:20.999998 2022] [auth_digest:error] [pid 123456] (2)No such file or directory: AH01762: Failed to create shared memory segment on file /run/httpd/authdigest_shm.128124
[Sat Sep 10 00:43:20.999999 2022] [auth_digest:error] [pid 123456] (2)No such file or directory: AH01760: failed to initialize shm - all nonce-count checking and one-time noncesdisabled
I have just tailed the error logs to get those two line above:
*ADMINSHELL* :/var/opt/custom_path/logs/httpd # tail error_log
So the problem was that this folder was missing: /run/httpd/
Solution:
mkdir /run/httpd
chown root:httpd /run/httpd
chmod 0710 /run/httpd
After this is done. You will be able to restart the service:
systemctl restart httpd.service
Double check:
systemctl status httpd.service

The error could be anywhere, configs, libraries or the binaries. Error in the control process is a general error thrown by the system when its not able to start/restart the service. In my case one of libraries linked to the exe in the .service file has a problem. Fixing that library solved the problem.

try this cmd to know the missing config or error in the file configuration
$ apachectl configtest

I had almost the same error, and I found the error on vhost.conf file, which is located on /etc/httpd/conf.d/vhost.conf.
If you were configuring the virtual host, I suggest you look at the following file and find if you have any errors there.
/etc/httpd/conf.d/vhost.conf

For me also the same error happens after adding dummy SSL
in /etc/httpd/conf.d/ssl.conf file it's created a line like,
SLCertificateFile /etc/pki/tls/certs/localhost.crt
I changed it from SLCertificateFile to SSLCertificateFile
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
And after apache restart it started working fine.

<VirtualHost *:80>
ServerName www.YOURDOMAIN.COM
ServerAlias YOURDOMAIN.COM
DocumentRoot /var/www/YOURDOMAIN.COM/public_html
ErrorLog /var/www/YOURDOMAIN.COM/error.log
CustomLog /var/www/YOURDOMAIN.COM/requests.log combined
DocumentRoot /var/www/YOURDOMAIN.COM/public_html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/YOURDOMAIN.COM/public_html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>

ws_tunnel Apache->Websocket server not working

I have a local web socket server running on WSS:// port 9000. In the same server I have apache running as well.
When I try and connect from my remote client directly to port 9000 via WSS like this:
wss://myserver:9000
it works fine. However, I blocked port 9000 on my router and am trying to access it via apache (which is running on SSL).
When I try and access
wss://myserver/
I can see the logs in Apache that it issued a GET but my web socket server does not receive the connection.
I've read through various SO threads and I think I have my ordering correct.
Details:
Apache Version:
Server version: Apache/2.4.7 (Ubuntu)
sudo apache2ctl -M shows proxy_* modules running
proxy_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
Apache configuration: (relevant lines inside VirtualHost)
ProxyPass / wss://localhost:9000/
ProxyPassReverse / wss://localhost:9000/
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
Note that both my local web socket server and Apache are configured to use the same certificates
(I'm not sure if I need the Proxy * part, but I saw it in one SO thread)
And here are debug logs:
http://pastebin.com/gqVp3Pz5
Thanks

It seems by default Apache wstunnel does not work when the need is to tunnel SSL end to end. What works is if Apache terminates WSS and then does a WS with the local server.
I found this thread tunneling secure websocket connections with apache that describes how to recompile Apache to allow for end to end WSS tunneling.
I've currently decided to not do apache tunneling and open a firewall port for my event server directly as I don't expect my users to have the inclination to recompile Apache for this.