
I have a server that acts as a front-end for a cPanel mailserver in a network. The Apache proxy on the front-end server ran for 152 days without fault, then suddenly I started getting 500/502 errors when using it to access the webmail clients of the mailserver.

The front-end server uses a signed SSL cert; the cPanel server is using a self-signed cert. Here is the error log output from the front-end server when it first started happening:

[Tue Sep 10 18:22:52.959291 2013] [proxy:error] [pid 19531] (502)Unknown error 502: [client 173.xx.xx.xx:9558] AH01084: pass request body failed to 184.xx.xx.xx:2096 (184.xx.xx.xx), referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX

[Tue Sep 10 18:22:52.959469 2013] [proxy:error] [pid 19531] [client 173.xx.xx.xx:9558] AH00898: Error during SSL Handshake with remote server returned by /cpsess12385596/3rdparty/roundcube/, referer: https://domain.com:2096/cpsess12385596/3rdparty/roundcube/?_task=mail&_refresh=1&_mbox=INBOX

The front-end server is an EC2 instance running Apache/2.4.6 (Amazon). My VirtualHost setup for the proxy on this server is as follows:

    <VirtualHost *:2096>
        ServerName domain.com

        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off

        SSLCertificateFile /x/x/x/domain.com.crt
        SSLCertificateKeyFile /x/x/x/domain.com.key
        SSLCACertificateFile /x/x/x/domain.com.cabundle

        ProxyPass / https://184.xx.xx.xx:2096/
        ProxyPassReverse / https://184.xx.xx.xx:2096/
        ProxyPassReverseCookieDomain 184.xx.xx.xx:2096 domain.com
        ProxyPassReverseCookiePath / /

        SetOutputFilter INFLATE;proxy-html;DEFLATE
        ProxyHTMLURLMap https://184.xx.xx.xx:2096 /
    </VirtualHost>

As far as I can think, nothing has changed on the front-end server; I didn't do an update or anything. After noticing this problem and fiddling with no success, I tried a restart on both servers, but it did nothing to fix this.

Any suggestions?

DePages

4 Answers


Came across the same issue with Server version: Apache/2.4.6

As per the documentation at [1], "In 2.4.5 and later, SSLProxyCheckPeerCN has been superseded by SSLProxyCheckPeerName, and its setting is only taken into account when SSLProxyCheckPeerName off is specified at the same time."

So adding the following entry did the trick:

SSLProxyCheckPeerName off

So my working config looks like...

    ProxyRequests Off

    SSLEngine On
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    SSLCertificateFile /x/x/keys/server.crt
    SSLCertificateKeyFile /x/x/keys/server.key

[1] http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

Artem Russakovskii
Comment: Note that "SSLEngine On" is not concerned with the proxy part of the configuration, but with _serving_ this request via SSL/TLS, even though it is grouped with the proxy config options. – Perseids Nov 16 '16 at 00:00

If the backend server uses an out-of-date self-signed certificate, one more option is needed (if there is no access to the backend server):

SSLProxyCheckPeerExpire off
Jenny D
Milan Kerslager
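The accepted answer and the SSLProxyCheckPeerExpire answer above make the proxy work by switching the backend certificate checks off, so the front end no longer authenticates the cPanel server it forwards webmail sessions and credentials to. As an added example (not from the question or from any of the answers), the following is the same VirtualHost with the backend's self-signed certificate pinned as the proxy's only trust anchor, which keeps the chain, name and expiry checks on. The file paths, the backend name mail.example.com and the assumption that the cPanel certificate carries that name are placeholders I chose, not values from the post.

```apacheconf
# Added example: reverse proxy to a cPanel backend that presents a self-signed
# certificate, keeping mod_ssl peer verification enabled by pinning that cert.
# All paths and host names below are placeholders (assumptions), not the
# original poster's values.
<VirtualHost *:2096>
    ServerName domain.com

    # Front-end (client-facing) TLS, unchanged from the question's setup.
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/domain.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/domain.com.key
    SSLCACertificateFile    /etc/ssl/certs/domain.com.cabundle

    # Backend TLS: verify the peer, but trust exactly one certificate, the
    # backend's own self-signed cert exported from cPanel and copied here.
    # A self-signed cert listed in this file is accepted as its own root.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/cpanel-backend-selfsigned.crt
    # 2.4.5+: SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN.
    SSLProxyCheckPeerName on
    # Default is on; left explicit so the intent is visible in review.
    SSLProxyCheckPeerExpire on

    # Proxy by the name the backend certificate carries so the peer-name
    # check has something to match. Assumes mail.example.com is the CN/SAN
    # of the cPanel cert and resolves to the backend (e.g. via /etc/hosts on
    # the front end). ProxyPreserveHost off keeps the backend URL's host name
    # as the name the proxy connects to and verifies against.
    ProxyPreserveHost off
    ProxyPass        / https://mail.example.com:2096/
    ProxyPassReverse / https://mail.example.com:2096/
    ProxyPassReverseCookieDomain mail.example.com domain.com
    ProxyPassReverseCookiePath / /
</VirtualHost>
```

Before deciding between pinning and the answers' "off" switches, look at what the backend actually presents, because AH00898 is raised for a name mismatch, an expired certificate and an untrusted chain alike: `openssl s_client -connect 184.xx.xx.xx:2096 -servername domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates` prints the subject and validity period, which tells you which check is the one failing. When the cPanel certificate is regenerated (cPanel does this on its own schedule), the pinned copy in SSLProxyCACertificateFile has to be replaced as well, which is a good thing to monitor for rather than a reason to disable verification.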

I'm also getting the same error but in my case, the accepted answer here solved this error: https://stackoverflow.com/questions/47718508/apache-proxypass-https-and-remote-server-with-sni

I added

ProxyAddHeaders off
ProxyPreserveHost off
jacob

I cannot explain why it suddenly fails, but I just ran into a similar case where Apache failed to connect as a proxy to another HTTPS server, which was running on a non-standard port.

The solution in my case: If you want to connect to:

ProxyPass / https://184.xx.xx.xx:2096/

then also add:

AllowCONNECT 443 2096

(i.e. add the port 2096 to the list of ports Apache is allowed to make CONNECT requests to, in order to start a TLS connection)

See also: the Apache HTTPD reference documentation for AllowCONNECT in the mod_proxy_connect module.