TL;DR: Web tasks taking longer than 5 minutes through an Apache ReverseProxy error out. Tasks/reports of shorter duration succeed. Directly accessing reports succeeds (http://internalserver/foobar.aspx instead of http://public.mycompany.com/foobar.aspx). Where should I be looking and what timeouts am I missing?

I have an Apache instance that is switching to HTTPS then ProxyPassing a request along its merry way... into a Windows Server 2012 R2 IIS 8 instance.

Browser <==> 
Apache 2.2.15 <==> 
IIS 8 (Windows 2012 R2, IIS 8.5.9600.16384) <==> 
Web App (<==> database)

Everything is going just cheeky - until a "long running" report is kicked off. When run directly on the Windows server, the report takes ~6 minutes. When run from the Browser, shorter reports succeed - but this one eventually fails.

Web Page Error:

502 Proxy Error

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /app/LongRunningReport.aspx.

Reason: Error reading from remote server

ssl_error:

==> ssl_error_log <==
[Wed Nov 04 14:59:48 2015] [error] [client 192.168.1.225] (104)Connection reset by peer: proxy: error reading status line from remote server 192.168.1.179
[Wed Nov 04 14:59:48 2015] [error] [client 192.168.1.225] proxy: Error reading from remote server returned by /app/LongRunningReport.aspx

ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen 192.168.1.101:443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  1200
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 192.168.1.101:443>
  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLCertificateFile conf.d/ssl.crt/test.crt
  SSLCertificateKeyFile conf.d/ssl.key/test.key
  SSLCertificateChainFile conf.d/ssl.crt/2015.crt
  SSLCACertificateFile conf.d/ssl.crt/Company_Root_CA.cer
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  ServerName test.company.com
  RedirectMatch ^/$ https://test.company.com/app/login.aspx

  SSLProxyEngine on
  ProxyPass        / https://192.168.1.179/
  ProxyPassReverse / https://192.168.1.179/

  SetEnv force-proxy-request-1.0 1
  SetEnv proxy-nokeepalive 1
  SetEnv proxy-initial-not-pooled 1

  TimeOut 1200
  ProxyTimeout 1200
</VirtualHost>
SSLInsecureRenegotiation off
SSLHonorCipherOrder on

IIS Settings:
Advanced Settings > Limits > Connection Time-out (seconds): 1200
Session State > Cookie Settings > Timeout (in minutes): 20

We've tried increasing all the Timeout settings we can to 1200 (20 minutes) - inside Apache and IIS.

What am I missing? What can be causing a proxy error message between Apache and IIS?

WernerCD
  • Is your IIS using a self signed certificate? Might be that Apache is trying to negotiate an SSL connection with a certificate he cannot validate. – Mauricio López Nov 10 '15 at 20:14
  • Can you try bumping your `LogLevel` up to debug and see if anything gets reported there around the timeout? – Gagravarr Nov 10 '15 at 20:33
  • @MauricioLópez The process works if it's under 5 minutes. A report that takes 2 minutes completes successfully. One that takes 6 minutes doesn't - it gives the above errors. The "Web <==> Apache" link is SSL Signed via Entrust. The "Apache <==> IIS" is self signed, but again it works for tasks under 5 minutes. – WernerCD Nov 10 '15 at 21:55
  • @Gagravarr I had LogLevel Debug, but had too much "noise". I'm not at my desk currently, but I meant to research ignoring stuff at debug level (network tools that check the website every minute. Light traffic outside of this query. etc.) Failing that, I'll have to re-enable and just filter out the noise. I don't recall anything that stood out when I had it enabled, but I had to clear it because of how big the logs got. – WernerCD Nov 10 '15 at 21:59

0 Answers