I'm trying to set SSL settings for health checks on load balancers. According to the documentation, SSLProxy* directives should work inside a Proxy section. So what I'm trying to do is the following (I left out unimportant config stuff):

  <VirtualHost ...>
    SSLProxyEngine on
    <Proxy balancer://mybalancer>
      SSLProxyProtocol [a protocol]
      SSLProxyCipherSuite [a cipher suite]
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
  </VirtualHost>

Like this, SSLProxyProtocol and SSLProxyCipherSuite have no effect on the health checks, only on normal requests.

If I move the directives up to VHost level, health checks are executed with the correct settings:

  <VirtualHost ...>
    SSLProxyEngine on
    SSLProxyProtocol [a protocol]
    SSLProxyCipherSuite [a cipher suite]
    <Proxy balancer://mybalancer>
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
  </VirtualHost>

But what I need are different SSL/TLS settings for different load balancers. I'm working with Apache version 2.4.33.

I am wondering if someone experiences the same problems, or if someone was able to successfully set up a configuration like this?

USP-dos
  • You do not show your ProxyPass and ProxyPassReverse directives, but let's assume `https://www.example.com/test` is mapped to your `balancer://mybalancer`. So does the health check call `https://www.example.com/test` or just `https://www.example.com`? If it does not call with the `/test`, it would make sense for the configurations inside the proxy section not to be used. I have seen a tool that does the SSL checks only on the domain as a whole; it does not care about the URI section. – Nic3500 Jun 27 '18 at 19:53
  • The health check would call /healthcheck.php in the above example (hcuri=/healthcheck.php), but it's a good input, thanks. I will check this. – USP-dos Jun 28 '18 at 07:05
  • So you have a `ProxyPass "/healthcheck.php" "balancer://mybalancer"` somewhere? The `hc` parameters are only for health checks; they do not define what your client will put in the URL to reach your balancer. – Nic3500 Jun 28 '18 at 18:01
  • No, I don't have `ProxyPass "/healthcheck.php" "balancer://mybalancer"`, but I have quickly checked it, and it makes no difference. I know that hc parameters are only for health checks. As I said, for _normal_ requests (e.g. a request to / which is mapped to balancer://mybalancer) it works perfectly, but the health checks still have the wrong settings. – USP-dos Jun 29 '18 at 10:05
  • See this duplicate for a solution: https://stackoverflow.com/questions/51261409/apache-loadbalancing-ssl-tls-settings-for-healthchecks – USP-dos Sep 04 '18 at 12:40

1 Answer

Thanks to Yann and Armin for help on this. It works with the patch provided in this bug report:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62556#c6

(You only need attachment 36043; the other patch is wrong/not needed!)

As discussed there, the problem is that the worker for the balancer member is not correctly initialized. This is why we have to set at least one proxy parameter.

If we extend the above Proxy balancer:// definition like below, it works (after the patch, of course):

<Proxy balancer://mybalancer2 lbmethod=byrequests>

We can take any of the lb parameters here, and we can easily set it to the default value (lbmethod=byrequests is the default, so nothing is changed except that the worker is correctly initialized).

The complete, working example from above:

<VirtualHost ...>
    SSLProxyEngine on
    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the longer path ("/2") has to come before "/".
    ProxyPass "/2" "balancer://mybalancer2"
    ProxyPass "/"  "balancer://mybalancer"
    # Per-balancer TLS settings; lbmethod=byrequests is the default and is set
    # only so that the worker gets initialized.
    <Proxy balancer://mybalancer lbmethod=byrequests>
      SSLProxyProtocol [a protocol]
      SSLProxyCipherSuite [a cipher suite]
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
    <Proxy balancer://mybalancer2 lbmethod=byrequests>
      SSLProxyProtocol [another protocol]
      SSLProxyCipherSuite [another cipher suite]
      BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend4.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
    </Proxy>
</VirtualHost>

The patch should be included in the next release, probably 2.4.35.

USP-dos
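
A config check for the pitfall described in the answer above, as an added example that is not part of the original post or of Apache httpd: it flags `<Proxy balancer://...>` sections that set SSLProxy* directives and health-checked members but carry no `key=value` parameter on the section line. The function name `lint_balancers`, the balancer names and the TLS values in the sample are constructed for illustration, and the rule itself assumes the behaviour the answer describes.

```python
import re

# Opening <Proxy balancer://name [key=value ...]> line, optionally quoted.
PROXY_OPEN = re.compile(r'^\s*<Proxy\s+"?(balancer://[^\s">]+)"?([^>]*)>', re.I)
PROXY_CLOSE = re.compile(r'^\s*</Proxy>', re.I)
SSL_DIRECTIVE = re.compile(r'^\s*SSLProxy\w+\b', re.I)
HC_MEMBER = re.compile(r'^\s*BalancerMember\b.*\bhc\w+=', re.I)

def lint_balancers(conf_text):
    """Return balancer names whose section combines SSLProxy* directives with
    health-checked members but has no parameter on the <Proxy> line."""
    findings, current = [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # ignore comment lines
        opened = PROXY_OPEN.match(line)
        if opened:
            current = {"name": opened.group(1), "ssl": False, "hc": False,
                       "has_param": "=" in opened.group(2)}
        elif current and PROXY_CLOSE.match(line):
            if current["ssl"] and current["hc"] and not current["has_param"]:
                findings.append(current["name"])
            current = None
        elif current:
            current["ssl"] = current["ssl"] or bool(SSL_DIRECTIVE.match(line))
            current["hc"] = current["hc"] or bool(HC_MEMBER.match(line))
    return findings

# Constructed sample: the first balancer follows the answer's form, the second
# repeats the question's form (no parameter on the <Proxy> line).
SAMPLE = """
<Proxy balancer://modern lbmethod=byrequests>
  SSLProxyProtocol TLSv1.2
  SSLProxyCipherSuite HIGH:!aNULL
  BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
</Proxy>
<Proxy balancer://legacy>
  SSLProxyProtocol TLSv1.2
  SSLProxyCipherSuite HIGH:!aNULL
  BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
</Proxy>
"""

if __name__ == "__main__":
    for name in lint_balancers(SAMPLE):
        print(f"{name}: SSLProxy* settings may not reach health checks")
```

A clean result only means the section has the form the answer recommends; on a build without the patch from the bug report, the health checks can still use the VirtualHost-level settings.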