Apache LoadBalancing: SSL/TLS settings for healthchecks

Question

I'm trying to setup a loadbalancer with apache. The communication to the backend servers is TLS-encrypted. When i enable healthchecks, this works as long as the ProxySSL* directives are set on VHost Level, and not inside the Proxy section. When i move them inside the Proxy section, the SSL/TLS settings are no longer evaluated correctly (the connection to the backend uses the default SSL/TLS settings and not the one specified). But according to documentation, it should be possible to define SSL/TSL settings inside a Proxy section, which should allow to set different SSL/TLS settings for different LoadBalancers.

What works:

  <VHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    SSLProxyProtocol [a protocol]
    SSLProxyCipherSuite  [a cipher suite]
    <Proxy balancer://mybalancer>
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
   </Proxy>
  </VHost>

In the above example, healthchecks, as well as ordinary requests use the Protocol and CipherSuite specified. The problem with this solution is, that i cannot create a second balancer inside the same VHost with different SSL/TLS settings. Unfortunately thats exactly what i need.

What does not work:

<VHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    ProxyPass "/2"  "balancer://mybalancer2"
    <Proxy balancer://mybalancer>
      SSLProxyProtocol [a protocol]
      SSLProxyCipherSuite  [a cipher suite]
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
   </Proxy>
    <Proxy balancer://mybalancer2>
      SSLProxyProtocol [another protocol]
      SSLProxyCipherSuite  [another cipher suite]
      BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend4.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
   </Proxy>
</VHost>

Like this, Protocol and CipherSuite specified have no effect on healthchecks, instead, healthchecks for both balancers use the default settings specified in the global scope of httpd.conf.

I think setting SSLProtocol and SSLCipherSuite for healthchecks is a quite common case, and i'm wondering if someone has a setup that works, or if someone has faced the same problems.

Thanks in advance for any help or hints where to look further.

Answer 1

thanks to yann and armin for help on this. it works with the patch provided in this bug-report:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62556#c6

(you only need attachment 36043, the other patch is wrong/not needed!)

as discussed there, the problem is that the worker for the balancer member is not correctly initialized. this is why we have to set at least one proxy parameter.

If we extend the above Proxy balancer:// definition like below, it works:(after the patch, of course):

<Proxy balancer://mybalancer2 lbmethod=byrequests> 

We can take any of the lb-parameters here, and we can easily set it to the default value. (lbmethod=byrequests is default, so nothing is changed except the worker is correctly initialized).

the complete, working example from above:

<VHost ...>
    SSLProxyEngine on
    ProxyPass "/"  "balancer://mybalancer"
    ProxyPass "/2"  "balancer://mybalancer2"
    <Proxy balancer://mybalancer lbmethod=byrequests>
      SSLProxyProtocol [a protocol]
      SSLProxyCipherSuite  [a cipher suite]
      BalancerMember https://www.backend1.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend2.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
   </Proxy>
    <Proxy balancer://mybalancer2 lbmethod=byrequests>
      SSLProxyProtocol [another protocol]
      SSLProxyCipherSuite  [another cipher suite]
      BalancerMember https://www.backend3.com hcinterval=1 hcmethod=get hcuri=/healthcheck1.php
      BalancerMember https://www.backend4.com hcinterval=1 hcmethod=get hcuri=/healthcheck2.php
   </Proxy>
</VHost>

the patch should be included in the next release, maybe probably 2.4.35