We have 2 Proxy directives for a virtual host organized like this in our Apache 2.4 reverse proxy configuration:
<Proxy https://xx.xx.xx.xx:ppp/>
SSLProxyVerify require
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyMachineCertificateFile <pem file>
SSLProxyCACertificateFile <crt file>
</Proxy>
<Proxy https://yy.yy.yy.yy:qqq/>
SSLProxyVerify require
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyMachineCertificateFile <path to second pem file>
SSLProxyCACertificateFile <path of second crt file>
</Proxy>
As you can see, both downstream servers require mutual TLS. Then we have the appropriate ProxyPass and ProxyPassReverse directives to redirect URLs to the above URLs, like below:
ProxyPass /url1/ https://xx.xx.xx.xx:ppp/url2/
ProxyPassReverse /url1/ https://xx.xx.xx.xx:ppp/url2/
...
ProxyPass /url3/ https://yy.yy.yy.yy:qqq/url4/
ProxyPassReverse /url3/ https://yy.yy.yy.yy:qqq/url4/
This configuration was working until we recently upgraded packages on the proxy machine, which runs a RHEL 9 derivative distro. The other side is a RHEL 7 derivative distro.
Now we get a 502 proxy error when accessing URLs that go to the second server (/url3) but not when we access the first server (/url1). The browser reports the following:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
Examining the logs on the downstream server suggests that the proxy may not be using the client cert when connecting to the second server (yy.yy.yy.yy in this case).
What could be going wrong? How does one debug this?
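One way to isolate the failure described above is to reproduce the proxy's outbound mTLS handshake to the second upstream outside of httpd, using the same client PEM and CA file the second `<Proxy>` block references. The script below is an added example, not code from the question or from Apache; the host, port and file paths are placeholders you supply on the command line.

```bash
#!/usr/bin/env bash
# Added helper: reproduce mod_proxy's outbound mutual-TLS handshake with
# openssl s_client so that "proxy not sending the client cert" can be told
# apart from "proxy does not trust the upstream server cert".
# Usage: ./check_upstream.sh yy.yy.yy.yy qqq second.pem second.crt (placeholders)

# Classify s_client output. Returns 0 when the handshake completed and the
# upstream cert verified, 2 when the upstream rejected us with a TLS alert
# (typically a missing or unacceptable client certificate), 1 otherwise
# (the upstream's own certificate failed verification against the CA file).
classify_handshake() {
    local out="$1"
    if printf '%s' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        return 0
    elif printf '%s' "$out" | grep -qE 'alert (bad certificate|certificate required|unknown ca|handshake failure)'; then
        return 2
    else
        return 1
    fi
}

# Connect the way the <Proxy> block does: client cert and key from the PEM,
# SSLProxyCACertificateFile equivalent via -CAfile. No SNI, since the
# upstreams are addressed by IP and peer-name checks are off in the config.
test_upstream() {
    local host="$1" port="$2" client_pem="$3" ca_crt="$4" out rc=0
    out=$(openssl s_client -connect "$host:$port" \
          -cert "$client_pem" -key "$client_pem" -CAfile "$ca_crt" </dev/null 2>&1)
    classify_handshake "$out" || rc=$?
    case $rc in
        0) echo "OK: mutual TLS handshake completed with $host:$port" ;;
        2) echo "REJECTED: upstream refused the client certificate; confirm $client_pem holds both cert and key and the upstream trusts its issuer" ;;
        *) echo "VERIFY FAILED: upstream cert not trusted by $ca_crt"
           printf '%s\n' "$out" | grep -E 'Verify return code|error' ;;
    esac
    return $rc
}

# Summarise the client cert: issuer, expiry and signature algorithm, which are
# the fields worth comparing against what the upstream's logs complain about.
cert_summary() {
    openssl x509 -in "$1" -noout -text \
        | grep -E 'Signature Algorithm|Issuer:|Not After|Subject:' | head -4
}

if [ "$#" -eq 4 ]; then
    cert_summary "$3"
    test_upstream "$@"
fi
```

Run it from the proxy host as the httpd user so file permissions on the PEM are exercised too; if this succeeds while httpd still fails, raise `LogLevel ssl:debug proxy:debug` on the proxy and compare the handshake it logs for the two upstreams.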