Problems With ProxyPass To A Local Ip (using SSL)


Hi all,

I am trying to set up an Apache virtualhost under CentOS 6.7 that needs to redirect requests from port 444 to port 5100 on its local IP. But I am making some mistake, because every time I'm receiving a loop error.

My current httpd config for this virtualhost is:

NameVirtualHost 192.168.1.5:444

<VirtualHost 192.168.1.5:444>
ServerName myweb01.local.domain
ErrorLog logs/ssl_error.log
CustomLog logs/ssl_access.log combined
CustomLog logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel info
SSLEngine on
SSLProxyEngine On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXP:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
SSLCertificateFile /etc/httpd/certs/server.crt
SSLCertificateKeyFile /etc/httpd/certs/server.key
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.1.5:5100/
ProxyPassReverse / http://192.168.1.5:5100/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "444"
RewriteEngine On
RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
</VirtualHost>

As you can see, I need to redirect from port 444 to port 5100 and protect it using SSL.

I’ve configured iptables rules to drop connections to port 5100 directly:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Any idea how to accomplish/resolve this?

Thanks.

6 thoughts on - Problems With ProxyPass To A Local Ip (using SSL)

  • More info in my ssl_error.log:

    [Mon Feb 29 14:32:06 2016] [info] [client 10.64.118.59] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
    [Mon Feb 29 14:32:06 2016] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

  • Well, that just looks like you’re making an http request instead of https in your browser. It doesn’t tell us anything about what’s looping.

  • Right, this is due to the changes in the Rewrite rule. I am doing some modifications and now the only error is:

    SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

    Any idea how to fix this?

  • On 01.03.2016 at 12:31, C. L. Martinez wrote:

    How is your client making the request to the proxy (full URI)?

  • I think you need to figure out whether you want to proxy those requests or rewrite them. You can’t reasonably do both.

    If you want to keep them SSL protected, then you don’t need the rewrite rule at all. Drop it. Right now, you’re redirecting clients to the same URL that they loaded to begin with, which is why your client is warning you about a loop.
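    An added check, not from the thread, that applies the point above mechanically: it parses a VirtualHost block (a constructed, cut-down copy of the one in the question, assuming the usual `<VirtualHost addr:port>` form) and reports any RewriteRule with an R flag whose target is the vhost's own ServerName and port, which is exactly the self-redirect that produces the loop, plus ProxyPass targets whose hop from Apache to the backend is not TLS.

```python
from urllib.parse import urlsplit

# Constructed sample: the thread's vhost, one directive per line, cut to the loop-relevant lines.
SAMPLE_VHOST = """
<VirtualHost 192.168.1.5:444>
ServerName myweb01.local.domain
ProxyPass / http://192.168.1.5:5100/
ProxyPassReverse / http://192.168.1.5:5100/
RewriteEngine On
RewriteRule ^/(.*) https://myweb01.local.domain:444/$1 [R,L]
</VirtualHost>
"""

def parse_vhost(text):
    """Listen port, ServerName, ProxyPass targets and external-redirect ([R]) RewriteRule targets."""
    cfg = {"port": None, "server_name": None, "proxy": [], "redirects": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):  # assumes addr:port form, as in the thread
            cfg["port"] = int(line.rstrip(">").rsplit(":", 1)[1])
            continue
        parts = line.split()
        name = parts[0].lower()
        if name == "servername" and len(parts) > 1:
            cfg["server_name"] = parts[1].lower()
        elif name == "proxypass" and len(parts) > 2:
            cfg["proxy"].append(parts[2])
        elif name == "rewriterule" and len(parts) > 2:
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            if any(f.startswith("R") for f in flags):  # R, R=301, R=302 ...
                cfg["redirects"].append(parts[2])
    return cfg

def find_self_redirects(cfg):
    """Redirect targets naming this vhost's own ServerName and port: every request is answered with a redirect to the URL just requested."""
    loops = []
    for target in cfg["redirects"]:
        u = urlsplit(target)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue  # relative target, nothing to compare against
        port = u.port or (443 if u.scheme == "https" else 80)
        if u.hostname.lower() == cfg["server_name"] and port == cfg["port"]:
            loops.append(target)
    return loops

def cleartext_backends(cfg):
    """ProxyPass targets whose hop from Apache to the backend is not TLS (http://, ajp://)."""
    return [t for t in cfg["proxy"] if urlsplit(t).scheme != "https"]
```

    With the RewriteRule line removed, `find_self_redirects` returns an empty list, matching the advice above to drop it.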

  • Ok, problem solved. In the end, the redirection needs to go to a Tomcat server that uses this commercial solution. Changing:

    ProxyPass / http://192.168.1.5:5100/
    ProxyPassReverse / http://192.168.1.5:5100/

    to

    ProxyPass / ajp://192.168.1.5:5100/
    ProxyPassReverse / ajp://192.168.1.5:5100/

    … problem solved.

    Many thanks to all for your help.