Apache2 forward proxy fails to connect to https sites

I have a strange problem that looks to me like a bug.

I am using apache 2.2 as a simple forward proxy.

The same setup works on another server (same operating system, same version).

I simply install apache2 and enable the modules proxy, proxy_http and proxy_connect and set up proper authentication methods.

Normal http requests work fine, but https requests display (after some waiting time) the following error in the browser (Chrome):

Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error. 

The apache error log displays the following:

[Tue Dec 27 18:30:17 2011] [error] [client ***] (20014)Internal error: proxy: error reading status line from remote server ***.com
[Tue Dec 27 18:30:17 2011] [error] [client ***] proxy: Error reading from remote server returned by ***.com:443

I read some bug reports and googled the error and found some material about this in reverse proxy setups, and I set some environment variables to disable keep-alives, but it did not solve the problem.

The strange thing is that on another server it seems to work just fine!

Can anybody point me in the right direction with this error?

edit:

The servers run on Ubuntu 10.04.3 LTS, but I also reproduced the problem on a test server which runs Ubuntu 10.04 LTS.

The exact apache version affected is:

[email protected]:/home/pm-peer# apache2ctl -V
Server version: Apache/2.2.14 (Ubuntu)
Server built:   Nov  3 2011 03:29:23
Server's Module Magic Number: 20051115:23
Server loaded:  APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.8, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="/var/run/apache2/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

My configuration which differs from the default is the following:

ServerLimit 1024

ProxyRequests On
ProxyVia Block
ProxyStatus Off

# i tried the following to solve the problem
#SetEnv force-proxy-request-1.0 1
#SetEnv proxy-nokeepalive 1
#SSLProxyEngine on

DefineExternalAuth proxy_auth pipe /home/pm-peer/proxy_auth.php

<Proxy *>
    Allow from 127.0.0.1

    AuthType Basic
    AuthName "Password Required"
    AuthBasicProvider external
    AuthExternal proxy_auth
    Require valid-user

    # tried the following directives also inside the proxy container
    #SetEnv force-proxy-request-1.0 1
    #SetEnv proxy-nokeepalive 1
</Proxy>

I also tried upgrading the other server where everything works with apt-get upgrade, because I suspected that maybe an update caused this error. But after the upgrade and an apache restart everything still worked.

I think I must have (without knowing it) done something on the other server that made it work, but I have no clue what it could be. Maybe I installed a package or library that is missing?

I start with an Ubuntu minimal version and install the following; that's pretty much it:

apt-get install -y php5-cli libapache2-mod-php5 php5-curl libapache2-mod-authnz-external logrotate php5-mysql
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_connect
a2enmod rewrite
a2enmod headers
a2enmod authnz_external

Reply

Wow, there could be a lot of things wrong. How sure are you that your Apache2 proxy was compiled with SSL support (not saying that it needs to be but it might help)? Your compile options that you listed do not show this. Also, can you tell us what your destination SSL server is? Is it also an Apache2 server? If so, is it listening on all interfaces or just localhost?

What happens if you set the Apache environment variable "proxy-initial-not-pooled"?

As so often the solution was trivial and the cause pure stupidity.

I had a ProxyMatch rule defined that interfered with the configuration.

Thanks for the help anyway.

Category: apache 2.2 Time: 2011-12-27 Views: 1
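
The thread ends with a ProxyMatch rule that was present on the failing server only. As an added example (not code from the original post), this Python script lists every active proxy-relevant directive with its enclosing section and reports what one config has that the other lacks. The two sample configs and the ProxyMatch pattern are constructed, since the post does not show the actual rule.

```python
import re

# Directive/section names that change how mod_proxy handles a request.
PROXY_NAME = re.compile(r"^(Proxy\w*|NoProxy|AllowCONNECT|SSLProxy\w*)$", re.I)
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
REWRITE_P = re.compile(r"\[[^\]]*\bP\b[^\]]*\]\s*$")  # RewriteRule ... [P]

def proxy_directives(conf_text):
    """Return {(enclosing section, directive)} for every proxy-relevant line."""
    found, stack = set(), []          # stack holds (section text, is_proxy)
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue                  # commented-out directives have no effect
        if line.startswith("</"):
            stack = stack[:-1]        # leave the innermost section
            continue
        inside_proxy = any(is_proxy for _, is_proxy in stack)
        opened = OPEN.match(line)
        name = opened.group(1) if opened else line.split()[0]
        relevant = (PROXY_NAME.match(name) is not None
                    or (name.lower() == "rewriterule" and REWRITE_P.search(line))
                    or (name.lower() == "setenv" and "proxy" in line.lower()))
        if relevant or inside_proxy:  # keep access rules nested in <Proxy*> too
            found.add((stack[-1][0] if stack else "(server)", line))
        if opened:
            stack.append((line, bool(relevant or inside_proxy)))
    return found

def only_in(conf_a, conf_b):
    """Proxy-relevant entries present in conf_a but missing from conf_b."""
    return sorted(proxy_directives(conf_a) - proxy_directives(conf_b))

# Constructed sample: a subset of the question's config (the working server).
WORKING = """ProxyRequests On
#SetEnv proxy-nokeepalive 1
<Proxy *>
    Allow from 127.0.0.1
    Require valid-user
</Proxy>
"""
# Constructed stand-in for the unshown ProxyMatch rule (pattern is hypothetical).
BROKEN = WORKING + """<ProxyMatch "^http://blocked.example/">
    Deny from all
</ProxyMatch>
"""

if __name__ == "__main__":
    print(*only_in(BROKEN, WORKING), sep="\n")
```

Feed it the concatenated contents of apache2.conf and every included file from each server, so that rules defined in conf.d or sites-enabled are compared as well.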

Copyright (C) avrocks.com, All Rights Reserved.
