Problems with mod_ssl and mod_proxy

Hallo,

I have a problem with Apache Server (Apache/2.2.14 (Win32) mod_ssl/2.2.14 O=
penSSL/0.9.8k):

I want to set up that the server controll a client-cert and, if it is OK, c=
onnect with a ProxyPass to the right server.

The config:

LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule dumpio_module modules/mod_dumpio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so


Order Deny,Allow
Deny from all
=20

ProxyRequests Off

NameVirtualHost :443

:443>
DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
ServerName
ServerAlias

SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile
SSLVerifyClient require
SSLVerifyDepth 10

ProxyPreserveHost On
ProxyPass /
ProxyPassReverse /



When I connect to the server now, the browser loads some time and then give=
s me a timeout. What do I wrong?

Viele Grüße
Jan=

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: Problems with mod_ssl and mod_proxy

> -----Original Message-----
> From: Jan Luca Naumann [mailto:jan@naumannsfamily.de]=20
> Sent: Tuesday, December 08, 2009 3:53 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Problems with mod_ssl and mod_proxy
>=20
> Hallo,
>=20
> I have a problem with Apache Server (Apache/2.2.14 (Win32)=20
> mod_ssl/2.2.14 OpenSSL/0.9.8k):
>=20
> I want to set up that the server controll a client-cert and,=20
> if it is OK, connect with a ProxyPass to the right server.
>=20
> ...
>=20
>
> Order Deny,Allow
> Deny from all
> =20
>=20
> ProxyRequests Off
>=20
> NameVirtualHost :443
>=20
> :443>
> DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
> ServerName
> ServerAlias
>=20
> SSLEngine on
> SSLCertificateFile
> SSLCertificateKeyFile
> SSLCACertificateFile
> SSLVerifyClient require
> SSLVerifyDepth 10
>=20
> ProxyPreserveHost On
> ProxyPass /
> ProxyPassReverse /
>
>=20
>=20
> When I connect to the server now, the browser loads some time=20
> and then gives me a timeout. What do I wrong?

Break the problem into two parts and get the ProxyPass working before =
worrying about the SSL client verification. What happens if you comment =
out all the SSL stuff and try to get to the back-end server with a plain =
HTTP virtual host?

If that times out, what happens if you try to access the back-end =
directly (from a client that has TCP/IP access, obviously)?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.=20

>=20
> Viele Grüße
> Jan
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP=20
> Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>=20
>=20
=20
This message is for the named person's use only. It may contain =
confidential, proprietary or legally privileged information. If you =
receive this message in error, please notify the sender urgently and =
then immediately delete the message and any copies of it from your =
system. Please also immediately destroy any hardcopies of the message.=20
The sender's company reserves the right to monitor all e-mail =
communications through their networks.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

AW: Problems with mod_ssl and mod_proxy

Hi,

without all SSL stuff I geta timeout, too, but the right webserver is OK.

Viele Grüße
Jan

________________________________________
Von: Boyle Owen [Owen.Boyle@six-group.com]
Gesendet: Dienstag, 8. Dezember 2009 16:51
An: users@httpd.apache.org
Betreff: RE: [users@httpd] Problems with mod_ssl and mod_proxy

> -----Original Message-----
> From: Jan Luca Naumann [mailto:jan@naumannsfamily.de]
> Sent: Tuesday, December 08, 2009 3:53 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Problems with mod_ssl and mod_proxy
>
> Hallo,
>
> I have a problem with Apache Server (Apache/2.2.14 (Win32)
> mod_ssl/2.2.14 OpenSSL/0.9.8k):
>
> I want to set up that the server controll a client-cert and,
> if it is OK, connect with a ProxyPass to the right server.
>
> ...
>
>
> Order Deny,Allow
> Deny from all
>
>
> ProxyRequests Off
>
> NameVirtualHost :443
>
> :443>
> DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
> ServerName
> ServerAlias
>
> SSLEngine on
> SSLCertificateFile
> SSLCertificateKeyFile
> SSLCACertificateFile
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> ProxyPreserveHost On
> ProxyPass /
> ProxyPassReverse /
>
>
>
> When I connect to the server now, the browser loads some time
> and then gives me a timeout. What do I wrong?

Break the problem into two parts and get the ProxyPass working before worry=
ing about the SSL client verification. What happens if you comment out all =
the SSL stuff and try to get to the back-end server with a plain HTTP virtu=
al host?

If that times out, what happens if you try to access the back-end directly =
(from a client that has TCP/IP access, obviously)?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> Viele Grüße
> Jan
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP
> Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

This message is for the named person's use only. It may contain confidentia=
l, proprietary or legally privileged information. If you receive this messa=
ge in error, please notify the sender urgently and then immediately delete =
the message and any copies of it from your system. Please also immediately =
destroy any hardcopies of the message.
The sender's company reserves the right to monitor all e-mail communication=
s through their networks.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org=

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: AW: Problems with mod_ssl and mod_proxy

Jan Luca Naumann wrote:
>>

Some additional tips :

You also need a line

Listen :443
....

>> NameVirtualHost :443
>>
>> :443>


Start Apache.
Open a command window, and enter : netstat -an | more
You should see a line like :

TCP :443 0.0.0.0:0 ABHÖREN

do you ?

Is the Windows firewall enabled ?
If yes, does it allow incoming connections on port 443 ?
(or turn off the firewall)



------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org