reverse proxy with apache 1.3 and apache 2.2

Hello,

I have to migrate a working reverse proxy from apache-ssl
1.3.33-6sarge3 to apache2 2.2.9-10+lenny6 with ssl but I encounter a
critical issue : when I try to access the website from behind a proxy,
it's working with apache 1.3 but not with apache 2.2 (without proxy,
it's working fine for both version).

The error displayed in the error.log is : [error] (104)Connection
reset by peer: proxy: prefetch request body failed to 192.168.20.8
(intra-8.lan) from a.b.c.d ()

Both server have IP address in the same subnet and have only this
virtual host enabled.

I have tried some tweak in the configuration but I'm clueless to find
any parameter correcting this behavior. Bellow is the apache-ssl 1.3
config vhost file :

ServerName extranet.enterprise.com
ServerAdmin support@enterprise.com
SSLCertificateFile /etc/apache-ssl/ssl/ip-13.crt
SSLCertificateKeyFile /etc/apache-ssl/ssl/ip-13.key
ProxyPass / http://intra-8.lan/
ProxyPassReverse / http://intra-8.lan/


An here is the apache 2.2 config file :


ServerName extranet-new.enterprise.com
ServerAdmin support@enterprise.com
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/ip-14.crt
SSLCertificateKeyFile /etc/apache2/ssl/ip-14.key
ProxyRequests Off

Order Deny,Allow
Allow from all

ProxyPass / http://intra-8.lan/
ProxyPassReverse / http://intra-8.lan/



I really need to migrate this website to the new server, any idea ?

Jeremie

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: reverse proxy with apache 1.3 and apache 2.2

At first guess it seems like your server intra-8.lan is dropping
connections for the new server.

Does intra-8.lan restrict connections from certain IPs?

On Thu, Dec 17, 2009 at 11:54 PM, J=E9r=E9mie G wrote:
> Hello,
>
> I have to migrate a working reverse proxy from apache-ssl
> 1.3.33-6sarge3 to apache2 2.2.9-10+lenny6 with ssl but I encounter a
> critical issue : when I try to access the website from behind a proxy,
> it's working with apache 1.3 but not with apache 2.2 (without proxy,
> it's working fine for both version).
>
> The error displayed in the error.log is : [error] (104)Connection
> reset by peer: proxy: prefetch request body failed to 192.168.20.8
> (intra-8.lan) from a.b.c.d ()
>
> Both server have IP address in the same subnet and have only this
> virtual host enabled.
>
> I have tried some tweak in the configuration but I'm clueless to find
> any parameter correcting this behavior. Bellow is the apache-ssl 1.3
> config vhost file :
>
> =A0 =A0 =A0 =A0ServerName extranet.enterprise.com
> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache-ssl/ssl/ip-13.crt
> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache-ssl/ssl/ip-13.key
> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>
>
> An here is the apache 2.2 config file :
>
>
> =A0 =A0 =A0 =A0ServerName extranet-new.enterprise.com
> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
> =A0 =A0 =A0 =A0SSLEngine On
> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache2/ssl/ip-14.crt
> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache2/ssl/ip-14.key
> =A0 =A0 =A0 =A0ProxyRequests Off
> =A0 =A0 =A0 =A0
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Order Deny,Allow
> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Allow from all
> =A0 =A0 =A0 =A0
> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>
>
>
> I really need to migrate this website to the new server, any idea ?
>
> Jeremie
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project=
..
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>



--=20
"The secret impresses no-one, the trick you use it for is everything"
- Alfred Borden (The Prestiege)

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: reverse proxy with apache 1.3 and apache 2.2

Hello,

Unfortunately, there is no restriction of any sort on intra-8.lan. I
can access the website with links2 on the proxy server and remember
that when someone is browsing this proxy from Internet without a
proxy, it's working. To clarify :

This is working with apache 2.2 and apache 1.3 :
Customer =3D> *Internet* =3D> httpd reverse proxy =3D> intranet web server

This is only working with apache 1.3 :
Customer =3D> Customer proxy server =3D> *Internet* =3D> httpd reverse prox=
y
=3D> Intranet web server

Also remember that the httpd reverse proxy is serving https while the
Intranet web server is serving http (reverse proxy http from http is
working, but it's not an option for me).

Regards,
Jeremie

2009/12/21 Devraj Mukherjee :
> At first guess it seems like your server intra-8.lan is dropping
> connections for the new server.
>
> Does intra-8.lan restrict connections from certain IPs?
>
> On Thu, Dec 17, 2009 at 11:54 PM, J=E9r=E9mie G wrot=
e:
>> Hello,
>>
>> I have to migrate a working reverse proxy from apache-ssl
>> 1.3.33-6sarge3 to apache2 2.2.9-10+lenny6 with ssl but I encounter a
>> critical issue : when I try to access the website from behind a proxy,
>> it's working with apache 1.3 but not with apache 2.2 (without proxy,
>> it's working fine for both version).
>>
>> The error displayed in the error.log is : [error] (104)Connection
>> reset by peer: proxy: prefetch request body failed to 192.168.20.8
>> (intra-8.lan) from a.b.c.d ()
>>
>> Both server have IP address in the same subnet and have only this
>> virtual host enabled.
>>
>> I have tried some tweak in the configuration but I'm clueless to find
>> any parameter correcting this behavior. Bellow is the apache-ssl 1.3
>> config vhost file :
>>
>> =A0 =A0 =A0 =A0ServerName extranet.enterprise.com
>> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
>> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache-ssl/ssl/ip-13.crt
>> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache-ssl/ssl/ip-13.key
>> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
>> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>>
>>
>> An here is the apache 2.2 config file :
>>
>>
>> =A0 =A0 =A0 =A0ServerName extranet-new.enterprise.com
>> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
>> =A0 =A0 =A0 =A0SSLEngine On
>> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache2/ssl/ip-14.crt
>> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache2/ssl/ip-14.key
>> =A0 =A0 =A0 =A0ProxyRequests Off
>> =A0 =A0 =A0 =A0
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Order Deny,Allow
>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Allow from all
>> =A0 =A0 =A0 =A0
>> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
>> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>>
>>
>>
>> I really need to migrate this website to the new server, any idea ?
>>
>> Jeremie
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server Projec=
t.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
>
> --
> "The secret impresses no-one, the trick you use it for is everything"
> - Alfred Borden (The Prestiege)
>
> ------------------------------------------------------------ ---------
> The official User-To-User support forum of the Apache HTTP Server Project=
..
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: reverse proxy with apache 1.3 and apache 2.2

After several tests, I have isolated the error and it's related to
mod_ssl : take the exact same configuration, the exact same customer
proxy server and remove any reverse proxy mechanism and ...

with debian sarge, apache-ssl 1.3.33-6sarge3, this is working :
Customer =3D> Customer proxy =3D> *Internet* =3D> httpd 1.3.33 server (prot=
o https)

with debian etch, apache -ssl 1.3.34-4.1+etch1, this is *not* working ;
Customer =3D> Customer proxy =3D> *Internet* =3D> httpd 1.3.34 server (prot=
o =3D https)

I really have no clue how to solve this, my configuration files are
exactly the same for both servers and it's working when there is no
proxy between the customer and Internet !

The vhost file for both server is very simple :

DocumentRoot /var/www/testpage-ssl/

Options FollowSymLinks
AllowOverride None


Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all

LogLevel warn
SSLCertificateFile /etc/apache-ssl/ssl/ip.crt
SSLCertificateKeyFile /etc/apache-ssl/ssl/ip.key


This looks like a bug on the ssl implementation of httpd, a pretty big
one if there is no way to solve it as several of our customers have
the same issue, using different proxy software. I really can't believe
that this issue is not known.

Does any one know of a configuration tweak that solve this issue ?

Regards,
Jeremie



2009/12/21 J=E9r=E9mie G :
> Hello,
>
> Unfortunately, there is no restriction of any sort on intra-8.lan. I
> can access the website with links2 on the proxy server and remember
> that when someone is browsing this proxy from Internet without a
> proxy, it's working. To clarify :
>
> This is working with apache 2.2 and apache 1.3 :
> Customer =3D> *Internet* =3D> httpd reverse proxy =3D> intranet web serve=
r
>
> This is only working with apache 1.3 :
> Customer =3D> Customer proxy server =3D> *Internet* =3D> httpd reverse pr=
oxy
> =3D> Intranet web server
>
> Also remember that the httpd reverse proxy is serving https while the
> Intranet web server is serving http (reverse proxy http from http is
> working, but it's not an option for me).
>
> Regards,
> Jeremie
>
> 2009/12/21 Devraj Mukherjee :
>> At first guess it seems like your server intra-8.lan is dropping
>> connections for the new server.
>>
>> Does intra-8.lan restrict connections from certain IPs?
>>
>> On Thu, Dec 17, 2009 at 11:54 PM, J=E9r=E9mie G wro=
te:
>>> Hello,
>>>
>>> I have to migrate a working reverse proxy from apache-ssl
>>> 1.3.33-6sarge3 to apache2 2.2.9-10+lenny6 with ssl but I encounter a
>>> critical issue : when I try to access the website from behind a proxy,
>>> it's working with apache 1.3 but not with apache 2.2 (without proxy,
>>> it's working fine for both version).
>>>
>>> The error displayed in the error.log is : [error] (104)Connection
>>> reset by peer: proxy: prefetch request body failed to 192.168.20.8
>>> (intra-8.lan) from a.b.c.d ()
>>>
>>> Both server have IP address in the same subnet and have only this
>>> virtual host enabled.
>>>
>>> I have tried some tweak in the configuration but I'm clueless to find
>>> any parameter correcting this behavior. Bellow is the apache-ssl 1.3
>>> config vhost file :
>>>
>>> =A0 =A0 =A0 =A0ServerName extranet.enterprise.com
>>> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
>>> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache-ssl/ssl/ip-13.crt
>>> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache-ssl/ssl/ip-13.key
>>> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
>>> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>>>
>>>
>>> An here is the apache 2.2 config file :
>>>
>>>
>>> =A0 =A0 =A0 =A0ServerName extranet-new.enterprise.com
>>> =A0 =A0 =A0 =A0ServerAdmin support@enterprise.com
>>> =A0 =A0 =A0 =A0SSLEngine On
>>> =A0 =A0 =A0 =A0SSLCertificateFile =A0 =A0/etc/apache2/ssl/ip-14.crt
>>> =A0 =A0 =A0 =A0SSLCertificateKeyFile /etc/apache2/ssl/ip-14.key
>>> =A0 =A0 =A0 =A0ProxyRequests Off
>>> =A0 =A0 =A0 =A0
>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Order Deny,Allow
>>> =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0Allow from all
>>> =A0 =A0 =A0 =A0
>>> =A0 =A0 =A0 =A0ProxyPass / http://intra-8.lan/
>>> =A0 =A0 =A0 =A0ProxyPassReverse / http://intra-8.lan/
>>>
>>>
>>>
>>> I really need to migrate this website to the new server, any idea ?
>>>
>>> Jeremie
>>>
>>> ------------------------------------------------------------ ---------
>>> The official User-To-User support forum of the Apache HTTP Server Proje=
ct.
>>> See for more info.
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>>
>>
>>
>>
>> --
>> "The secret impresses no-one, the trick you use it for is everything"
>> - Alfred Borden (The Prestiege)
>>
>> ------------------------------------------------------------ ---------
>> The official User-To-User support forum of the Apache HTTP Server Projec=
t.
>> See for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> =A0 " =A0 from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org