ProxyRemote leads to "AH00898: Error during SSL Handshake with remote server ...", works on other server



Goal

Set up a virtual host as a reverse proxy which also acts as a forward proxy to another "remote" proxy for a specific URL pattern.

Problem

I have two servers (actually two separate machines) with identical configuration, but only one of them is able to forward the requests.

I have searched the whole web and done more experiments than described below (but they seem irrelevant here), so I would be very grateful for any ideas/experiments you can suggest!

Config

Dump

According to apache2ctl -DDUMP_CONFIG | grep -vE "^[ ]*#[ ]*[0-9]+:$" > apache_dump.conf, the apache configs of both servers are identical.

Virtual host

<VirtualHost *:80>
[...]
SSLProxyEngine on
ProxyRemote "https://booking-service.com/" "http://remote-proxy:3128"
<Location /booking>
ProxyPass https://booking-service.com/api
ProxyPassReverse https://booking-service.com/api
ProxyPreserveHost Off
RequestHeader set X-Api-Key "..."
RequestHeader unset Cookie
RequestHeader unset Authorization
</Location>
</VirtualHost>

Modules

Here is an excerpt of the activated modules which IMHO might be relevant:

[...]
http_module (static)
[...]
ssl_module (shared)
[...]
proxy_module (shared)
proxy_http_module (shared)
proxy_ftp_module (shared)
proxy_ajp_module (shared)
proxy_wstunnel_module (shared)
proxy_balancer_module (shared)
[...]

Error log (normal)

(IPs and hostnames obfuscated)

[proxy:trace2] [pid 21616:tid 140692231767808] proxy_util.c(3016): HTTPS: fam 2 socket created to connect to booking-service.com
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(3050): AH02824: HTTPS: connection established with 192.18.191.131:3128 (booking-service.com)
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2677): AH00948: CONNECT: sending the CONNECT request for booking-service.com:443 to the remote proxy 192.18.191.131:3128 (remote-proxy.net)
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2731): AH00949: send_http_connect: response from the forward proxy: HTTP/1.1 200 Connection established\r\n\r\n
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(3218): AH00962: HTTPS: connection complete to 192.18.191.131:3128 (remote-proxy.net)
[proxy:error] [pid 21616:tid 140692231767808] (20014)Internal error (specific information not available): [client 111.222.33.444:20435] AH01084: pass request body failed to 192.18.191.131:3128 (remote-proxy.net)
[proxy:error] [pid 21616:tid 140692231767808] [client 111.222.33.444:20435] AH00898: Error during SSL Handshake with remote server returned by /booking/test-request
[proxy_http:error] [pid 21616:tid 140692231767808] [client 111.222.33.444:20435] AH01097: pass request body failed to 192.18.191.131:3128 (remote-proxy.net) from 111.222.33.444 ()
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2334): AH00943: HTTPS: has released connection for (booking-service.com)

Error log with ssl:trace7

I get the following on both web servers:

[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2180): [remote 192.18.191.131:3128] OpenSSL: Handshake: start
[...]
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: before/connect initialization
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: write 517/517 bytes to BIO#7fb05c009ba0 [mem: 7fb05c011070] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 01 02 00 01 00 01-fc 03 03 c5 c2 b9 30 65  ..............0e |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0140: 03 00 0f 00 01 01 00 15-00 bb                    ..........       |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0517 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: SSLv2/v3 write client hello A
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 7/7 bytes from BIO#7fb05c00cc70 [mem: 7fb05c0165d0] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 03 00 41 02                                ....A.           |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0007 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 63/63 bytes from BIO#7fb05c00cc70 [mem: 7fb05c0165da] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 00 3d 03 03 f8 86 f8 5b-c5 71 0e 3f d6 fb 37 1d  .=.....[.q.?..7. |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0030: 00 00 00 00 0b 00 04 03-00 01 02 00 23           ............#    |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0063 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: unknown state
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 5/5 bytes from BIO#7fb05c00cc70 [mem: 7fb05c026da3] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 03 0d ce                                   .....            |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 3534/3534 bytes from BIO#7fb05c00cc70 [mem: 7fb05c026da8] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 0b 00 0d ca 00 0d c7 00-07 12 30 82 07 0e 30 82  ..........0...0. |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0dc0: ca 5b e0 d5 f6 6c 23 9d-20 29 55 cd 3a c5        .[...l#. )U.:.   |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+

The BAD web server stops abruptly here: no "Certificate Verification" and no "Handshake: done", i.e. no further ssl log entries related to that client request.

In contrast, the GOOD web server does the following:

[ssl:debug] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(1738): [remote 192.18.191.131:3128] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=...]
[ssl:debug] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(1738): [remote 192.18.191.131:3128] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=...]
[...]
[ssl:trace3] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(2184): [remote 192.18.191.131:3128] OpenSSL: Handshake: done
[...]

Failed experiments

What I have tried so far:

  • Adding the following settings (even though the other web server works without them, I know... I am desperate :D):
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1
SSLProxyCACertificateFile /etc/ssl/certs/<the-ca-cert>.crt [afaik should be considered anyway b/c in /etc/ssl/certs]
  • Restarting apache2.service
  • Rebooting the whole Linux machine
  • Request with curl: works
    • curl --request POST 'https://booking-service.com/api/test-request' --header 'Content-Type: application/json' --header 'X-Api-Key: ...' --proxy 'http://remote-proxy.net:3128' --data '@/tmp/request-body.txt' -iv
  • Debugging with openssl: looks fine & identical on both servers
    • openssl-1_1 s_client -connect booking-service.com -proxy remote-proxy.net:3128 -state -debug

Application versions (identical on both servers)

  • Linux: lsb_release -a:
LSB Version:    n/a
Distributor ID: SUSE
Description:    SUSE Linux Enterprise Server 12 SP5
Release:        12.5
Codename:       n/a
  • Apache: httpd -v
Server version: Apache/2.4.38 (Linux/SUSE)
Server built:   2019-02-08 01:59:10.000000000 +0000
  • OpenSSL: openssl version:
OpenSSL 1.0.2p-fips  14 Aug 2018
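To narrow down where the bad server diverges, the following added example (my own diagnostic script, not code from the question or from Apache) reproduces what mod_proxy does for a ProxyRemote target: open a CONNECT tunnel through the forward proxy, then run the TLS handshake over that tunnel, verifying the peer against the system trust store or a CA file you pass. The proxy and target names are taken from the question; the cafile parameter and the default port handling are assumptions.

```python
import socket
import ssl
from typing import Optional

# Names from the question; adjust for your environment (assumed defaults).
PROXY = ("remote-proxy.net", 3128)
TARGET = ("booking-service.com", 443)


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request mod_proxy sends to the ProxyRemote forward proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(buf: bytes) -> Optional[int]:
    """Return the proxy's status code, or None while the header block is still incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    status_line = buf[:end].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def tunnel_and_handshake(proxy=PROXY, target=TARGET, cafile=None, timeout=10.0) -> dict:
    """Open the CONNECT tunnel, then handshake through it the way SSLProxyEngine does."""
    ctx = ssl.create_default_context(cafile=cafile)  # system store when cafile is None
    with socket.create_connection(proxy, timeout=timeout) as raw:
        raw.sendall(build_connect_request(*target))
        buf = b""
        while (code := parse_connect_response(buf)) is None:
            chunk = raw.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before answering CONNECT")
            buf += chunk
        if code != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {code}")
        # An ssl.SSLError or timeout raised here reproduces AH00898 outside Apache.
        with ctx.wrap_socket(raw, server_hostname=target[0]) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "subject": dict(x[0] for x in cert["subject"]),
                    "issuer": dict(x[0] for x in cert["issuer"])}


if __name__ == "__main__":
    print(tunnel_and_handshake())
```

Run it on both machines with the same cafile: a handshake error on only one of them points at a trust-store or OpenSSL difference rather than at the Apache configuration.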

I would check whether the TLS/SSL certificates are identical on all servers.

By default, httpd generates a self-signed certificate on every installation.

All servers/hosts in a TLS communication cluster must share the same certificate in order to trust each other.

I suggest copying the private key and public certificate from host #1 to the other hosts.
