Pound issues with apache-ssl debian
"Mister V" <badvad(at)gmail.com>
2007-07-10 19:45:52
https returns

500 internal error

An internal server error occurred. Please try again later.

syslog says:

Jul 10 19:44:08 localhost pound: response error read from 127.0.0.1:82: Connection reset by peer

apache-ssl log says:

[Tue Jul 10 19:44:08 2007] [error] SSL_accept failed
[Tue Jul 10 19:44:08 2007] [error] error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

From what I have researched, it is passing http to the https port?

This is my config:

(Where am I going wrong, or what is done wrong?)

pound.cfg (ssl config)
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port    443
    Cert    "/etc/apache-ssl/poundcert.pem"
    AddHeader "X-Forwarded-Proto: https"
    HeadRemove "X-Forwarded-Proto"
    AddHeader "Front-End-Https: on"
    Ciphers "RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA"
    Service
        Url "(%|`|;|\|@|\||~|<|>|\"|\$|\(|\)|\{|\}|\[|\]\*|!|')"
        Redirect    "http://www.domain/"
    End
    Service
        BackEnd
            Address  127.0.0.1
            Port  82
        End
    End
End

(netstat - showing port 82 is up)
root@XXXXXX:# netstat -an|grep 82
tcp        0      0 127.0.0.1:82            0.0.0.0:*               LISTEN


httpd.conf in apache-ssl showing the various configs done or there for ssl.

grep 82 /etc/apache-ssl/httpd.conf
Listen 127.0.0.1:82
Port 82


grep SSL /etc/apache-ssl/httpd.conf |grep -v "#"
SSLRandomFile file /dev/urandom 1024
SSLRandomFilePerConnection file /dev/urandom 1024
SSLEnable
SSLCacheServerPath /usr/lib/apache-ssl/gcache
SSLCacheServerPort /var/run/gcache_port
SSLSessionCacheTimeout 15
SSLCertificateKeyFile /etc/apache-ssl/server.pem
SSLCertificateFile     /etc/apache-ssl/server.crt
SSLVerifyClient 0
SSLVerifyDepth 10
SSLUseCRL
SSLCRLCheckAll
SSLOnRevocationSetEnv SSL_REVOKED
SSLOnCRLExpirySetEnv SSL_CRL_EXPIRED
SSLOnNoCRLSetEnv SSL_NO_CRL
SSLFakeBasicAuth
SSLRequiredCiphers RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA
SSLRequireCipher
SSLBanCipher NULL-MD5:NULL-SHA

thanks
vahid

Re: [Pound Mailing List] Pound issues with apache-ssl debian
ezahurak(at)atlanticbb.net
2007-07-10 19:57:52
Pound only talks http to backends, I believe, not https.


Re: [Pound Mailing List] Pound issues with apache-ssl debian
"Mister V" <badvad(at)gmail.com>
2007-07-11 13:05:23
By the way

http://gentoo-wiki.com/HOWTO_Email:_A_Complete_Virtual_System_-_Web_Access

   - Follow the steps at http://slacksite.com/apache/certificate.html
   - cat server.pem > poundcert.pem
   - cat server.crt >> poundcert.pem


openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024
openssl rsa -in server.key -out server.pem
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 60 -in server.csr -signkey server.key -out server.crt

Now these two files as above have been put into poundcert.pem

and apache config as per last email is using new certificates.

(None of above is clearly explained on the debian package installed)

When I try to access the URL, before the 500 error I actually get the
SSL request popping up in the browser saying it's an untrusted SSL source
(which is correct), but then it gives 500 once you press OK to continue.
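
The symptom described in this thread (certificate prompt first, then a 500) fits the apache-ssl log line `SSL23_GET_CLIENT_HELLO:http request`: the browser's TLS handshake with Pound on 443 succeeds, and the request is then forwarded as plain HTTP to a backend that expects a ClientHello. The sketch below is an added example, not code from the thread or from Pound or OpenSSL; it classifies the first bytes a listener reads in a simplified way, and the byte strings and the method list are constructed for illustration.

```python
# Added illustration, not from the thread. All byte strings are constructed samples.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener reads on a new connection."""
    # SSLv3/TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # SSLv2-compatible ClientHello: high bit set in the length, message type 0x01.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"


def diagnose(listener_expects_tls: bool, first_bytes: bytes) -> str:
    """Compare what the listener expects with what the peer actually sent."""
    kind = classify_first_bytes(first_bytes)
    if kind == "unknown":
        return "unknown protocol"
    sent_tls = kind != "plain-http"
    if listener_expects_tls and not sent_tls:
        return "mismatch: plain HTTP sent to a TLS listener"
    if sent_tls and not listener_expects_tls:
        return "mismatch: TLS handshake sent to a plain HTTP listener"
    return "ok"


# Browser -> Pound on 443: a TLS ClientHello (record header + handshake type).
BROWSER_TO_POUND = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])
# Pound -> backend: the decrypted request, forwarded as plain HTTP.
POUND_TO_BACKEND = b"GET / HTTP/1.1\r\nHost: www.domain\r\nFront-End-Https: on\r\n\r\n"

if __name__ == "__main__":
    print("443 (Pound, TLS):     ", diagnose(True, BROWSER_TO_POUND))
    print("82  (apache-ssl, TLS):", diagnose(True, POUND_TO_BACKEND))
    print("83  (plain apache):   ", diagnose(False, POUND_TO_BACKEND))
```
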





Re: Pound issues with apache-ssl debian
"Mister V" <badvad(at)gmail.com>
2007-07-14 15:00:22
Hi all, thanks to the last poster: yes, it is https. It can't talk to back
end https, hence get it to talk to normal apache and all is fine... but is
this now really https? Or is it port 80 traffic being redirected on port
443 (i.e. clear text... :( )

Or does using the cert mean it is getting encrypted? From web to server,
then pound decrypts and sends clear text to localhost. Aha, I think I get it
...

Very cool


I do have another question though...

I want some strict url settings where I allow %5.* %3.* [1char] but

disallow %.* and [any other combo]

hence if the url line has %3dsaAblach%5[6] let it go through, but if I have

%3dsaAblach%5[6]%4  fail (%4)
%3dsaAblach%5[asd6] fail ([asd6])
and so forth..

Here is the config now for whoever else gets stuck on ssl - the trick is the
pem file - which I posted before.
ListenHTTPS
    Address 10.0.0.1
    Port 443
    xHTTP 1
    Cert "/etc/apache-ssl/poundcert.pem"
    Ciphers "RC4-MD5:RC4-SHA:IDEA-CBC-MD5:DES-CBC3-SHA"
END
ListenHTTP
  Address 10.0.0.1
  Port 80
  xHTTP 1
END
Service
   Url         "(%7.*|`|;|\|@|\||~|<|>|\"|\$|\(|\)|\{|\}|\*|!|')"
   Redirect    "http://www.domain"
End
Service
  BackEnd
    Address  127.0.0.1
    Port  83
  End
End
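
One reading of the URL filter asked for in this post, as an added example that is not from the thread: `%` is allowed only when directly followed by 3 or 5, and `[` only when it encloses exactly one character. It is written as a deny pattern in the style of the Url + Redirect service above, restricted to POSIX extended regex constructs (no lookahead) and checked here with Python's `re`; the interpretation of the rule and the extra sample URLs are assumptions.

```python
import re

# Added illustration, not from the thread. Assumed reading of the request:
#   - '%' is allowed only when the next character is 3 or 5
#   - '[' is allowed only as '[' + exactly one character + ']'
# The pattern is a deny list: a URL that matches it is the one to redirect.
DENY_PERCENT = r"%([^35]|$)"        # '%' followed by anything but 3/5, or at end
DENY_BRACKET = r"\[(\]|.?$|.[^]])"  # '[]', unterminated '[', or 2+ chars inside
DENY = DENY_PERCENT + "|" + DENY_BRACKET
# A stray ']' with no opening '[' is not covered by this pattern.

_deny_re = re.compile(DENY)


def is_denied(url: str) -> bool:
    """True when the URL matches the deny pattern (unanchored search)."""
    return _deny_re.search(url) is not None


def first_violation(url: str):
    """Return the offending substring, or None when the URL passes."""
    m = _deny_re.search(url)
    return m.group(0) if m else None


# The three URLs from the post, then constructed edge cases.
SAMPLES = [
    "%3dsaAblach%5[6]",     # post: let it through
    "%3dsaAblach%5[6]%4",   # post: fail (%4)
    "%3dsaAblach%5[asd6]",  # post: fail ([asd6])
    "/page%",               # constructed: trailing '%'
    "/page[]",              # constructed: empty brackets
    "/page[a",              # constructed: bracket never closed
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r:26} -> {first_violation(url) or 'allowed'}")
```
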



