[Modules] Trouble using mod_proxy with mod_gnutls

Guillaume Rousse Guillaume.Rousse at inria.fr
Mon Feb 25 04:25:30 EST 2008


Hello list.

With the following configuration, mod_proxy works perfectly in the
non-ssl vhost, but not in the ssl one. The client hangs a long
time for an answer, which finally comes as a "Site error" message, with a
"404 858" error status in the logs. The waiting time before the error
occurs is longer than the mod_proxy timeout configuration.

<VirtualHost *:80>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    Servername foo.domain.com
    ProxyPass / http://127.0.0.1:8080/
    GnuTLSEnable on
    GnuTLSPriorities NORMAL
    GnuTLSCertificateFile /etc/pki/tls/certs/foo.crt
    GnuTLSKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

Using debug log level, here is the log trace of a successful proxy
connection:
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE
filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(138): Adding
CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(54): proxy: HTTP:
canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1412): [client
195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/
for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy.c(819): Running scheme http
handler (attempt 0)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP:
serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1852): proxy: HTTP: has
acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1913): proxy: connecting
http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2012): proxy: connected
/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam
2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2266): proxy: HTTP:
connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1478): proxy: start
body send
[Fri Feb 22 15:26:28 2008] [debug] mod_cache.c(528): cache: / not
cached. Reason: Expires header already expired, not cacheable
[Fri Feb 22 15:26:28 2008] [debug] mod_proxy_http.c(1567): proxy: end
body send
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (www.msr-inria.inria.fr)

Here is an unsuccessful one. The 'GnuTLS: Handshake Failed' makes me think
that mod_gnutls tries to encrypt the outgoing connection too, and fails:
[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(131): Adding CACHE_SAVE
filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_cache.c(138): Adding
CACHE_REMOVE_URL filter for /
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(54): proxy: HTTP:
canonicalising URL //www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1412): [client
195.83.212.52] proxy: http: found worker http://www.msr-inria.inria.fr/
for http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy.c(819): Running scheme http
handler (attempt 0)
[Fri Feb 22 15:33:15 2008] [debug] mod_proxy_http.c(1693): proxy: HTTP:
serving URL http://www.msr-inria.inria.fr/
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1852): proxy: HTTP: has
acquired connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(1913): proxy: connecting
http://www.msr-inria.inria.fr/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2012): proxy: connected
/ to www.msr-inria.inria.fr:80
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2169): proxy: HTTP: fam
2 socket created to connect to www.msr-inria.inria.fr
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP:
connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS:
Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS:
Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52]
(104)Connection reset by peer: proxy: error reading status line from
remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52]
(104)Connection reset by peer: proxy: error reading status line from
remote server www.msr-inria.inria.fr
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error
reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] proxy: Error
reading from remote server returned by /error/HTTP_BAD_GATEWAY.html.var
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (*)
[Fri Feb 22 15:34:56 2008] [debug] proxy_util.c(1870): proxy: HTTP: has
released connection for (*)

The same configuration worked perfectly with mod_ssl (we switched for
SNI support). I reported the issue to the mod_gnutls author
(http://lists.outoforder.cc/pipermail/modules/2008-February/000097.html),
but he told me to look for the mod_proxy maintainer's help, as he didn't know this
module well enough himself. I had a quick look at the apache bugzilla, but most
issues I found were related to proxying ssl connections explicitly (as
http://issues.apache.org/bugzilla/show_bug.cgi?id=29744), whereas my
problem seems rather to be with proxying a non-ssl connection from an ssl one.

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
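The two traces above differ in one way: in the failing one, a GnuTLS handshake failure is logged with the *backend's* address (193.55.250.161) as the "client", right after mod_proxy reported a completed plaintext connection to that backend on port 80. The following script, added here and not code from Apache, mod_proxy or mod_gnutls, correlates those two events in an error log and reports how long the request hung before failing, so the delay can be compared against the configured ProxyTimeout. The sample lines are constructed (unwrapped copies of the shape of the traces in the post).

```python
"""Spot a TLS handshake being attempted on a connection that mod_proxy
opened to a plaintext backend, by correlating Apache error-log lines."""
import re
from datetime import datetime

# Log line shape seen in the post: [timestamp] [level] [client ip] message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] '
    r'(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$')
CONNECT_RE = re.compile(
    r'proxy: HTTP: connection complete to (?P<ip>[\d.]+):(?P<port>\d+)')
HANDSHAKE_FAILED = 'GnuTLS: Handshake Failed'
TS_FORMAT = '%a %b %d %H:%M:%S %Y'   # matches "Fri Feb 22 15:33:15 2008"


def correlate_handshake_failures(log_text):
    """One finding per GnuTLS handshake failure whose 'client' address is a
    backend that mod_proxy had just connected to.  That pairing means the TLS
    layer was applied to the outgoing proxy connection, not only to the
    inbound client side.  delay_seconds is how long the request hung."""
    pending = {}   # backend ip -> (port, time the plaintext connect completed)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], TS_FORMAT)
        c = CONNECT_RE.search(m['msg'])
        if c:
            pending[c['ip']] = (int(c['port']), ts)
        elif HANDSHAKE_FAILED in m['msg'] and m['client'] in pending:
            # pop so the duplicated error line in the trace is not counted twice
            port, started = pending.pop(m['client'])
            findings.append({'backend': m['client'], 'port': port,
                             'delay_seconds': int((ts - started).total_seconds())})
    return findings


# Constructed sample: the successful trace (no finding) then the failing one.
SAMPLE_LOG = """\
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:26:28 2008] [debug] proxy_util.c(1870): proxy: HTTP: has released connection for (www.msr-inria.inria.fr)
[Fri Feb 22 15:33:15 2008] [debug] proxy_util.c(2266): proxy: HTTP: connection complete to 193.55.250.161:80 (www.msr-inria.inria.fr)
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 193.55.250.161] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Fri Feb 22 15:34:56 2008] [error] [client 195.83.212.52] (104)Connection reset by peer: proxy: error reading status line from remote server www.msr-inria.inria.fr
"""

if __name__ == '__main__':
    for finding in correlate_handshake_failures(SAMPLE_LOG):
        print(finding)
```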
