ProxyRemote results in "AH00898: Error during SSL Handshake with remote server..." but works on the other server

Question (votes: 0, answers: 1)

Goal

Set up a virtual host as a reverse proxy that also acts as a forward proxy to another "remote" proxy for a specific URL pattern.

Problem

I have 2 servers (actually 2 separate machines), both with the same configuration, but only one of them is able to forward the requests.

I have searched the whole web and done more experiments than the ones described below (which don't seem relevant enough to mention here), so I'd be very, very grateful for any ideas/experiments you can suggest!

Configuration

Dump

According to

apache2ctl -DDUMP_CONFIG | grep -vE "^[ ]*#[ ]*[0-9]+:$" > apache_dump.conf

the Apache configuration of both servers is identical.

Virtual host

<VirtualHost *:80>

[...]

SSLProxyEngine on
ProxyRemote "https://booking-service.com/" "http://remote-proxy:3128"

<Location /booking>
    ProxyPass https://booking-service.com/api
    ProxyPassReverse https://booking-service.com/api
    ProxyPreserveHost Off
    RequestHeader set X-Api-Key "..."
    RequestHeader unset Cookie
    RequestHeader unset Authorization
</Location>

</VirtualHost>

Modules

Here is an excerpt of the activated modules that IMHO might be relevant:

[...]
http_module (static)
[...]
ssl_module (shared)
[...]
proxy_module (shared)
proxy_http_module (shared)
proxy_ftp_module (shared)
proxy_ajp_module (shared)
proxy_wstunnel_module (shared)
proxy_balancer_module (shared)
[...]

Regular error log

(IPs and hostnames obfuscated)

[proxy:trace2] [pid 21616:tid 140692231767808] proxy_util.c(3016): HTTPS: fam 2 socket created to connect to booking-service.com
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(3050): AH02824: HTTPS: connection established with 192.18.191.131:3128 (booking-service.com)
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2677): AH00948: CONNECT: sending the CONNECT request for booking-service.com:443 to the remote proxy 192.18.191.131:3128 (remote-proxy.net)
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2731): AH00949: send_http_connect: response from the forward proxy: HTTP/1.1 200 Connection established\r\n\r\n
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(3218): AH00962: HTTPS: connection complete to 192.18.191.131:3128 (remote-proxy.net)
[proxy:error] [pid 21616:tid 140692231767808] (20014)Internal error (specific information not available): [client 111.222.33.444:20435] AH01084: pass request body failed to 192.18.191.131:3128 (remote-proxy.net)
[proxy:error] [pid 21616:tid 140692231767808] [client 111.222.33.444:20435] AH00898: Error during SSL Handshake with remote server returned by /booking/test-request
[proxy_http:error] [pid 21616:tid 140692231767808] [client 111.222.33.444:20435] AH01097: pass request body failed to 192.18.191.131:3128 (remote-proxy.net) from 111.222.33.444 ()
[proxy:debug] [pid 21616:tid 140692231767808] proxy_util.c(2334): AH00943: HTTPS: has released connection for (booking-service.com)

Error log with ssl:trace7

I get the following on both web servers:

[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2180): [remote 192.18.191.131:3128] OpenSSL: Handshake: start
[...]
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: before/connect initialization
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: write 517/517 bytes to BIO#7fb05c009ba0 [mem: 7fb05c011070] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 01 02 00 01 00 01-fc 03 03 c5 c2 b9 30 65  ..............0e |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0140: 03 00 0f 00 01 01 00 15-00 bb                    ..........       |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0517 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: SSLv2/v3 write client hello A
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 7/7 bytes from BIO#7fb05c00cc70 [mem: 7fb05c0165d0] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 03 00 41 02                                ....A.           |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0007 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 63/63 bytes from BIO#7fb05c00cc70 [mem: 7fb05c0165da] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 00 3d 03 03 f8 86 f8 5b-c5 71 0e 3f d6 fb 37 1d  .=.....[.q.?..7. |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0030: 00 00 00 00 0b 00 04 03-00 01 02 00 23           ............#    |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2179): [remote 192.18.191.131:3128] | 0063 - <SPACES/NULS>
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace3] [pid 25298:tid 140395937773312] ssl_engine_kernel.c(2189): [remote 192.18.191.131:3128] OpenSSL: Loop: unknown state
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 5/5 bytes from BIO#7fb05c00cc70 [mem: 7fb05c026da3] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 16 03 03 0d ce                                   .....            |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace4] [pid 25298:tid 140395937773312] ssl_engine_io.c(2214): [remote 192.18.191.131:3128] OpenSSL: read 3534/3534 bytes from BIO#7fb05c00cc70 [mem: 7fb05c026da8] (BIO dump follows)
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2137): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0000: 0b 00 0d ca 00 0d c7 00-07 12 30 82 07 0e 30 82  ..........0...0. |
[...]
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2175): [remote 192.18.191.131:3128] | 0dc0: ca 5b e0 d5 f6 6c 23 9d-20 29 55 cd 3a c5        .[...l#. )U.:.   |
[ssl:trace7] [pid 25298:tid 140395937773312] ssl_engine_io.c(2181): [remote 192.18.191.131:3128] +-------------------------------------------------------------------------+

The BAD web server stops abruptly at this point: there is no "Certificate Verification" and no "Handshake: done", i.e. no further ssl:... log entries related to this client request.

In contrast, the GOOD web server does the following:

[ssl:debug] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(1738): [remote 192.18.191.131:3128] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=...]
[ssl:debug] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(1738): [remote 192.18.191.131:3128] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=...]
[...]
[ssl:trace3] [pid 9659:tid 140475999237888] ssl_engine_kernel.c(2184): [remote 192.18.191.131:3128] OpenSSL: Handshake: done
[...]

Failed experiments

What I have tried so far:

  • Adding the following settings (even though the other web server works without them, I know... I'm desperate :D):
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1
SSLProxyCACertificateFile /etc/ssl/certs/<the-ca-cert>.crt [afaik should be considered anyway b/c in /etc/ssl/certs]
  • Restarting apache2.service
  • Restarting the whole Linux machine
  • Requesting with curl: works
    • curl --request POST 'https://booking-service.com/api/test-request' --header 'Content-Type: application/json' --header 'X-Api-Key: ...' --proxy 'http://remote-proxy.net:3128' --data '@/tmp/request-body.txt' -iv
  • Debugging with openssl: looks fine and is identical on both servers
    • openssl-1_1 s_client -connect booking-service.com -proxy remote-proxy.net:3128 -state -debug

Application versions (identical on both servers)

  • Linux:
    lsb_release -a
LSB Version:    n/a
Distributor ID: SUSE
Description:    SUSE Linux Enterprise Server 12 SP5
Release:        12.5
Codename:       n/a
  • Apache:
    httpd -v
Server version: Apache/2.4.38 (Linux/SUSE)
Server built:   2019-02-08 01:59:10.000000000 +0000
  • OpenSSL:
    openssl version
OpenSSL 1.0.2p-fips  14 Aug 2018
apache proxy openssl mod-proxy mod-ssl
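The ssl:trace7 output above is easier to read once the BIO hex dumps are turned back into TLS records. The following decoder is an added example, not code from the question or from Apache httpd: it parses the "OpenSSL: read N/N bytes ... (BIO dump follows)" lines and the "| 0000: 16 03 ..." hex lines that mod_ssl emits at that log level and labels each dump with the record type, version and length and, for handshake records, the handshake message type. It works on logs trimmed with "[...]" because the bookkeeping uses the byte counts OpenSSL reports rather than the number of hex lines that survived. SAMPLE_LOG is constructed to mirror the shape of the question's trace (shortened, with the documentation address 192.0.2.10 in place of the obfuscated proxy IP), and the regular expressions are assumptions about the mod_ssl dump layout shown on this page.

```python
"""Decode the TLS records inside mod_ssl 'ssl:trace7' BIO dumps.

Added example (not from the question or from Apache httpd). Each BIO read/write
becomes one BioDump; summarize() labels it as a record header, a record body,
or a fragment, naming the handshake message where the bytes allow.
"""
import re
from dataclasses import dataclass

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# "OpenSSL: read 5/5 bytes from BIO#... (BIO dump follows)" opens one dump (assumed layout)
DUMP_START = re.compile(r"OpenSSL: (read|write) (\d+)/\d+ bytes .*\(BIO dump follows\)")
# "| 0000: 16 03 03 0d ce   .....  |" carries up to 16 bytes of it; the ASCII column is skipped
DUMP_LINE = re.compile(r"\| [0-9a-f]{4}: ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


@dataclass
class BioDump:
    direction: str     # "read" (from the remote) or "write" (to the remote)
    nbytes: int        # byte count OpenSSL reported for this read/write
    data: bytes = b""  # bytes recovered from hex lines; shorter than nbytes if the log was trimmed


def parse_bio_dumps(lines):
    """Group the hex-dump lines of an ssl:trace7 log into one BioDump per OpenSSL read/write."""
    dumps, current = [], None
    for line in lines:
        start = DUMP_START.search(line)
        if start:
            current = BioDump(start.group(1), int(start.group(2)))
            dumps.append(current)
            continue
        hexline = DUMP_LINE.search(line)
        if hexline and current is not None:
            current.data += bytes.fromhex(hexline.group(1).replace("-", " "))
    return dumps


def decode_handshake(body):
    """Name the handshake message a record body starts with (type needs 1 byte, length needs 4)."""
    if not body:
        return {}
    info = {"handshake": HANDSHAKE_TYPES.get(body[0], "unknown(%d)" % body[0])}
    if len(body) >= 4:
        info["handshake_length"] = int.from_bytes(body[1:4], "big")
    return info


def decode_record(data):
    """Decode the 5-byte TLS record header (type, version, length) plus whatever body bytes follow."""
    if len(data) < 5:
        return {"kind": "fragment", "bytes": len(data)}
    rec = {"kind": "record",
           "content_type": CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0]),
           "version": VERSIONS.get((data[1], data[2]), "%d.%d" % (data[1], data[2])),
           "length": int.from_bytes(data[3:5], "big")}
    if data[0] == 22:
        rec.update(decode_handshake(data[5:]))
    return rec


def summarize(lines):
    """One (direction, nbytes, description) tuple per dump. OpenSSL often reads the record
    header and the body in separate BIO reads, so the body bytes still owed by the last
    record in each direction are tracked from the reported counts."""
    rows, owed, last = [], {"read": 0, "write": 0}, {"read": None, "write": None}
    for d in parse_bio_dumps(lines):
        if owed[d.direction] > 0:
            desc = {"kind": "body", "of": last[d.direction]["content_type"]}
            # a header-only read carried no handshake type; the body's first byte has it
            if desc["of"] == "handshake" and "handshake" not in last[d.direction]:
                desc.update(decode_handshake(d.data))
            owed[d.direction] = max(0, owed[d.direction] - d.nbytes)
        else:
            desc = decode_record(d.data)
            if desc["kind"] == "record":
                last[d.direction] = desc
                owed[d.direction] = max(0, desc["length"] - (d.nbytes - 5))
        rows.append((d.direction, d.nbytes, desc))
    return rows


def format_rows(rows):
    """Render summarize() output as one line per dump."""
    out = []
    for direction, nbytes, desc in rows:
        if desc["kind"] == "record":
            text = "%s %d bytes: %s %s record, length %d" % (
                direction, nbytes, desc["version"], desc["content_type"], desc["length"])
        elif desc["kind"] == "body":
            text = "%s %d bytes: body of the previous %s record" % (direction, nbytes, desc["of"])
        else:
            text = "%s %d bytes: fragment" % (direction, nbytes)
        if "handshake" in desc:
            text += " -> " + desc["handshake"]
            if "handshake_length" in desc:
                text += " (%d bytes)" % desc["handshake_length"]
        out.append(text)
    return out


# Constructed sample in the shape of the question's trace; "[...]" stands for trimmed dump lines.
_IO = "[ssl:trace4] [pid 1:tid 1] ssl_engine_io.c(2214): [remote 192.0.2.10:3128] OpenSSL: "
_HX = "[ssl:trace7] [pid 1:tid 1] ssl_engine_io.c(2175): [remote 192.0.2.10:3128] "
SAMPLE_LOG = [
    _IO + "write 517/517 bytes to BIO#1 [mem: 1] (BIO dump follows)",
    _HX + "| 0000: 16 03 01 02 00 01 00 01-fc 03 03 c5 c2 b9 30 65  ..............0e |",
    "[...]",
    _HX + "| 0517 - <SPACES/NULS>",
    _IO + "read 7/7 bytes from BIO#2 [mem: 2] (BIO dump follows)",
    _HX + "| 0000: 16 03 03 00 41 02 00                             ....A..          |",
    _IO + "read 63/63 bytes from BIO#2 [mem: 3] (BIO dump follows)",
    _HX + "| 0000: 00 3d 03 03 f8 86 f8 5b-c5 71 0e 3f d6 fb 37 1d  .=.....[.q.?..7. |",
    "[...]",
    _IO + "read 5/5 bytes from BIO#2 [mem: 4] (BIO dump follows)",
    _HX + "| 0000: 16 03 03 0d ce                                   .....            |",
    _IO + "read 3534/3534 bytes from BIO#2 [mem: 5] (BIO dump follows)",
    _HX + "| 0000: 0b 00 0d ca 00 0d c7 00-07 12 30 82 07 0e 30 82  ..........0...0. |",
    "[...]",
]

if __name__ == "__main__":
    for line in format_rows(summarize(SAMPLE_LOG)):
        print(line)
```

Applied to the trace in the question, the decoder reads the write of 517 bytes as a TLS 1.0-framed ClientHello, the 7 + 63 byte reads as a TLS 1.2 ServerHello, and the 5 + 3534 byte reads as a 3534-byte handshake record whose body starts with 0b 00 0d ca, i.e. a Certificate message of 3530 bytes. On the GOOD server the next lines are the AH02275 Certificate Verification entries; on the BAD server nothing follows that read, so the two traces diverge exactly where mod_ssl begins processing the remote's certificate chain.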
1 answer

0 votes

I would check whether the TLS/SSL certificates are identical on all servers.

By default, httpd generates a self-signed certificate on every installation.

All servers/hosts in a TLS communication cluster must share the same certificate in order to trust each other.

I suggest copying the private key and the public certificate from host #1 to the other hosts.
