Bug 62293 - [Windows] [2.4.29 -> 2.4.33] Can't connect backend http server without ssl from reverse proxy server with ssl enabled.
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http
Version: 2.4.33
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2018-04-12 14:52 UTC by Hikaru
Modified: 2018-08-20 15:47 UTC

Description Hikaru 2018-04-12 14:52:43 UTC
Problems:
	Can't connect to the backend source HTTP server without SSL from the reverse proxy server with SSL enabled.

When it occurs:
	Always (when connecting to the reverse proxy from a client)

Error messages (Client side):
	Gateway Timeout
	The gateway did not receive a timely response from the upstream server or application.

Error logs (Server side):
	[Thu Apr 12 22:57:01.642278 2018] [proxy:error] [pid 2748:tid 1180] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : [client 10.254.0.55:9221] AH01084: pass request body failed to 10.254.0.15:80 (sv05.example.com)
	[Thu Apr 12 22:57:01.642278 2018] [proxy_http:error] [pid 2748:tid 1180] [client 10.254.0.55:9221] AH01097: pass request body failed to 10.254.0.15:80 (sv05.example.com) from 10.254.0.55 ()

Solution in my environments:
	Revert the changes in "mod_proxy_http.c", function "proxy_http_handler", to version 2.4.29.
	Then it runs perfectly.

	@@ -1948,8 +1948,8 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
	 
	         /* Step Three: Create conn_rec */
	         if (!backend->connection) {
	-            if ((status = ap_proxy_connection_create_ex(proxy_function,
	-                                                        backend, r)) != OK)
	+            if ((status = ap_proxy_connection_create(proxy_function, backend,
	+                                                     c, r->server)) != OK)
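
Review bot: the two `+` lines pass `c` to `ap_proxy_connection_create()`, but nothing in the visible hunk declares `c`, and the call being replaced took only `proxy_function, backend, r`. Confirm `c` is still in scope in `proxy_http_handler` in the 2.4.33 tree, otherwise this revert will not build. The hunk is also shorter than its `@@ -1948,8 +1948,8 @@` header states, so the body of the `if` is not shown and the patch will not apply as pasted. Because this swaps the call back without explaining why the `_ex` path fails with `SSLEngine on`, treat it as a local workaround and test the revision linked in comment 1 before carrying it.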


My environments:
	Windows 7 x86 on Hyper-V
	Windows Server 2016 x64 on Hyper-V


Configurations (Reverse proxy):
	# If I change "SSLEngine" to "off" and access the reverse proxy server via non-SSL HTTP, it connects successfully.
	# But this is not a solution. I lose access from TLS clients.

	<VirtualHost *:443>
		ServerAdmin network@example.com
		DocumentRoot "/Test/"

		ServerName ssl.example.com

		ProxyRequests Off
		ProxyPreserveHost On
		ProxyPass / http://sv05.example.com/
		ProxyPassReverse / http://sv05.example.com/

		SSLEngine on
		SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
		SSLHonorCipherOrder off
		SSLCipherSuite +NULL:EDH:RSA:!DH:ADH:DSS:HIGH:!EXP:!Low:!SHA1:!MD5:!RC4:!DES:!IDEA:!CAMELLIA:!SEED:!SSLv2:!SSLv3

		SSLCertificateFile conf/SSL/Site.cer
		SSLCertificateKeyFile conf/SSL/Site.key
		SSLCACertificateFile conf/SSL/CA.cer
	</VirtualHost>
Comment 1 Ruediger Pluem 2018-04-12 19:11:42 UTC
Does http://svn.apache.org/viewvc?view=revision&revision=1828735 also fix your issue?
Comment 2 ssr 2018-08-17 16:11:37 UTC
I am also getting the same error.

Bad Gateway
The proxy server received an invalid response from an upstream server.

I am using Apache 2.4.33 and seeing the same error.

[Fri Aug 17 15:59:53.628596 2018] [proxy:error] [pid 8120:tid 140701937407744] (70014)End of file found: [client 3.20.216.100:58660] AH01084: pass request body failed to 10.91.250.224:8080 (10.91.250.224)
[Fri Aug 17 15:59:53.628612 2018] [proxy_http:error] [pid 8120:tid 140701937407744] [client 3.20.216.100:58660] AH01097: pass request body failed to 10.91.250.224:8080 (10.91.250.224) from 3.20.216.100 ()

When I tried to do TCPDUMP, I see that the request does not have a PUSH packet to the backend TOMCAT when the request is done on HTTPS:443 from Apache to TOMCAT.

We need to fix this as I am stuck with this issue.
Comment 3 William A. Rowe Jr. 2018-08-17 16:22:23 UTC
Please retest with 2.4.34 current release and report back?
Comment 4 ssr 2018-08-20 08:27:38 UTC
Yes, Apache 2.4.34 is working perfectly fine. Thanks much William.