Problems with mod_ssl and mod_proxy
Hello,
I have a problem with Apache Server (Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k):
I want to set up that the server controls a client-cert and, if it is OK, connects with a ProxyPass to the right server.
The config:
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule dumpio_module modules/mod_dumpio.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule logio_module modules/mod_logio.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
LoadModule ssl_module modules/mod_ssl.so
#LoadModule status_module modules/mod_status.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule version_module modules/mod_version.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
<Proxy *>
Order Deny,Allow
Deny from all
</Proxy>
ProxyRequests Off
NameVirtualHost <My IP>:443
<VirtualHost <My IP>:443>
DocumentRoot "C:/Program Files/Webserver/Apache/htdocs"
ServerName <web address>
ServerAlias <My IP, for test>
SSLEngine on
SSLCertificateFile <Path of the cert>
SSLCertificateKeyFile <Path of the key>
SSLCACertificateFile <Path of the CA-cert>
SSLVerifyClient require
SSLVerifyDepth 10
ProxyPreserveHost On
ProxyPass / <end server>
ProxyPassReverse / <end server>
</VirtualHost>
When I connect to the server now, the browser loads for some time and then gives me a timeout. What am I doing wrong?
Best regards
Jan
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd.apache.org
" from the digest: users-digest-unsubscribe [at] httpd.apache.org
For additional commands, e-mail: users-help [at] httpd.apache.org
RE: Problems with mod_ssl and mod_proxy
> -----Original Message-----
> From: Jan Luca Naumann [mailto:jan [at] naumannsfamily.de]
> Sent: Tuesday, December 08, 2009 3:53 PM
> To: users [at] httpd.apache.org
> Subject: [users [at] httpd] Problems with mod_ssl and mod_proxy
>
> When I connect to the server now, the browser loads for some time
> and then gives me a timeout. What am I doing wrong?
Break the problem into two parts and get the ProxyPass working before worrying about the SSL client verification. What happens if you comment out all the SSL stuff and try to get to the back-end server with a plain HTTP virtual host?
If that times out, what happens if you try to access the back-end directly (from a client that has TCP/IP access, obviously)?
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
AW: Problems with mod_ssl and mod_proxy
Hi,
Without all the SSL stuff I get a timeout, too, but the right webserver is OK.
Best regards
Jan
Re: AW: Problems with mod_ssl and mod_proxy
Jan Luca Naumann wrote:
>>
Some additional tips:
You also need a line
Listen <My IP>:443
....
>> NameVirtualHost <My IP>:443
>>
>> <VirtualHost <My IP>:443>
Start Apache.
Open a command window, and enter: netstat -an | more
You should see a line like:
TCP <My IP>:443 0.0.0.0:0 ABHÖREN
Do you?
Is the Windows firewall enabled?
If yes, does it allow incoming connections on port 443?
(or turn off the firewall)
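
The isolation step suggested in the replies above (a plain-HTTP virtual host first, with an explicit Listen line), written out as an added example for Apache 2.2; it is not configuration posted by anyone in the thread. The address 192.0.2.10, the names proxy.example and backend.example, and the log file name are placeholder assumptions standing in for "<My IP>", "<web address>" and "<end server>".

```apache
# Added example, Apache 2.2 syntax (Order/Allow). All addresses and names
# below are placeholders, not values from the thread.

# A listening socket has to be opened explicitly; NameVirtualHost and
# <VirtualHost> do not open one. Skip this line if httpd.conf already
# contains a Listen directive for the same address and port.
Listen 192.0.2.10:80

# Reverse proxy only: never act as a forward proxy for arbitrary URLs.
ProxyRequests Off

# In 2.2 a <Proxy *> block also governs reverse-proxied requests.
# With "Deny from all" and no Allow line, every ProxyPass request is
# answered 403 Forbidden ("client denied by server configuration" in the
# error log), so the block has to admit the clients of the reverse proxy.
<Proxy *>
    Order Deny,Allow
    Allow from all
</Proxy>

NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName proxy.example

    ProxyPreserveHost On
    ProxyPass        / http://backend.example/
    ProxyPassReverse / http://backend.example/

    # Separate, verbose log for the test so proxy errors are easy to find.
    ErrorLog logs/proxytest-error.log
    LogLevel debug
</VirtualHost>
```

Once this virtual host returns the back-end's pages, move the ProxyPass lines back into the :443 virtual host with its SSLVerifyClient require and delete the port-80 test host; otherwise the back-end stays reachable without a client certificate.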