Header image

It's full of stars

Where documentation meets reality

Apache reverse proxy AH00898 - Error during SSL Handshake with remote server

By Tobias Hofmann June 24, 2021 Posted in SAP
Tags: ah00890 apache certificate proxypreservehost reverse-proxy sslproxycheckpeername sslproxyverify

Reading time: 2 min read

Problem

Apache is configured as a reverse proxy. The proxied backend is accessed via HTTPS. Accessing the proxied URL is resulting in an error message: proxy error.

Apache log:

AH00898: Error during SSL Handshake with remote server returned by /url

Browser:

Root cause

The apache configuration is erroneous. Apache cannot establish a connection to the HTTPS backend.

<VirtualHost *:80>
  SSLProxyEngine On
  ProxyPreserveHost On
  ProxyRequests Off
  ProxyPass /url https://server
  ProxyPassReverse /url https://server
</VirtualHost>

Solution

Several Apache configuration parameters define how to connect to a HTTPS backend. Normally the misconfiguration is solved by adjusting three parameters:

ProxyPreserveHost

In the above example, the parameter ProxyPreserveHost is set to on, meaning that the host name of the client is send to the backend. As the proxy is accessed by localhost, this name is forwarded to the backend. Setting this value to Off ensures Apache is sending the server name of the target server in the HTTP header. This is important as more and more servers are running in a virtualized environment that needs the host name for selecting the correct server.

SSLProxyVerify

This parameter checks to TLS certificate đź”— send by the backend. In case the certificate is invalid, expired, self-signed, etc, Apache is refusing to connect. If you know that the certificate is valid (e.g. internal one) and you cannot make it valid for Apache (import CA), this parameter instructs Apache to accept the certificate.

SSLProxyCheckPeerName

This parameter checks if the CN name matches the FQDN 🔗 of the server. Be aware of wildcard certificate handling as described in the documentation. “*.example.org will match foo.example.org, but will not match foo.bar.example.org”.

Working proxy configuration

Below example is a configuration that will allow Apache to connect to the backend. Most security checks are disabled, so this should only be used in a short living demo environment.

<VirtualHost *:80>
  SSLProxyEngine On
  ProxyPreserveHost Off
  SSLProxyVerify none
  SSLProxyCheckPeerName off
  ProxyRequests Off
  ProxyPass /url https://server
  ProxyPassReverse /url https://server
</VirtualHost>