Apache reverse proxy AH00898 – Error during SSL Handshake with remote server
Problem
Apache is configured as a reverse proxy. The proxied backend is accessed via HTTPS. Accessing the proxied URL results in an error message: proxy error.
Apache log:
AH00898: Error during SSL Handshake with remote server returned by /url
Browser:
Root cause
The Apache configuration is erroneous: Apache cannot establish a TLS connection to the HTTPS backend.
<VirtualHost *:80>
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /url https://server
    ProxyPassReverse /url https://server
</VirtualHost>
Solution
Several Apache configuration parameters define how Apache connects to an HTTPS backend. Normally the misconfiguration is solved by adjusting three parameters:
- ProxyPreserveHost
- SSLProxyVerify
- SSLProxyCheckPeerName
ProxyPreserveHost
In the above example, the parameter ProxyPreserveHost is set to On, meaning that the host name supplied by the client is sent to the backend. As the proxy is accessed via localhost, this name is forwarded to the backend. Setting the value to Off ensures Apache sends the target server's own name in the Host header. This matters because more and more servers run in a virtualized environment where name-based virtual hosting needs the host name to select the correct server.
SSLProxyVerify
This parameter controls verification of the TLS certificate sent by the backend. If the certificate is invalid, expired, self-signed, etc., Apache refuses to connect. If you know that the certificate is valid (e.g. an internal one) and you cannot make it verifiable for Apache (by importing the CA), setting this parameter to none instructs Apache to accept the certificate anyway.
SSLProxyCheckPeerName
This parameter checks whether the certificate's CN matches the FQDN of the backend server. Be aware of the wildcard certificate handling described in the documentation: "*.example.org will match foo.example.org, but will not match foo.bar.example.org".
Working proxy configuration
The example below is a configuration that allows Apache to connect to the backend. Most security checks are disabled, so this should only be used in a short-lived demo environment.
<VirtualHost *:80>
    SSLProxyEngine On
    ProxyPreserveHost Off
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyRequests Off
    ProxyPass /url https://server
    ProxyPassReverse /url https://server
</VirtualHost>
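A hardened variant of the same proxy block, added here as an example and not part of the original post: instead of switching verification off, it points Apache at the CA that issued the backend certificate so that SSLProxyVerify and the peer-name checks can stay enabled. The CA bundle path /etc/ssl/certs/internal-ca.pem is an assumption, and the backend name used in ProxyPass must match the CN or a SAN entry of the backend certificate.

```apache
<VirtualHost *:80>
    SSLProxyEngine On
    # Off: send the backend's own name in the Host header rather than the
    # client-supplied one, so name-based virtual hosting picks the right site
    ProxyPreserveHost Off
    ProxyRequests Off

    # Verify the backend certificate against its issuing CA instead of
    # disabling verification. The bundle path is an assumption for this example.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem

    # Keep the host-name and expiry checks on: the name in ProxyPass below must
    # match the certificate's CN or a SAN entry (a wildcard covers one label only)
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass /url https://server
    ProxyPassReverse /url https://server
</VirtualHost>
```

Run apachectl configtest after editing; if AH00898 persists with these settings, the backend certificate genuinely fails verification (wrong CA, name mismatch or expiry) and the error log will say which check failed.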
1 Comment
Alexander · October 13, 2021 at 20:59
Thanks, it works! Unlike many suggestions from Stackoverflow and Serverfault.
Greetings!