Apache reverse proxy AH00898 – Error during SSL Handshake with remote server

Published by Tobias Hofmann on

2 min read

Problem

Apache is configured as a reverse proxy. The proxied backend is accessed via HTTPS. Accessing the proxied URL is resulting in an error message: proxy error.

Apache log:

AH00898: Error during SSL Handshake with remote server returned by /url

Browser:

Root cause

The apache configuration is erroneous. Apache cannot establish a connection to the HTTPS backend.

<VirtualHost *:80>
  SSLProxyEngine On
  ProxyPreserveHost On
  ProxyRequests Off
  ProxyPass /url https://server
  ProxyPassReverse /url https://server
</VirtualHost>

Solution

Several Apache configuration parameters define how to connect to a HTTPS backend. Normally the misconfiguration is solved by adjusting three parameters:

  • ProxyPreserveHost
  • SSLProxyVerify
  • SSLProxyCheckPeerName

ProxyPreserveHost

In the above example, the parameter ProxyPreserveHost is set to on, meaning that the host name of the client is send to the backend. As the proxy is accessed by localhost, this name is forwarded to the backend. Setting this value to Off ensures Apache is sending the server name of the target server in the HTTP header. This is important as more and more servers are running in a virtualized environment that needs the host name for selecting the correct server.

SSLProxyVerify

This parameter checks to TLS certificate send by the backend. In case the certificate is invalid, expired, self-signed, etc, Apache is refusing to connect. If you know that the certificate is valid (e.g. internal one) and you cannot make it valid for Apache (import CA), this parameter instructs Apache to accept the certificate.

SSLProxyCheckPeerName

This parameter checks if the CN name matches the FQDN of the server. Be aware of wildcard certificate handling as described in the documentation. “*.example.org will match foo.example.org, but will not match foo.bar.example.org”.

Working proxy configuration

Below example is a configuration that will allow Apache to connect to the backend. Most security checks are disabled, so this should only be used in a short living demo environment.

<VirtualHost *:80>
  SSLProxyEngine On
  ProxyPreserveHost Off
  SSLProxyVerify none
  SSLProxyCheckPeerName off
  ProxyRequests Off
  ProxyPass /url https://server
  ProxyPassReverse /url https://server
</VirtualHost>
Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.