Hello,
I set up two-way SSL between an Apigee proxy and an Apache backend server.
For example,
the url of apigee proxy is "https://apigee.com/proxy_test"
the url of apache backend is "https://example.com"
When I hit "https://apigee.com/proxy_test", it is redirected to "https://example.com".
The URL address in the web browser shows "https://example.com".
I want to show the Apigee proxy address in the browser instead of the actual URL.
In the ssl.conf file on the Apache server, I commented out all ProxyPass and ProxyPassReverse directives as below,
and I stopped and restarted the Apache server.
How do I hide the actual URL?
<VirtualHost *:443> ... </VirtualHost>
<TargetEndpoint name="dev"> ... </TargetEndpoint>
That shouldn't happen, because browser to Apigee is a different connection than Apigee to your target.
I am wondering if mod_rewrite is doing a redirection. Could you switch RewriteEngine to off and retry?
After turning off RewriteEngine or changing the RewriteRule to 'https://%{HTTP_HOST}%{REQUEST_URI}', the API proxy does not work.
It returns a 500 error or an ERR_BAD_SSL_CLIENT_AUTH_CERT error.
I imported all certs, such as the server's cert, chain files, and Apigee's certs, on the server to validate Apigee's certs. I reference them in the ssl.conf file.
I don't know why it does not work.
When I hit the Apigee proxy address by using curl -v -k "address",
it returns the message below:
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
I think the problems are unrelated. Turning off RewriteEngine shouldn't cause the TLS handshake to fail. Can you debug the TLS handshake? Take a TCP dump or enable debugging.
First, all cert files are verified by following the commands on the link.
Second, when I use ssl logging, it shows these debug logs. It seems fine, I don't know why it returns 500 error.
...
Did you make an HTTPS request when capturing these logs? Because I can't tell which log lines correspond to an HTTPS request. As you said, everything seems fine. I don't see a BAD_CERT error, which shows up in your response.
I hit 'https:// apigee proxy address'.
Is this not making an HTTPS request?
Since apigee proxy is targeting 'https:// target point address' with 443 port.
I just hit base apigee proxy address without using target point.
ex. https://apigeeproxy.com/proxyname
target url : https://example.com
Do you think SSL handshake works well?
[client XX.XXX.XXX.XX:45630] AH01964: Connection to child 4 established (server example.com:443)
ssl_engine_kernel.c(1890): [client XX.XXX.XXX.XX:45630] AH02043: SSL virtual host for servername example.com found
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 2, CRL checking mode: none [subject: OU= XXX / notbefore: Aug 8 19:36:17 2016 GMT / notafter: Aug 8 20:06:17 2036 GMT]
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: OU= XXX / notbefore: Aug 8 20:05:40 2016 GMT / notafter: Jul 8 20:35:40 2036 GMT]
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN= apigee's cert / notbefore: May 5 18:40:04 2017 GMT / notafter: May 5 19:10:04 2020 GMT]
ssl_engine_kernel.c(1823): [client XX.XXX.XXX.XX:45630] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
ssl_engine_kernel.c(225): [client XX.XXX.XXX.XX:45630] AH02034: Initial (No.1) HTTPS request received for child 4 (server example.com:443)
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of Require all granted: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of <RequireAny>: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of Require all granted: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of <RequireAny>: granted
If this is the full log, then yes.
Does the request show up in the target endpoint application log? Does your target application code actually get executed?
Because I see the handshake executing fine, yet your client gets a bad cert error.
That is odd.
I think if there is any /targetpoint on the API proxy URL address, a 500 error occurs.
Then check your message processor log for errors; see if it's invalidating the handshake.
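
An added example, not part of the thread and not Apache or Apigee code: a small Python parser that groups mod_ssl debug lines like the ones quoted above by client connection, so it is clear which lines belong to one HTTPS request and how far each handshake got. The sample log, client addresses and certificate subjects are constructed; the AH codes are the ones that appear in the thread's log.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the mod_ssl debug lines quoted in the thread.
SAMPLE_LOG = """\
[client 192.0.2.10:45630] AH01964: Connection to child 4 established (server example.com:443)
ssl_engine_kernel.c(1360): [client 192.0.2.10:45630] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: OU=Example CA / notbefore: Aug 8 20:05:40 2016 GMT]
ssl_engine_kernel.c(1360): [client 192.0.2.10:45630] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN=gateway-client / notbefore: May 5 18:40:04 2017 GMT]
ssl_engine_kernel.c(1823): [client 192.0.2.10:45630] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
ssl_engine_kernel.c(225): [client 192.0.2.10:45630] AH02034: Initial (No.1) HTTPS request received for child 4 (server example.com:443)
[client 192.0.2.11:51000] AH01964: Connection to child 5 established (server example.com:443)
"""

LINE_RE = re.compile(r"\[client (?P<peer>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)")
DEPTH_RE = re.compile(r"depth (\d+)")
SUBJECT_RE = re.compile(r"\[subject: ([^/\]]+)")
PROTO_RE = re.compile(r"Protocol: ([^,]+), Cipher: (\S+)")

def new_conn():
    return {"chain": {}, "protocol": None, "cipher": None, "https_request": False}

def summarize(log_text):
    """Group mod_ssl debug lines by client ip:port and record handshake milestones."""
    conns = defaultdict(new_conn)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, msg = conns[m["peer"]], m["msg"]
        if m["code"] == "AH02275":            # one line per client-chain certificate
            depth, subj = DEPTH_RE.search(msg), SUBJECT_RE.search(msg)
            if depth:
                conn["chain"][int(depth.group(1))] = subj.group(1).strip() if subj else None
        elif m["code"] == "AH02041":          # negotiated protocol and cipher
            proto = PROTO_RE.search(msg)
            if proto:
                conn["protocol"], conn["cipher"] = proto.groups()
        elif m["code"] == "AH02034":          # first HTTP request over the TLS session
            conn["https_request"] = True
    return dict(conns)

def diagnose(conn):
    if conn["protocol"] and 0 in conn["chain"] and conn["https_request"]:
        return "client chain walked, TLS negotiated, request reached Apache"
    if conn["protocol"]:
        return "TLS negotiated, but no client certificate line or no request logged"
    return "connection opened, handshake not logged as complete"

if __name__ == "__main__":
    for peer, conn in summarize(SAMPLE_LOG).items():
        print(peer, "->", diagnose(conn), conn["chain"])
```

A connection that reaches the first outcome was accepted by Apache, so a 500 or certificate error seen by the caller has to be looked for elsewhere, for example in the gateway's own logs.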