Apigee <-SSL-> Apache Server How to hide actual url?


Hello,

I set up two-way SSL between the Apigee proxy and the Apache backend server.

For example,

The URL of the Apigee proxy is "https://apigee.com/proxy_test".

The URL of the Apache backend is "https://example.com".

When I hit "https://apigee.com/proxy_test", it is redirected to "https://example.com".

The URL in the web browser shows "https://example.com".
I want to show the Apigee proxy address in the browser instead of the actual URL.

In the ssl.conf file on the Apache server, I commented out all ProxyPass and ProxyPassReverse directives, as below.

Then I stopped and restarted the Apache server.

How do I hide actual URL?

<VirtualHost *:443>
	...
</VirtualHost>

<TargetEndpoint name="dev">
	...
</TargetEndpoint>
1 ACCEPTED SOLUTION

That shouldn't happen, because browser to Apigee is a different connection than Apigee to your target.

I am wondering if mod_rewrite is doing a redirection. Could you switch RewriteEngine to off and retry?
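
An added example (not part of the original thread) of one way to test the hypothesis in the answer above: a backend redirect passed through the proxy shows up as a 3xx response whose Location names a host other than the proxy. The response heads below are constructed samples using the thread's example URLs, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed response heads, as a client would receive them from the proxy URL.
SAMPLE_LEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_RELATIVE = "HTTP/1.1 301 Moved Permanently\r\nLocation: /proxy_test/\r\n\r\n"
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only, so URLs in the value stay intact.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw_head):
    """Classify a response to request_url as no-redirect, same-host or leaks-host."""
    status, headers = parse_head(raw_head)
    location = headers.get("location")
    if not (300 <= status < 400) or location is None:
        return ("no-redirect", None)
    # A relative Location is resolved against the URL that was requested.
    target = urljoin(request_url, location)
    if urlsplit(target).hostname == urlsplit(request_url).hostname:
        return ("same-host", target)
    # The browser will follow this and display the backend address.
    return ("leaks-host", target)


if __name__ == "__main__":
    proxy_url = "https://apigee.com/proxy_test"
    for sample in (SAMPLE_LEAK, SAMPLE_RELATIVE, SAMPLE_OK):
        print(check_redirect(proxy_url, sample))
```

The same function can be fed the head printed by `curl -sI` against the proxy URL; a "leaks-host" result means the redirect originates behind the proxy rather than in the browser-to-proxy connection.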


After turning off RewriteEngine or changing the RewriteRule to 'https://%{HTTP_HOST}%{REQUEST_URI}', the API proxy does not work.

It returns a 500 error or an ERR_BAD_SSL_CLIENT_AUTH_CERT error.

I imported all certs, such as the server's cert, chain files, and Apigee's certs, on the server to validate Apigee's certs. I refer to them in the ssl.conf file.

I don't know why it does not work.

When I hit the Apigee proxy address using curl -v -k "address",
it returns message as below:

* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


I think the problems are unrelated. Turning off RewriteEngine shouldn't cause the TLS handshake to fail. Can you debug the TLS handshake? Take a TCP dump or enable debugging:

https://wiki.apache.org/httpd/DebuggingSSLProblems

First, all cert files are verified by following the commands on the link.

Second, when I use SSL logging, it shows these debug logs. It seems fine; I don't know why it returns a 500 error.

...




Did you make an HTTPS request when capturing these logs? Because I can't tell which log lines correspond to an HTTPS request. As you said, everything seems fine. I don't see a BAD_CERT error, which shows up in your response.

I hit 'https:// apigee proxy address'.

Is this not making an HTTPS request?

Since the Apigee proxy is targeting 'https:// target point address' on port 443.


I just hit the base Apigee proxy address without using the target point.

ex. https://apigeeproxy.com/proxyname

target url : https://example.com


Do you think the SSL handshake works well?

[client XX.XXX.XXX.XX:45630] AH01964: Connection to child 4 established (server example.com:443)
ssl_engine_kernel.c(1890): [client XX.XXX.XXX.XX:45630] AH02043: SSL virtual host for servername example.com found
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 2, CRL checking mode: none [subject: OU= XXX  / notbefore: Aug  8 19:36:17 2016 GMT / notafter: Aug  8 20:06:17 2036 GMT]
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 1, CRL checking mode: none [subject: OU= XXX  / notbefore: Aug  8 20:05:40 2016 GMT / notafter: Jul  8 20:35:40 2036 GMT]
ssl_engine_kernel.c(1360): [client XX.XXX.XXX.XX:45630] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: CN= apigee's cert / notbefore: May  5 18:40:04 2017 GMT / notafter: May  5 19:10:04 2020 GMT]
ssl_engine_kernel.c(1823): [client XX.XXX.XXX.XX:45630] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384 (256/256 bits)
ssl_engine_kernel.c(225): [client XX.XXX.XXX.XX:45630] AH02034: Initial (No.1) HTTPS request received for child 4 (server example.com:443)
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of Require all granted: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of <RequireAny>: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of Require all granted: granted
mod_authz_core.c(809): [client XX.XXX.XXX.XX:45630] AH01626: authorization result of <RequireAny>: granted



If this is the full log, then yes.

Does the request show up in the target endpoint application log? Does your target application code actually get executed?

Because I see the handshake executing fine, yet your client gets a bad cert error.

That is odd.

I think that if there is any /targetpoint in the API proxy URL, a 500 error occurs.




Then check your message processor log for errors, and see if it's invalidating the handshake.