Proxy Error with https - Apache2


(Giwenn Launay) #1

Hello,

I am contacting you because I have a problem with Apache.
When I use Apache without http it works correctly, but when it goes through http the following error appears:

```
Proxy Error
The proxy server received an invalid
response from an upstream server.

The proxy server could not handle the request GET /.
Reason: Error reading from remote server

Apache/2.4.10 (Debian) Server at graylog.services.cordonweb.com Port 443
```

Except that I can connect fine with the address entered in "RequestHeader".
Here is the Apache configuration of my server:

```
<VirtualHost *:443>
    ServerName graylog.services.cordonweb.com
    ProxyRequests Off
    SSLEngine on
    SSLCertificateFile "/etc/graylog/certificat2/graylogcert.pem"
    SSLCertificateKeyFile "/etc/graylog/certificat2/graykey.pem"

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        RequestHeader set X-Graylog-Server-URL "https://graylog.services.XXXXXXX.com/api/"
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
</VirtualHost>
```

Furthermore, when I look at the Apache logs (error.log), here is the error message I get:

```
[Tue Apr 11 12:19:08.318976 2017] [proxy_http:error] [pid 3290:tid 140176919619328] (20014)Internal error: [client 135.9.10.7:59270] AH01102: error reading status line from remote server 127.0.0.1:9000
[Tue Apr 11 12:19:08.319004 2017] [proxy:error] [pid 3290:tid 140176919619328] [client 135.9.10.7:59270] AH00898: Error reading from remote server returned by /
```

Can anybody help me?

Thank you

Giwlau


(Jochen) #2

There are working examples for how to do this at http://docs.graylog.org/en/2.2/pages/configuration/web_interface.html.

Please post the configuration and the logs of your Graylog node.

You can use triple backticks to retain the formatting of your text snippets:

```
Text
```

(Giwenn Launay) #3

Here is the configuration of graylog server:

```
is_master = true
node_id_file = /etc/graylog/server/node-id
root_username = admin
rest_listen_uri = http://127.0.0.1:9000/api/
rest_transport_uri = https://graylog.services.XXXXX.com/api/
rest_enable_cors = true
rest_enable_tls = true
rest_tls_cert_file = /etc/graylog/XXXX/XXX/graycert.pem
rest_tls_key_file = /etc/graylog/XXX/XXXX/graykey.pem
rest_tls_key_password = XXXXXX
web_listen_uri = -http://127.0.0.1:9000
web_endpoint_uri = -https://graylog.services.XXXXX.com:443/api
web_enable_tls = true
web_tls_cert_file = /etc/graylog/XXXX/XXX/graycert.pem
web_tls_key_file = /etc/graylog/XXXX/XXXX/graykey.pem
web_tls_key_password = XXXXXX
elasticsearch_shards = 1
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_highlighting = false
elasticsearch_cluster_name = graylog
elasticsearch_node_name = node1
elasticsearch_discovery_zen_ping_unicast_hosts = 127.0.0.1:9300
elasticsearch_discovery_zen_ping_multicast_enabled = false
elasticsearch_network_host = 127.0.0.1
```

I did not include everything, such as the MongoDB parameters, etc.

If you need anything else, do not hesitate to tell me, and thank you for your answers.

PS: I put “-” in front of http so that they are not turned into links


(Jochen) #4

As I said before, you can use triple backticks to retain formatting…


(Jochen) #5

This won’t work with the Apache httpd configuration you’ve posted.

HTTPS termination happens in your Apache httpd, you don’t need to do that in Graylog.


(Giwenn Launay) #6

For what I look has credit note it is to reach has the Web interface without putting the number of the port has every time of the blow I set up one put back proxy It is not that it is necessary to make?


(Jochen) #7

Please elaborate, I don’t understand your question.


(Giwenn Launay) #8

Sorry, I’m French and I’m bad at English

HTTPS that I configured in graylog is functional. I have set up apache so that when I connect to the web interface I do not need to re-enter the port number each time.
Is setting up Apache useful?

Also, if I use Apache, I do not need to fill in:
rest_tls_cert_file and rest_tls_key_file
Did I understand right?


(Jochen) #9

It can be, depending on your requirements.

The problem is that your ProxyPass and ProxyPassReverse settings are wrong for the Graylog configuration you’ve posted (hint: https:// vs. http://).


(Giwenn Launay) #10

I realized that it was the ProxyPass and ProxyPassReverse parameters. I set the two following parameters to https, but here are the errors I get:

```
[Wed Apr 12 09:57:45.872297 2017] [ssl:error] [pid 3279:tid 140448123913984] [remote 127.0.0.1:9000] AH01961: SSL Proxy requested for graylog.services.XXXXXX.com:443 but not enabled [Hint: SSLProxyEngine]
[Wed Apr 12 09:57:45.872380 2017] [proxy:error] [pid 3279:tid 140448123913984] AH00961: HTTPS: failed to enable ssl support for 127.0.0.1:9000 (127.0.0.1)
```

In the Apache error.log file


(Giwenn Launay) #11

Should the ProxyPass and ProxyPassReverse parameters be removed?


(Jochen) #12

No, but you have to use the correct URIs as parameters…


(Giwenn Launay) #13

I found the error, this is because of the Apache version.
SSLEngine on is not correct, we must put SSLProxyEngine On.
In addition, add “/” after ProxyPass and ProxyPassReverse as below:

```
<VirtualHost *:443>
    ServerName graylog.services.XXXX.com
    ProxyRequests Off
    SSLProxyEngine on
    SSLCertificateFile "/etc/graylog/XXXX/graylogcert.pem"
    SSLCertificateKeyFile "/etc/graylog/XXXXX/graykey.pem"

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    RequestHeader set X-Graylog-Server-URL "https://graylog.XXXXXXX.XXXXXX.com/api/"
    ProxyPass / https://graylog.services.XXXXXXX.com:9000/
    ProxyPassReverse / https://graylog.services.XXXXX.com:9000/
</VirtualHost>
```

ProxyPass and ProxyPassReverse must also be set to HTTPS

The configuration on the site http://docs.graylog.org/en/2.2/pages/configuration/web_interface.html#single-or-separate-listeners-for-web-interface-and-rest-api is not totally correct

Thank you very much Jochen for your help


(Jan Doberstein) #14

You are always welcome to send a correction of the documentation via a PR on GitHub.
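
Added example, not part of any post in this thread: a small Python check for the two mismatches the thread runs into, a ProxyPass scheme that disagrees with Graylog's `web_enable_tls` (posts #1 and #9) and an `https://` backend without `SSLProxyEngine on` (the AH01961 hint in post #10). The function names and sample configs are constructed for illustration, and the check assumes `web_enable_tls` alone decides whether the Graylog listener speaks TLS.

```python
import re

def parse_graylog(conf_text):
    """Parse 'key = value' lines of a Graylog server.conf into a dict."""
    pairs = (line.split("=", 1) for line in conf_text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {key.strip(): value.strip() for key, value in pairs}

def check_proxy(vhost_text, graylog_text):
    """Return findings where the Apache proxy and the Graylog listener disagree."""
    settings = parse_graylog(graylog_text)
    backend_tls = settings.get("web_enable_tls", "false").lower() == "true"
    # Backend URL of each ProxyPass/ProxyPassReverse, with or without a path argument.
    targets = re.findall(
        r"^\s*ProxyPass(?:Reverse)?\s+(?:/\S*\s+)?(https?)://(\S+)",
        vhost_text, re.M | re.I)
    proxy_engine = re.search(r"^\s*SSLProxyEngine\s+on\b", vhost_text, re.M | re.I)
    findings = set()
    for scheme, dest in targets:
        uses_tls = scheme.lower() == "https"
        if uses_tls != backend_tls:
            findings.add(f"scheme-mismatch: {scheme}://{dest} but "
                         f"web_enable_tls={str(backend_tls).lower()}")
        if uses_tls and not proxy_engine:
            findings.add(f"ssl-proxy-disabled: https://{dest} needs SSLProxyEngine on")
    return sorted(findings)

# Constructed samples modelled on the thread (loopback address, trimmed directives).
GRAYLOG_TLS = "web_listen_uri = http://127.0.0.1:9000\nweb_enable_tls = true\n"
GRAYLOG_PLAIN = "web_listen_uri = http://127.0.0.1:9000\nweb_enable_tls = false\n"
VHOST_HTTP = """<VirtualHost *:443>
    SSLEngine on
    <Location />
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
</VirtualHost>"""
VHOST_HTTPS = VHOST_HTTP.replace("http://", "https://")
VHOST_HTTPS_ENGINE = VHOST_HTTPS.replace("SSLEngine on", "SSLEngine on\n    SSLProxyEngine on")

if __name__ == "__main__":
    for name, vhost, graylog in [("post #1", VHOST_HTTP, GRAYLOG_TLS),
                                 ("post #10", VHOST_HTTPS, GRAYLOG_TLS),
                                 ("both directives", VHOST_HTTPS_ENGINE, GRAYLOG_TLS),
                                 ("TLS only in Apache", VHOST_HTTP, GRAYLOG_PLAIN)]:
        print(name, check_proxy(vhost, graylog) or "consistent")
```

The last case is the layout described in post #5: HTTPS terminates in Apache and Graylog listens in plain HTTP on loopback, so neither finding applies.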