Univention Bugzilla – Bug 43813
HTTPS access to docker sites doesn't work
Last modified: 2017-04-04 18:29:24 CEST
The HTTPS access to docker based sites doesn't work. After installing dudle, I get the following browser message:
-----------------------------------------------------------------------
Proxy Error

The proxy server could not handle the request GET /dudle/.

Reason: Error during SSL Handshake with remote server
-----------------------------------------------------------------------

The apache log:
-----------------------------------------------------------------------
[Sat Mar 11 01:09:29.517204 2017] [proxy:error] [pid 11567] (502)Unknown error 502: [client 10.205.1.178:33742] AH01084: pass request body failed to 127.0.0.1:40001 (127.0.0.1)
[Sat Mar 11 01:09:29.517742 2017] [proxy:error] [pid 11567] [client 10.205.1.178:33742] AH00898: Error during SSL Handshake with remote server returned by /dudle/
[Sat Mar 11 01:09:29.517941 2017] [proxy_http:error] [pid 11567] [client 10.205.1.178:33742] AH01097: pass request body failed to 127.0.0.1:40001 (127.0.0.1) from 10.205.1.178 ()
-----------------------------------------------------------------------
The test case 80_docker/55_app_modproxy shows the error.
The following options need to be set in /etc/apache2/sites-enabled/default-ssl.conf:

SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
univention-apache: r77608: * The SSL proxy check peer cn and peer name need to be disabled since the docker container web interfaces are available via 127.0.0.1 and not via FQDN (Bug #43813)
(In reply to Stefan Gohmann from comment #2)
> The following options need to be set in
> /etc/apache2/sites-enabled/default-ssl.conf:
>
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off

It's a global configuration which affects all customers/third-party-apps apache configurations. In the recent version of apache httpd (in trunk/) these options can also be set in the proxy-section but not in our version. Maybe we can switch this somewhen.
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #2)
> > The following options need to be set in
> > /etc/apache2/sites-enabled/default-ssl.conf:
> >
> > SSLProxyCheckPeerCN off
> > SSLProxyCheckPeerName off
> It's a global configuration which affects all customers/third-party-apps
> apache configurations. In the recent version of apache httpd (in trunk/)
> these options can also be set in the proxy-section but not in our version.
> Maybe we can switch this somewhen.

Yes, that would be helpful: Bug #43832

It looks like previous mod_proxy versions didn't check these values.

Changelog: r77647 + r77648
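An added example, not part of the bug thread or Univention's code: a small checker that reports where SSLProxyCheckPeerCN / SSLProxyCheckPeerName are switched off in an Apache configuration and whether the setting is global (the concern raised in comment #4) or confined to a proxy section. The function name, both sample configurations and the ProxyPass line are constructed; the scoped form assumes an httpd version that accepts these directives inside <Proxy>.

```python
import re

# Directives from this bug that switch off backend certificate name checks.
CHECKS = {"sslproxycheckpeercn", "sslproxycheckpeername"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE = re.compile(r"</\s*[A-Za-z]+\s*>")

def find_disabled_peer_checks(config_text):
    """Return (line_no, directive, scope) for each check that is set to off.
    scope: "proxy-section" inside <Proxy>/<ProxyMatch>, otherwise "global"
    (the setting then covers every backend proxied by that server or vhost)."""
    findings, stack = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append(opened.group(1).lower())
            continue
        words = line.split()
        if len(words) >= 2 and words[0].lower() in CHECKS and words[1].lower() == "off":
            scoped = any(s in ("proxy", "proxymatch") for s in stack)
            findings.append((no, words[0], "proxy-section" if scoped else "global"))
    return findings

# Constructed sample: the global form described in comment #2.
GLOBAL_CONF = """\
<VirtualHost *:443>
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass /dudle/ https://127.0.0.1:40001/dudle/
</VirtualHost>
"""
# Constructed sample: the proxy-section form (assumes an httpd that accepts it).
SCOPED_CONF = """\
<VirtualHost *:443>
    <Proxy "https://127.0.0.1:40001/">
        SSLProxyCheckPeerName off
    </Proxy>
</VirtualHost>
"""
if __name__ == "__main__":
    for name, conf in (("global", GLOBAL_CONF), ("scoped", SCOPED_CONF)):
        print(name, find_disabled_peer_checks(conf))
```

A "global" finding means the backend certificate name is not verified for any HTTPS target proxied by that host, not only the container on 127.0.0.1.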
OK: Changelog
OK: proxying to docker works
OK: does not have side effects on e.g. UMC as this only uses HTTP.
OK: Bug #43832 will fix it somewhen
UCS 4.2 has been released:
https://docs.software-univention.de/release-notes-4.2-0-en.html
https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".