Bug 43813 - HTTPS access to docker sites doesn't work
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Apache
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2
Assigned To: Stefan Gohmann
Florian Best
: interim-3
Depends on:
Blocks: 43832
Reported: 2017-03-11 12:18 CET by Stefan Gohmann
Modified: 2017-04-04 18:29 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Stefan Gohmann univentionstaff 2017-03-11 12:18:05 CET
The HTTPS access to docker based sites doesn't work. After installing dudle, I get the following browser message:
-----------------------------------------------------------------------
Proxy Error

The proxy server could not handle the request GET /dudle/.
Reason: Error during SSL Handshake with remote server
-----------------------------------------------------------------------

The apache log:
-----------------------------------------------------------------------
[Sat Mar 11 01:09:29.517204 2017] [proxy:error] [pid 11567] (502)Unknown error 502: [client 10.205.1.178:33742] AH01084: pass request body failed to 127.0.0.1:40001 (127.0.0.1)
[Sat Mar 11 01:09:29.517742 2017] [proxy:error] [pid 11567] [client 10.205.1.178:33742] AH00898: Error during SSL Handshake with remote server returned by /dudle/
[Sat Mar 11 01:09:29.517941 2017] [proxy_http:error] [pid 11567] [client 10.205.1.178:33742] AH01097: pass request body failed to 127.0.0.1:40001 (127.0.0.1) from 10.205.1.178 ()
-----------------------------------------------------------------------
Comment 1 Stefan Gohmann univentionstaff 2017-03-11 12:20:25 CET
The test case 80_docker/55_app_modproxy shows the error.
Comment 2 Stefan Gohmann univentionstaff 2017-03-11 12:26:04 CET
The following options need to be set in /etc/apache2/sites-enabled/default-ssl.conf:

SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
Comment 3 Stefan Gohmann univentionstaff 2017-03-11 13:35:46 CET
univention-apache: r77608:
* The SSL proxy check peer cn and peer name need to be disabled since
  the docker container web interfaces are available via 127.0.0.1 and
  not via FQDN (Bug #43813)
Comment 4 Florian Best univentionstaff 2017-03-13 14:09:40 CET
(In reply to Stefan Gohmann from comment #2)
> The following options need to be set in
> /etc/apache2/sites-enabled/default-ssl.conf:
> 
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off
It's a global configuration which affects all customers/third-party-apps apache configurations. In the recent version of apache httpd (in trunk/) these options can also be set in the proxy-section but not in our version. Maybe we can switch this somewhen.
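The two ways of relaxing the check that comments 2 and 4 discuss, side by side, as an added illustration (not configuration from the univention-apache package). The scoped form needs an httpd that accepts SSLProxy* directives inside a <Proxy> block, which comment 4 says was only the case in trunk at the time; the backend 127.0.0.1:40001 and the /dudle/ path come from the description, the CA file path and the ProxyPass target path are assumed.

```apache
# Variant 1: what comment 2 puts into default-ssl.conf. It is server-wide,
# so EVERY HTTPS backend this Apache proxies to is accepted without a
# hostname check, not only the local docker containers.
SSLProxyEngine on
SSLProxyCheckPeerCN   off
SSLProxyCheckPeerName off

# Variant 2: the same relaxation limited to the one loopback backend.
# Only valid on an httpd that allows these directives in a proxy section
# (trunk at the time of this bug, see comment 4). The certificate chain is
# still verified against the CA; only the name/CN match against
# "127.0.0.1" is skipped, and only for this backend. Other HTTPS backends
# keep the default SSLProxyCheckPeerName on.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/ucs-ca.pem   # assumed path
<Proxy "https://127.0.0.1:40001/">
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN   off
</Proxy>
ProxyPass        /dudle/ https://127.0.0.1:40001/dudle/   # assumed target path
ProxyPassReverse /dudle/ https://127.0.0.1:40001/dudle/
```

Whichever variant is used, the AH00898 "Error during SSL Handshake with remote server" line from the description is the log signal to watch for: with the name check on, it reports the mismatch between the container's FQDN certificate and the 127.0.0.1 backend address.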
Comment 5 Stefan Gohmann univentionstaff 2017-03-13 15:40:31 CET
(In reply to Florian Best from comment #4)
> (In reply to Stefan Gohmann from comment #2)
> > The following options need to be set in
> > /etc/apache2/sites-enabled/default-ssl.conf:
> > 
> > SSLProxyCheckPeerCN off
> > SSLProxyCheckPeerName off
> It's a global configuration which affects all customers/third-party-apps
> apache configurations. In the recent version of apache httpd (in trunk/)
> these options can also be set in the proxy-section but not in our version.
> Maybe we can switch this somewhen.

Yes, that would be helpful: Bug #43832

It looks like previous mod_proxy versions didn't check these values.

Changelog: r77647 + r77648
Comment 6 Florian Best univentionstaff 2017-03-20 14:09:47 CET
OK: Changelog
OK: proxying to docker works
OK: does not have side effects on e.g. UMC as this only uses HTTP.
OK: Bug #43832 will fix it somewhen
Comment 7 Stefan Gohmann univentionstaff 2017-04-04 18:29:24 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".