1

I set up an Apache v2.4 reverse proxy on a CentOS 7 machine, serving requests to several vhosts; amongst these there are Atlassian application servers.

The proxy's private IP address is 10.0.0.77, its public IP address is 77.77.77.77, and several DNS A records map the public IP to various FQDN: foo.example.com, bar.example.com, etc.

There is a NAT in place:

77.77.77.77:10080 -> 10.0.0.77:80
77.77.77.77:10443 -> 10.0.0.77:443

which is necessary because the proxy's public IP address is used also for other services. The setup is the same as this other question.

Here below is an example of vhost configuration (simplified), /etc/httpd/conf.d/foo.conf:

<VirtualHost *:80>
    ServerName foo.example.com
    ProxyRequests       Off
    ProxyPreserveHost   Off
    SetEnv proxy-nokeepalive 1
    Redirect "/" "https://foo.example.com:10443/"
</VirtualHost>

<VirtualHost *:443>
    ServerName foo.example.com
    ServerSignature On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine On
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # SSLCipherSuite shortened here for simplicity
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384"
    SSLCertificateFile      /etc/httpd/ssl/proxy.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/proxy.key
    SSLCACertificateFile    /etc/httpd/ssl/proxy.ca.crt
    ProxyRequests           Off
    ProxyPreserveHost       On
    ProxyPass           "/" "http://foo.example.com:8080/" 
    ProxyPassReverse    "/" "http://foo.example.com:8080/"
</VirtualHost>

This configuration works well with two Jira servers, a Stash server, a Confluence v6.10 server, and several other servers. However, the web browser fails loading a proxied Bamboo v6.4 server vhost and a Question2Answer platform.

On Firefox the reported error is NS_ERROR_NET_TIMEOUT. On IE the error is:

There was a temporary DNS error. Try refreshing the page.
Error Code: INET_E_RESOURCE_NOT_FOUND

On the httpd access log for each failing vhost there is nothing, not even on LogLevel trace8, so apparently the request doesn't even hit the proxy.

I can access Bamboo via curl from the proxy (a -L flag is necessary as Bamboo serves a 302):

[root@proxy]# curl -XGET http://bamboo.example.com:8085/

[root@proxy]# curl -v -XGET http://bamboo.example.com:8085/
* About to connect() to bamboo.example.com port 8085 (#0)
*   Trying 10.0.0.11...
* Connected to bamboo.example.com (10.0.0.11) port 8085 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: bamboo.example.com:8085
> Accept: */*
> 
< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< X-ASEN: SEN-4619603
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Vary: Accept-Encoding
< Set-Cookie: JSESSIONID=E4D13B8AD7D4D172F4E5F834D1E89710; Path=/; Secure; HttpOnly
< Cache-Control: no-store
< Location: /userlogin!doDefault.action?os_destination=%2Fstart.action
< Content-Language: en-US
< Content-Length: 0
< Date: Mon, 01 Oct 2018 15:06:19 GMT
< 
* Connection #0 to host bamboo.example.com left intact

[root@proxy]# curl -L -XGET http://bamboo.example.com:8085/
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Log in as a Bamboo user</title>
    <meta http-equiv="X-UA-Compatible" content="IE=EDGE" />

    <meta http-equiv="Pragma" content="no-cache" />
    <meta http-equiv="Expires" content="-1" />

    <meta name="application-name" content="Bamboo" />
    (...)

The firewall on the destination servers is open from the server to the proxy (note that Atlassian applications run on nonstandard ports, e.g. Jira serves content on TCP/8080).

I am puzzled because almost all other vhosts work flawlessly. I have also carefully checked the URL path and it is correct.

  • What could be the cause of this problem?

  • Is there a way to trace the HTTP request in a better way? I use Firefox's add-on HTTP Header Live for now and I'd like to find some more complex tool.

Improve this question

2 Answers 2

Reset to default
2
+50

You should be able to see something in the Apache error log for the failed requests if the problem is in the config. Usually they are at /var/log/apache2/error.log or somewhere similar. Timeouts there would indicate not being able to reach the backend server in the config. Since you can reach it with curl, it would probably be a config issue.

If there's nothing in there or the access log (in the same location) for the requests you are making, then they probably aren't reaching the proxy to begin with. I'd check the DNS configuration for bamboo.example.com is correct, and pointing at your proxy as expected.

You could use curl to hit the proxy externally to see what's happening in more detail. Try dig or nslookup first to check the name is resolving to the IP you expect.

My guess would be it's a problem between client -> proxy, because if it was a timeout at the proxy -> backend you would likely get a 504 error code in the browser.

Improve this answer
0

The error reported by IE tipped me off. The DNS A records for the failing vhosts do not point to the proxy server but to the servers' private IPs.

I did not find the problem sooner because Firefox reported just a generic timeout.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.