Apache httpd reverse proxy returns SSL_ERROR_RX_RECORD_TOO_LONG when HTTP redirects to HTTPS

dr_

I am setting up an Apache v2.4 httpd reverse proxy for another server hosting Atlassian Confluence.

The proxy's private IP address is 10.0.0.77, its public IP address is 77.77.77.77, and a DNS A record maps the public IP to confluence.example.com.

There is a NAT in place:

  • 77.77.77.77:10080 -> 10.0.0.77:80
  • 77.77.77.77:10443 -> 10.0.0.77:443

which is necessary because the proxy's public IP address is used also for other services.

Name resolution on the proxy is done via /etc/hosts, which maps confluence.example.com to 10.0.0.9, the private IP of the Confluence server.

Here's /etc/httpd/conf.d/confluence.conf (as you see, it also does a redirect from HTTP to HTTPS):

<VirtualHost *:80>
    ServerName confluence.example.com
    ProxyRequests off
    ProxyPreserveHost off
    SetEnv force-proxy-request 1
    SetEnv proxy-nokeepalive 1
    ProxyPass        "/" "http://confluence.example.com:8090/" 
    ProxyPassReverse "/" "http://confluence.example.com:8090/"
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    ServerName confluence.example.com
    ServerSignature On
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # SSL cipher suite shortened for clarity
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384"
    SSLCertificateFile    /etc/httpd/ssl/example.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.key
    SSLCACertificateFile  /etc/httpd/ssl/example.crt
    ProxyRequests off
    ProxyPreserveHost on 
    ProxyPass        "/" "http://confluence.example.com:8090/" 
    ProxyPassReverse "/" "http://confluence.example.com:8090/"
</VirtualHost>

When accessing http://confluence.example.com:10080 (or even http://77.77.77.77:10080) from a browser, the URL changes to https://confluence.example.com:10080 but, instead of showing the Confluence login page, this error is returned:

Secure Connection Failed
An error occurred during a connection to 77.77.77.77:10080. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

This is what is logged (DEBUG level) to the http access log:

33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"

and to the http error log:

[Mon Sep 17 17:11:58.095085 2018] [core:debug] [pid 23120] protocol.c(1271): [client 33.33.33.33:49745] AH00566: request failed: malformed request line

I have set up separate https access and error logs, nothing is logged there. As you might have guessed, 33.33.33.33 is my outgoing public IP.

Accessing https://confluence.example.com:10443 works fine.

The same config works on another Apache v2.2 reverse proxy.

Any hint?

roaima

I do this for my Tomcat instances. (Formerly Confluence, now XWiki.)

  1. The http → https vHost is a straight redirect, no proxies.
  2. The https vHost manages the proxy rewrites for Tomcat, knowing that the URI has a sane pattern.

Here's a (slightly) edited version of my configuration:

<VirtualHost *:80>
        ServerAdmin [email protected]

        ServerName confluence.example.com

        DocumentRoot /home/www/confluence.example.com/docroot


        # Global protection
        #
        <Directory />
                Options none
                AllowOverride None
        </Directory>


        # Send users to canonical website
        #
        Redirect / https://confluence.example.com/


        # Logging
        #
        ServerSignature On
        LogLevel warn
        ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-error.log"
        CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/public-access.log" combined

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin [email protected]

        ServerName confluence.example.com

        DocumentRoot /home/www/confluence.example.com/docroot
        AddDefaultCharset UTF-8


        # Global protection
        #
        <Directory />
                Options none
                AllowOverride None
        </Directory>


        # Access to the application itself
        #
        ProxyPassMatch /(.*) http://confluence.example.com:8090/$1
        ProxyPassReverse / http://confluence.example.com:8090/
        ProxyPassReverseCookieDomain confluence.example.com confluence.example.com


        # Logging
        #
        ServerSignature On

        LogLevel warn rewrite:debug
        ErrorLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-error.log"
        CustomLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-access.log" combined

        #RewriteLogLevel 1
        #RewriteLog "|/usr/bin/cronolog /home/www/confluence.example.com/logs/%Y/%m/%d/secure-rewrite.log"


        # SSL
        #
        SSLEngine on

        SSLCertificateFile      "...crt"
        SSLCertificateKeyFile   "...key"
        SSLCertificateChainFile "...ca-bundle"

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
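Added example (not part of either post above): a Python check that ties together the access-log lines and the NAT mapping quoted in the question. It flags logged "requests" that begin with a TLS handshake record header and tests where a redirect built from the Host header lands; the function names and the NAT dictionary layout are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# NAT table from the question: public port -> (private port, protocol served there)
NAT = {10080: (80, "http"), 10443: (443, "https")}

# The two access-log lines quoted in the question (user agent shortened;
# raw strings keep Apache's \xHH escapes as literal text)
SAMPLE_LOG = [
    r'33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0"',
    r'33.33.33.33 - - [17/Sep/2018:17:06:59 +0200] "\x16\x03\x01\x02" 400 226 "-" "-"',
]

REQUEST_RE = re.compile(r'\] "((?:[^"\\]|\\.)*)" (\d{3}) ')

def request_bytes(line):
    """Return the logged request line as raw bytes, undoing \\xHH escapes."""
    m = REQUEST_RE.search(line)
    if not m:
        return b""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda h: bytes([int(h.group(1), 16)]),
                  m.group(1).encode("latin-1"))

def tls_on_plaintext(line):
    """True when the 'request' starts with a TLS handshake record header
    (content type 0x16, protocol major version 0x03), not an HTTP method."""
    return request_bytes(line)[:2] == b"\x16\x03"

def rewrite_target(host_header, uri):
    """What RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} produces."""
    return f"https://{host_header}{uri}"

def check_redirect(location, nat=NAT):
    """Compare a redirect's scheme with what the NAT'd public port serves."""
    url = urlsplit(location)
    port = url.port or {"http": 80, "https": 443}[url.scheme]
    if port not in nat:
        return f"public port {port} is not in the NAT table"
    private_port, served = nat[port]
    if served != url.scheme:
        return (f"{url.scheme} sent to public port {port}, "
                f"which forwards to {served} on port {private_port}")
    return "ok"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(tls_on_plaintext(line), line[:60])
    # The browser sends Host: confluence.example.com:10080, so the port is kept
    print(check_redirect(rewrite_target("confluence.example.com:10080", "/")))
    print(check_redirect("https://confluence.example.com:10443/"))
```

The `\x16\x03\x01\x02` entry with status 400 is a TLS ClientHello arriving at the plain-HTTP virtual host, which matches the browser's SSL_ERROR_RX_RECORD_TOO_LONG; a redirect target that names the public HTTPS port (10443 in the question's NAT) passes the check.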
