Reverse proxy Hiawatha to Hiawatha problem

chrisf
3 September 2014, 07:00


Hiawatha version: 9.7
Operating System: CentOS 6.5

Okay, another hit my head against the wall problem. I am trying to get a reverse proxy to work from Hiawatha to another Hiawatha server. I keep getting this error:

ERR_INCOMPLETE_CHUNKED_ENCODING

Which I had to debug, as in other browsers it just said unavailable. The reverse proxy is to a https://x.x.x.x:7777

Any ideas?
chrisf
3 September 2014, 07:13
I changed the reverse proxy to http and it works, but I can not have this unsecure. Https just won't work.
Hugo Leisink
3 September 2014, 07:32
Please, try the patch at the end of this topic.
chrisf
3 September 2014, 07:57
Will do, but I did not have keep-alive on. Does this matter?

In testing, that error did occur when I added keep-alive to a reverse proxy that was ssl and had previously worked, so I disabled the keep-alive again.

Is there anywhere else in your code that may need a similar change (no keep-alive)? Just asking...
Hugo Leisink
3 September 2014, 07:58
Hmm, in that case it doesn't matter. What part of the connection is SSL? Between client and proxy or between proxy and webserver?
chrisf
3 September 2014, 08:04
Both. The client to hiawatha frontend ssl, hiawatha reverse proxied to hiawatha (our control panel) over ssl.

This works when going hiawatha to lighttpd, both ssl. But that is our virtualizer panel. Our webhosting panel uses hiawatha. Reverse proxy to it over ssl fails. Http works good.
Hugo Leisink
3 September 2014, 08:05
Ok, will do some testing myself.
chrisf
3 September 2014, 09:41
Well, I have tried everything I know of. In my tests I can get hiawatha frontend to reverse proxy ssl to lighttpd and apache. If keep-alive is off. Turn it on, chunk error.

Hiawatha to hiawatha will not work over ssl no matter keep-alive setting. Hiawatha to hiawatha http does work.

In your hands now, think there is a bug somewhere.
Hugo Leisink
4 September 2014, 09:02
I've done some testing, but it all works fine here. Is it possible for me to connect directly to your webhosting panel (assuming that a password is required, so your security won't be compromised). If so, I configure a reverse proxy to that panel at my own server (141.138.201.249), so I can see what goes wrong inside the proxy.
chrisf
4 September 2014, 15:56
Sure, I see no security issue. Our firewall protects against 5 incorrect logins.

Here is my configuration for the vhosts:
VirtualHost {
    FollowSymlinks = no
    Hostname = cp1.convictionshosting.com
    RequiredBinding = port_nonssl_/home/kloxo/httpd/ssl/venet0_2___localhost,port_ssl_/home/kloxo/httpd/ssl/venet0_2___localhost
    WebsiteRoot = /home/admin/convictionshosting.com
    AccessLogfile = /home/httpd/convictionshosting.com/stats/convictionshosting.com-custom_log
    ErrorLogfile = /home/httpd/convictionshosting.com/stats/convictionshosting.com-error_log
    ReverseProxy ^/.* https://23.236.146.37:7777/ 300
}

VirtualHost {
    FollowSymlinks = no
    Hostname = cp3.convictionshosting.com
    RequiredBinding = port_nonssl_/home/kloxo/httpd/ssl/venet0_2___localhost,port_ssl_/home/kloxo/httpd/ssl/venet0_2___localhost
    WebsiteRoot = /home/admin/convictionshosting.com
    AccessLogfile = /home/httpd/convictionshosting.com/stats/convictionshosting.com-custom_log
    ErrorLogfile = /home/httpd/convictionshosting.com/stats/convictionshosting.com-error_log
    ReverseProxy ^/.* http://23.236.146.43:7778/ 300
}

The first one is ssl, fails, second http, doesn't.
Hugo Leisink
5 September 2014, 10:23
Thanks, will do testing and debugging this weekend.
Hugo Leisink
6 September 2014, 13:43
It works for me with keep-alive connections turned on:
ReverseProxy ^/.* https://23.236.146.37:7777/ Keep-Alive


Will see what goes wrong with close connections.
Hugo Leisink
6 September 2014, 13:55
Also the close-connections are also working fine here...
chrisf
6 September 2014, 16:19
How is that possible? Did you visit the url?
chrisf
6 September 2014, 16:33
I removed the '300' and turned on Keep-Alive, panel now loads, however, after switching a few pages images start to disappear, then I even got a 500 internal error.

This is 9.7 with your keep-alive patch.
chrisf
6 September 2014, 16:36
And now in testing a 504 Gateway Timeout.
Hugo Leisink
6 September 2014, 17:40
In src/ssl.c, change in function ssl_receive()
    if (result < 0) {

to
    if (result == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) {
        return 0;
    } else if (result < 0) {

Please, let me know if this solves your issue.
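
The effect of the ssl_receive() change in the post above, shown as an added example that is not part of the original post and is not Hiawatha's source. The names `fake_tls`, `receive_before`, `receive_after` and `relay_body` are hypothetical, and the error constants are constructed stand-ins rather than the TLS library's real values.

```c
#include <stdio.h>

/* Constructed stand-ins for the TLS library's codes, not its real values. */
#define ERR_PEER_CLOSE_NOTIFY (-2)  /* role of POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY */
#define ERR_OTHER             (-1)  /* any other TLS failure */
/* Scripted backend: each entry is what one TLS read call returns. */
typedef struct { const int *results; size_t count, pos; } fake_tls;
static int fake_tls_read(fake_tls *t, char *buf, int len) {
    (void)buf; (void)len;  /* payload bytes are irrelevant to this example */
    return t->pos < t->count ? t->results[t->pos++] : ERR_OTHER;
}

/* Before the change: every negative result is reported as an error. */
int receive_before(fake_tls *t, char *buf, int len) {
    int result = fake_tls_read(t, buf, len);
    if (result < 0) return -1;
    return result;
}

/* After the change: close_notify is a clean end of stream, reported as 0. */
int receive_after(fake_tls *t, char *buf, int len) {
    int result = fake_tls_read(t, buf, len);
    if (result == ERR_PEER_CLOSE_NOTIFY) return 0;
    else if (result < 0) return -1;
    return result;
}

/* Proxy-style read loop: bytes relayed, or -1 when the read failed. */
long relay_body(int (*recv_fn)(fake_tls *, char *, int), const int *script, size_t n) {
    fake_tls t = { script, n, 0 };
    char buf[64];
    long total = 0;
    for (;;) {
        int r = recv_fn(&t, buf, (int)sizeof buf);
        if (r < 0) return -1;      /* a proxy would answer with an error here */
        if (r == 0) return total;  /* backend finished the response */
        total += r;
    }
}

/* Constructed scripts: data then close_notify; data then a real failure. */
const int clean_close[] = { 40, 24, ERR_PEER_CLOSE_NOTIFY };
const int broken[] = { 40, ERR_OTHER };

int main(void) {
    printf("before=%ld after=%ld\n", relay_body(receive_before, clean_close, 3),
           relay_body(receive_after, clean_close, 3));
    return 0;
}
```

A stream that ends with any other error still returns -1 in both versions, so only a peer's explicit close_notify is treated as a complete response.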
chrisf
8 September 2014, 01:45
It appears to have solved the timeout issue

So it took both patches (keep-alive chunk and ssl above) to correct it. I will continue testing. Thank you Hugo!!
chrisf
8 September 2014, 17:24
Spoke too soon.

Further testing, although that helped, I had to add 15 after the proxy. Guess the default of 5 is too low for some actions. Since the php timeout is 30, thinking of raising this to 30.
Hugo Leisink
8 September 2014, 17:32
But, is it now working or not?
chrisf
9 September 2014, 02:38
Yup, with the timeout set to 15 no timeouts, no problems.
This topic has been closed.