I am trying to migrate a quite old proxy server with Apache httpd, running on AIX
The scenario is that my server accepts connections on http and proxies them to an SSL backend. This is done in a ProxyPass statement, as follows:
When I try to access this service, I get an internal server error and there is an entry in the error log:
[Fri Dec 20 08:51:53.194111 2019] [proxy:error] [pid 20250630:tid 6683] AH00961: HTTPS: failed to enable ssl support for 10.148.0.139:443 (mybackend.mycompany.com)
The httpd version is 2.4.39 (perzl.org), running on AIX 7.1
I suspect that I would need to install CA certificates to be able to establish SSL connection, however the default value for SSLVerifyCert is none.
Tried to set the logging to higher value, but no relevant info came up (LogLevel was set from warn to debug). Is there a way to produce some more detailed log on this type of ssl handshake?
Description: Controls the verbosity of the ErrorLog
Syntax: LogLevel [module:]level [module:level] ...
Default: LogLevel warn
Context: server config, virtual host, directory
Status: Core
Module: core
Compatibility: Per-module and per-directory configuration is available in Apache HTTP Server 2.3.6 and later
LogLevel adjusts the verbosity of the messages recorded in the error logs (see ErrorLog directive).
The following levels are available, in order of decreasing significance:
Level Description Example
emerg Emergencies - system is unusable. "Child cannot open lock file. Exiting"
alert Action must be taken immediately. "getpwuid: couldn't determine user name from uid"
crit Critical Conditions. "socket: Failed to get a socket, exiting child"
error Error conditions. "Premature end of script headers"
warn Warning conditions. "child process 1234 did not exit, sending another SIGHUP"
notice Normal but significant condition. "httpd: caught SIGBUS, attempting to dump core in ..."
info Informational. "Server seems busy, (you may need to increase StartServers, or Min/MaxSpareServers)..."
debug Debug-level messages "Opening config file ..."
trace1 Trace messages "proxy: FTP: control connection complete"
trace2 Trace messages "proxy: CONNECT: sending the CONNECT request to the remote proxy"
trace3 Trace messages "openssl: Handshake: start"
trace4 Trace messages "read from buffered SSL brigade, mode 0, 17 bytes"
trace5 Trace messages "map lookup FAILED: map=rewritemap key=keyname"
trace6 Trace messages "cache lookup FAILED, forcing new map lookup"
trace7 Trace messages, dumping large amounts of data "| 0000: 02 23 44 30 13 40 ac 34 df 3d bf 9a 19 49 39 15 |"
trace8 Trace messages, dumping large amounts of data "| 0000: 02 23 44 30 13 40 ac 34 df 3d bf 9a 19 49 39 15 |"
When a particular level is specified, messages from all other levels of higher significance will be reported as well.
E.g., when LogLevel info is specified, then messages with log levels of notice and warn will also be posted.
Using a level of at least crit is recommended.
For example:
LogLevel notice
Note
When logging to a regular file, messages of the level notice cannot be suppressed and thus are always logged. However, this doesn't apply when logging is done using syslog.
Specifying a level without a module name will reset the level for all modules to that level.
Specifying a level with a module name will set the level for that module only.
It is possible to use the module source file name, the module identifier, or the module identifier with the trailing _module omitted as module specification.
This means the following three specifications are equivalent:
LogLevel info ssl:warn
LogLevel info mod_ssl.c:warn
LogLevel info ssl_module:warn
It is also possible to change the level per directory:
LogLevel info
<Directory "/usr/local/apache/htdocs/app">
LogLevel debug
</Directory>
Per directory loglevel configuration only affects messages that are logged after the request has been parsed and that are associated