
Client can connect to reverse proxy running Debian 10 (Apache/2.4.38) but not Debian 11 (Apache/2.4.54)


I have a website hosted behind 2 reverse proxies running Apache on Debian. The client is an automated script and it's not easy to know what config/software they're using.

When both reverse proxies were running Debian 10 (Apache/2.4.38 (Debian) OpenSSL/1.1.1n) the client was able to connect fine. When I upgraded one proxy to Debian 11 (Apache/2.4.54 (Debian) OpenSSL/1.1.1n), the client started having random TCP timeouts when trying to query our website. I can connect fine using the new proxy with Firefox or Chrome.

After much head scratching, I disabled the Debian 11 proxy on the load balancer and the client timeout problems disappeared.

The Apache config is shared between both proxies and is identical. What protocols/ciphers have been disabled between Debian 10 and 11 that my client must be using?

Here's the config. The client queries the /api/ path, which triggers mod_rewrite. Sensitive information has been replaced by the word sanitized:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCACertificateFile /opt/sanitized.cer 
SSLProxyCheckPeerName off 

Listen 10.10.3.52:443
<VirtualHost 10.10.3.52:443>
    ServerName https://sanitized:443
    DocumentRoot /var/www
    
    SSLEngine On

    SSLCertificateFile       certs/live/sanitized/fullchain.pem
    SSLCertificateKeyFile    certs/live/sanitized/privkey.pem

    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLSessionTickets       off

    Header add Strict-Transport-Security "max-age=63072000"

    SSLUseStapling On
    SSLStaplingReturnResponderErrors off
    SSLStaplingFakeTryLater off

    RequestHeader append SSL Enabled

    Header always append X-Frame-Options SAMEORIGIN
    Header add Referrer-Policy "strict-origin-when-cross-origin"

    RewriteEngine On
    RewriteRule ^/api/sanitized/(.+)        https://10.10.4.126/api/sanitized=$1

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / balancer://sanitized/
    ProxyPassReverse / balancer://sanitized/
</VirtualHost>
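
One way to find out what the unknown client negotiates, as an added example that is not part of the original post: log mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` on the proxy that still works and tally them per client for `/api/` requests. The `LogFormat` line in the comment, the sample log lines and the client addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed diagnostic log format for the working proxy (not in the question's config):
#   LogFormat "%h %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s" tlsdiag
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[[^\]]+\] (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$')

# TLS 1.2 suites copied from the SSLCipherSuite line in the question.
CONFIGURED = set((
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
).split(":"))

def governed_by(proto, cipher):
    """Name the setting that selects this suite on the server."""
    if proto == "TLSv1.3":
        # TLS 1.3 suites are configured separately (SSLCipherSuite TLSv1.3 ...).
        return "TLSv1.3 suite list"
    return "SSLCipherSuite" if cipher in CONFIGURED else "not in SSLCipherSuite"

def tally(lines, prefix="/api/"):
    """Count (protocol, cipher) pairs per client for requests under prefix."""
    per_client, skipped = defaultdict(Counter), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] == "-":   # unparsable line or non-TLS request
            skipped += 1
            continue
        if m["path"].startswith(prefix):
            per_client[m["host"]][(m["proto"], m["cipher"])] += 1
    return dict(per_client), skipped

# Constructed sample lines (documentation-range addresses, made-up timestamps).
SAMPLE = [
    '203.0.113.10 [12/Jan/2023:10:00:01 +0000] TLSv1.2 ECDHE-RSA-AES128-SHA256 "GET /api/sanitized/1 HTTP/1.1" 200',
    '203.0.113.10 [12/Jan/2023:10:00:05 +0000] TLSv1.2 ECDHE-RSA-AES128-SHA256 "GET /api/sanitized/2 HTTP/1.1" 200',
    '198.51.100.7 [12/Jan/2023:10:00:09 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /api/sanitized/3 HTTP/1.1" 200',
    '198.51.100.7 [12/Jan/2023:10:00:11 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /index.html HTTP/1.1" 200',
    'truncated line',
]

if __name__ == "__main__":
    clients, skipped = tally(SAMPLE)
    for host, counts in clients.items():
        for (proto, cipher), n in counts.most_common():
            print(f"{host} {proto} {cipher} x{n}: {governed_by(proto, cipher)}")
```

Only requests that completed a TLS handshake reach this log, so connections that time out at the TCP level never appear in it.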