[Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8

[Rob Crittenden]

Mike Staver wrote:
> I'm running Solaris 10 with self compiled:
> 
> Apache 2.2.15
> mod_nss 1.0.8
> nss 3.12.6
> nspr 4.8.4
> 
> I have all of those successfully compiled and working together, for the
> most part. I compiled apache so that I had axps and all the proxy modules.
> I now have all my CRLs updated in the NSS database, and Apache is working
> very nicely with it that way. The problem comes into play when I try to
> set up a proxy. I've set up a lot of proxies before here with mod_ssl, and
> everything was cool. However, now I'm trying to get it to work with
> mod_nss, and I don't *think* I have mod_ssl even compiled in on this box,
> and I certainly don't have it loading the config file which just showed up
> by default. The error I'm getting is:
> 
> [error] proxy: pass request body failed to 10.0.0.25:443 (10.0.0.25) from
> 10.0.0.75 ()
> 
> I can get to the 10.0.0.75 box fine from a web browser over SSL. I can
> ping and see the open port 443 from the proxy web server, so it's not a
> network issue or anything like that.
> 
> I've read that the problem could stem from some existing mod_ssl libraries
> being loaded somewhere. Can somebody tell me how to check for that, and
> possibly remedy that? Or do I possibly have another problem here that I'm
> not seeing?

mod_proxy provides a single interface for registering the SSL functions 
it needs. Since mod_ssl blindly registers when it loads mod_nss skips it 
if it detects mod_ssl. So yes, merely having a 'LoadModule ssl_module 
modules/mod_ssl.so' somewhere in the configuration is enough to make 
mod_nss not work with mod_proxy.

Note that some recent changes for the mod_nss/mod_proxy interaction were 
pushed out to the source HEAD recently. You'll probably want to pull the 
source from CVS if you're using the 1.0.8 tarball. This will let mod_nss 
work with mod_proxy as a reverse SSL proxy.

rob