Issue with Apache/SNI - site works on inside network, but not from outside thru haproxy
by chudster from LinuxQuestions.org on (#5F2T9)
I have a strange issue that I have not been able to solve for several days now.
I have a LAMP server running RHEL 7.8 and Apache 2.4.6, serving up a secure Wordpress site we'll call news.mysite.edu .
The site works fine when browsed from our local campus network.
However from the outside, it serves up a RedHat test page. If I disable/rename welcome.conf, and comment out the default vhost in ssl.conf, it then returns 403 forbidden and the apache logs show:
AH01630: client denied by server configuration: /var/www/html/favicon.ico, referer: https://news.mysite.edu/
The way we allow traffic in from the outside is I have an haproxy server (RHEL 7.9 and HA-Proxy version 1.5.18) with haproxy running in tcp mode, so it is just a pass-through (no examination or manipulation of http headers). This haproxy server handles 6 sites, sending traffic to the appropriate internal web server for each site. They all work except for this Wordpress site on this LAMP server, it is the only one that doesn't work.
This is apparently an haproxy issue, but it is strange that it is just for this one site. I am thinking this is some kind of SNI issue or certificate issue on the LAMP server that haproxy doesn't like. Again, the site comes up locally, just not when going through haproxy from the outside. It's like Apache is serving the wrong vhost when coming in through haproxy from the outside.
My haproxy config and Apache config are here: https://dpaste.org/DhVV
Any thoughts or ideas would be appreciated. Thanks.
I have a LAMP server running RHEL 7.8 and Apache 2.4.6, serving up a secure Wordpress site we'll call news.mysite.edu .
The site works fine when browsed from our local campus network.
However from the outside, it serves up a RedHat test page. If I disable/rename welcome.conf, and comment out the default vhost in ssl.conf, it then returns 403 forbidden and the apache logs show:
AH01630: client denied by server configuration: /var/www/html/favicon.ico, referer: https://news.mysite.edu/
The way we allow traffic in from the outside is I have an haproxy server (RHEL 7.9 and HA-Proxy version 1.5.18) with haproxy running in tcp mode, so it is just a pass-through (no examination or manipulation of http headers). This haproxy server handles 6 sites, sending traffic to the appropriate internal web server for each site. They all work except for this Wordpress site on this LAMP server, it is the only one that doesn't work.
This is apparently an haproxy issue, but it is strange that it is just for this one site. I am thinking this is some kind of SNI issue or certificate issue on the LAMP server that haproxy doesn't like. Again, the site comes up locally, just not when going through haproxy from the outside. It's like Apache is serving the wrong vhost when coming in through haproxy from the outside.
My haproxy config and Apache config are here: https://dpaste.org/DhVV
Any thoughts or ideas would be appreciated. Thanks.