[Mod_nss-list] Redirect to Maintenance Page

Cohen, Laurence lcohen at novetta.com
Tue Mar 29 17:10:53 UTC 2016


Hi everyone,

I have what I hope is a simple question with a simple answer that I'm just
overlooking.  I have a need to temporarily put our application in
maintenance mode, and display a static page from our web server stating
that the application is temporarily unavailable.

The Web Server is Apache 2.2, and it contains Include lines for
rewrite.conf and nss.conf.

Here are those files respectively.

rewrite.conf

# When maintenance mode is enabled, ALL requests are redirected to the
# maintenance page, except for the page itself and the images on the page.

RewriteEngine on

RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

RewriteCond %{SERVER_PROTOCOL}  !https
RewriteCond %{REQUEST_URI}      !^/favicon.ico
RewriteCond %{REQUEST_URI}      !^/dseLogo.png
RewriteCond %{REQUEST_URI}      !^/maintenance.html$
RewriteRule ^/(.*)$ https://testweb01.novetta.com/maintenance.html [L,R]


nss.conf

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

NSSPassPhraseDialog file:/etc/httpd/.password.conf
#NSSPassPhraseDialog  builtin

NSSPassPhraseHelper /usr/sbin/nss_pcache

NSSSessionCacheSize 10000
NSSSessionCacheTimeout 100
NSSSession3CacheTimeout 86400
NSSSessionTickets off

NSSRandomSeed startup builtin


<VirtualHost _default_:443>

DocumentRoot "/var/www/docroot"
NSSProxyCheckPeerCN Off
NSSEngine on
NSSProxyEngine on
NSSEnforceValidCerts off
NSSRenegotiation on
NSSRequireSafeNegotiation on

NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProxyCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha

NSSProtocol TLSv1
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSFIPS on
NSSOCSP off

ProxyPreserveHost On


<Location />
NSSRenegBufferSize 26214400
      NSSVerifyClient optional
      NSSOptions +ExportCertData +StdEnvVars
      ProxyPass https://testweb01.novetta.com/maintenance.html
      ProxyPassReverse https://testweb01.novetta.com/maintenance.html
</Location>

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    NSSOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    NSSOptions +StdEnvVars
</Directory>


# initialize the SSL headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_CERT ""
RequestHeader set SSL_CIPHER ""
RequestHeader set SSL_SESSION_ID ""
RequestHeader set SSL_CIPHER_USEKEYSIZE ""

RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_CERT}x %{SSL_CLIENT_S_DN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
LogLevel info

Finally, here is the maintenance page in docroot

<html>
<head>
<title>DoD Data Services Environment Maintenance</title>
</head>
<body><font face="Arial">
    <center>
        <p>
                <img src=dseLogo.png><br>
                <br>
            The Data Services Environment is temporarily unavailable while
site maintenance is being performed.
            <br>
            <br>
            <br>
        </p>
    </center>
</font></body>
</html>

What I'm getting in the error log when I try to bring this up in a browser
is the following.

[Sat Mar 26 05:11:22 2016] [info] Connection to child 5 established (server
testweb01.novetta.com:443, client x.x.16.58)
[Sat Mar 26 05:11:23 2016] [info] Initial (No.1) HTTPS request received for
child 5 (server testweb01.novetta.com:443)
[Sat Mar 26 05:11:23 2016] [info] Requesting connection re-negotiation
[Sat Mar 26 05:11:26 2016] [info] Connection to child 0 established (server
testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] Connection to child 3 established (server
testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] SSL input filter read failed.
[Sat Mar 26 05:11:26 2016] [error] SSL Library Error: -12195 Peer does not
recognize and trust the CA that issued your certificate
[Sat Mar 26 05:11:26 2016] [info] Connection to child 3 closed (server
testweb01.novetta.com:443, client x.x.238.91)
[Sat Mar 26 05:11:26 2016] [info] SSL library error -8172 writing data
[Sat Mar 26 05:11:26 2016] [info] SSL Library Error: -8172 Certificate is
signed by an untrusted issuer
[Sat Mar 26 05:11:26 2016] [error] (20014)Internal error: proxy: pass
request body failed to 10.3.238.91:443 (testweb01.novetta.com)
[Sat Mar 26 05:11:26 2016] [error] proxy: pass request body failed to
x.x.238.91:443 (testweb01.novetta.com) from x.x.16.58 ()
[Sat Mar 26 05:11:26 2016] [info] Connection to child 5 closed (server...

I have tried this with :443 for the port in the nss.conf ProxyPass and
ProxyPassReverse statements, but it still doesn't work.  Any ideas?


Thanks,

Larry Cohen
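Editor's note, not part of the original message: the log above shows mod_nss acting as a TLS client to testweb01.novetta.com itself. The `<Location />` ProxyPass points at the same host that serves the page, so every request, including the one for /maintenance.html, is proxied over TLS to the server's own port 443; the NSS client side then rejects the server's own certificate (-8172, "signed by an untrusted issuer") because its issuer carries no trust flag in the database named by NSSCertificateDatabase, and the server child logs the resulting unknown-CA alert (-12195). NSSProxyCheckPeerCN Off only disables the hostname check, not issuer validation. A maintenance page needs neither a proxy hop nor a redirect: answer 503 from the front end and let ErrorDocument serve the static file. The fragment below is an added example in Apache 2.2 / mod_rewrite syntax and is not the poster's configuration; the flag-file path /var/www/maintenance.flag and the backend host app01.example.internal are assumptions. It belongs inside the `<VirtualHost _default_:443>` block in place of the `<Location />` ProxyPass and ProxyPassReverse lines (RewriteRule directives in the main server context are not inherited by a virtual host unless RewriteOptions Inherit is set).

```apache
# maintenance.conf: added example, not the original poster's configuration.
# Place inside <VirtualHost _default_:443> in nss.conf.
# Assumptions: flag file /var/www/maintenance.flag, real application host
# app01.example.internal, DocumentRoot /var/www/docroot holding
# maintenance.html and dseLogo.png.

RewriteEngine on

# Refuse TRACE (kept from the original rewrite.conf; "TraceEnable off"
# in the main server config is the simpler equivalent on 2.2).
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Maintenance mode is on exactly while the flag file exists:
#   touch /var/www/maintenance.flag   # enter maintenance
#   rm    /var/www/maintenance.flag   # leave maintenance
# No restart and no config edit is needed to toggle.
RewriteCond /var/www/maintenance.flag -f
# Let the maintenance page and the assets it references through untouched.
RewriteCond %{REQUEST_URI} !^/(maintenance\.html|dseLogo\.png|favicon\.ico)$
# Answer 503: a non-3xx R= code drops the substitution and stops rewriting,
# so clients and monitoring see "unavailable" instead of a cacheable redirect.
RewriteRule .* - [R=503,L]
# ErrorDocument serves the static page from DocumentRoot for the 503.
ErrorDocument 503 /maintenance.html
# Tell clients when to retry; "always" so the header is added to error
# responses too (mod_headers is already loaded for RequestHeader).
Header always set Retry-After "3600"

# Normal operation: proxy everything to the application, never to this host.
# Done with [P] rather than ProxyPass so one module decides the order and
# the 503 rule above wins while the flag exists. Needs NSSProxyEngine on,
# and the backend's issuing CA must be trusted in the NSS database, e.g.
#   certutil -d /etc/httpd/alias -A -n "App CA" -t "C,," -i app-ca.pem
RewriteCond /var/www/maintenance.flag !-f
RewriteRule ^/(.*)$ https://app01.example.internal/$1 [P,L]
ProxyPassReverse / https://app01.example.internal/
```

Check it with `apachectl configtest`, then `touch` the flag and request any path: the response should be `HTTP/1.1 503 Service Unavailable` with the maintenance HTML as body and a `Retry-After` header, and `/maintenance.html` and `/dseLogo.png` should return 200 directly from DocumentRoot with nothing in error_log about the proxy.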