SSL Passthrough without acl 403 Forbidden


#1

Hi,
I have a bunch of domains pointing to my LB and balancing over 2 Apache servers that handle vhosts for those domains, so I am getting 403 Forbidden from the webservers. Am I missing something?

frontend www_domain
  bind 10.11.6.41:80
  option forwardfor
  mode tcp
  default_backend www_domain_back
  description www.domain.de
  log global
  maxconn 8000
  option tcplog
  timeout client 30s
backend www_domain_back
  mode tcp
  balance roundrobin
  email-alert mailers domain_mailers
  email-alert from it@domain.de
  email-alert to xx@domain.de
  option prefer-last-server
  option redispatch
  retries 2
  timeout connect 5s
  timeout server 31s
  server web1b 10.11.4.215:80 check inter 5s fall 4 rise 3
  server web1c 10.11.4.70:80 check inter 5s fall 4 rise 3

This is the log from Apache:

- - [11/Jul/2018:14:50:25 +0200] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/66.0.3359.181 Chrome/66.0.3359.181 Safari/537.36"

This is the log from HAProxy:

haproxy[120245]: 10.11.109.4:47784 [11/Jul/2018:15:45:14.476] www_domain www_domain_back/web1c 1/0/24743 818 -- 2/1/0/0/0 0/0


#2

As you can see from the Apache log, the 403 is generated on the webserver. HAProxy just passes the server-generated error to the browser.

Why the 403 is generated is a question that can be solved only by looking at the Apache configuration (possibly even the application).
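
Added example, not part of the thread: a Python parser for the option tcplog line quoted in post #1, which shows what the proxy itself recorded for that session (server reached, bytes relayed, termination state). The function names and the second, contrasting log line are constructed for illustration.

```python
import re

# Field order of HAProxy's "option tcplog" format (the frontend on this page uses it):
# client:port [accept_date] frontend backend/server Tw/Tc/Tt bytes_read
# termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCPLOG = re.compile(
    r"(?P<client>\S+):(?P<cport>\d+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?\d+) (?P<bytes>\+?\d+) (?P<term>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/"
    r"(?P<retries>\+?\d+) (?P<srv_queue>\d+)/(?P<backend_queue>\d+)"
)

# First character of the termination state: which side ended the session.
ENDED_BY = {
    "-": "normal completion", "C": "client abort", "S": "server abort or refusal",
    "P": "aborted by the proxy", "R": "proxy resource exhausted",
    "I": "proxy internal error", "c": "client-side timeout", "s": "server-side timeout",
}

def parse_tcplog(line):
    """Return the tcplog fields as a dict, or None if the line does not match."""
    m = TCPLOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("tw", "tc", "tt", "bytes", "retries"):
        rec[key] = int(rec[key])  # int() accepts the optional "+" prefix
    return rec

def relayed_to_server(rec):
    """True when a server accepted the connection and the session ended normally."""
    return rec["server"] != "<NOSRV>" and rec["tc"] >= 0 and rec["term"] == "--"

def summarize(rec):
    cause = ENDED_BY.get(rec["term"][0], "other")
    return f'{rec["server"]}: {rec["bytes"]} bytes to client, {cause}'

# Log line from post #1 on this page.
FROM_PAGE = ("haproxy[120245]: 10.11.109.4:47784 [11/Jul/2018:15:45:14.476] www_domain "
             "www_domain_back/web1c 1/0/24743 818 -- 2/1/0/0/0 0/0")
# Constructed contrast line (not from the page): connection to the server refused.
CONSTRUCTED = ("haproxy[120245]: 10.11.109.4:47790 [11/Jul/2018:15:46:02.101] www_domain "
               "www_domain_back/web1b 1/-1/3005 0 SC 2/1/0/0/2 0/0")

if __name__ == "__main__":
    for line in (FROM_PAGE, CONSTRUCTED):
        rec = parse_tcplog(line)
        print(relayed_to_server(rec), summarize(rec))
```

A tcplog line has no HTTP status field because in mode tcp the proxy does not parse the stream, so the status code is only visible in the web server's own log.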