
Schannel Again in 2024

Getting loads of Schannel errors on my log server every day, I decided to hunt them down.

It turns out that under Internet Options a GPO was misconfigured to allow SSLv3 traffic.

Disabling SSLv3 as shown below, either with a GPO or on each machine individually, stops this log spam.
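As an added example (not from the original post), here is a PowerShell script that audits the SecureProtocols bitmask behind the Internet Options "Use SSL 3.0" checkbox and, with -Fix, clears the SSL 3.0 bit. The registry paths and bit values are assumed to be the standard Internet Settings ones; where a GPO writes the Policies key, that copy wins, so the fix then has to be made in the GPO itself rather than on the machine.

```powershell
# Added example, not from the original post: audit and optionally clear the
# SSL 3.0 bit of the Internet Options "SecureProtocols" DWORD bitmask.
# Assumed paths: the Policies key is what a GPO writes and overrides the others.
[CmdletBinding()]
param([switch]$Fix)

# Assumed bit values of the SecureProtocols bitmask
$Bits = [ordered]@{ 'SSL 2.0' = 0x08;  'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
                    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000 }
$Paths = @(
  'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'  # GPO
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'           # machine
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'           # current user
)

# Names of the protocols whose bit is set in $Mask
function Get-EnabledProtocols([int]$Mask) {
  $Bits.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object Name
}

foreach ($p in $Paths) {
  $item = Get-ItemProperty -Path $p -Name SecureProtocols -ErrorAction SilentlyContinue
  if (-not $item) { Write-Output "$p : SecureProtocols not set (defaults apply)"; continue }
  $mask    = [int]$item.SecureProtocols
  $enabled = (Get-EnabledProtocols $mask) -join ', '
  $sslv3   = ($mask -band $Bits['SSL 3.0']) -ne 0
  $flag    = if ($sslv3) { '  [SSLv3 ENABLED]' } else { '' }
  Write-Output ('{0} : 0x{1:X} -> {2}{3}' -f $p, $mask, $enabled, $flag)
  if ($sslv3 -and $Fix) {
    # Clear only the SSL 3.0 bit; leave the other protocol choices untouched
    $new = $mask -band (-bnot $Bits['SSL 3.0'])
    Set-ItemProperty -Path $p -Name SecureProtocols -Value $new -Type DWord
    Write-Output ('  cleared SSL 3.0 bit, new value 0x{0:X}' -f $new)
  }
}
```

Run it once without -Fix to see which key is supplying the value; if it is the Policies key, change the GPO and let it reapply instead of editing the registry by hand.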

Apache Reverse Proxy Detail

Edit the proxy module config – vi /etc/httpd/conf.modules.d/00-proxy.conf

# Load necessary modules (mod_rewrite and mod_ssl for the vhost below, mod_proxy for the reverse proxy, wstunnel for WebSocket upgrades)

LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

# Load lbmethod modules (balancer scheduling methods; unused unless a balancer is defined)

LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so

# Load additional proxy modules

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so

Edit your site's .conf file – vi /etc/httpd/sites-enabled/service.domainname.com.conf

<VirtualHost *:443>
    ServerName service.domainname.com

    # TLS: replace the three paths with your own certificate, private key and CA chain
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/yourcert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/yourprivatekey_privatekey.key
    SSLCertificateChainFile /etc/pki/tls/certs/bundle.crt

    # WebSocket upgrades: hand "Upgrade: websocket" requests to the backend over ws:// (mod_proxy_wstunnel)
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule /(.*) "ws://backendserverIP:portnumber/$1" [P,L]

    # Everything else: plain HTTP reverse proxy to the backend, keeping the client's Host header
    ProxyPreserveHost On
    ProxyPass / http://backendserverIP:portnumber/
    ProxyPassReverse / http://backendserverIP:portnumber/

    # Per-site logs; the directory must exist before httpd starts
    ErrorLog /var/log/httpd/service.domainname.com/error.log
    CustomLog /var/log/httpd/service.domainname.com/access.log combined
</VirtualHost>

Restart HTTPD and test out your new site!