5

We are currently bringing reverse proxy solution between internet and application server. I have completed the simple reverse proxy setup and I am successfully able to reach application server from reverse proxy. But when I try to perform a health check from F5 to reverse proxy, it fails and there are no errors in the error_log except the following in access_log

XX.XXX.XX.X - - [07/Feb/2020:15:33:27 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:28 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:32 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:33 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:37 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:38 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:42 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:43 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:47 -0700] "\x16\x03\x01" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:48 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:52 -0700] "\x16\x03\x01\x02" 400 226 "-" "-"
XX.XXX.XX.X - - [07/Feb/2020:15:33:53 -0700] "\x16\x03\x01" 400 226 "-" "-"

vasppla
  • 53
  • 1
  • 1
  • 4

2 Answers2

23

Instead of HTTP methods (which is the first thing a HTTP client will send), you are getting strings starting with \x16, which is the start of a TLS handshake.

This means that your client is trying to use HTTPS to speak to a HTTP server. Just starting a server on port 443 doesn't make it HTTPS. The quick way to confirm this is probably to change a url such as https://foo to http://foo:443

Evert
  • 93,428
  • 18
  • 118
  • 189
  • Hi Evert, thanks for your quick response. So you are suggesting to change the URL at F5 host to `http://foo:443`? Also, for successful F5 HTTPS request to Apache, should I enable SSL/TLS? – vasppla Feb 10 '20 at 05:49
  • The question is, do you care about the traffic between your F5 instance and apache to be encrypted. If it's all local traffic, maybe it's not important and you should just switch to `http`. – Evert Feb 10 '20 at 05:51
  • That makes perfect sense! I will check with my IT guy to see if it has to be encrypted but if it is not, then can I still use port 443 or recommended to change 80? – vasppla Feb 10 '20 at 05:52
  • Switching to port 80 is the least surprising thing to do. If you're running on port 443 I expect a HTTPS server, not a HTTP server. – Evert Feb 10 '20 at 05:53
  • Ok thanks! If it needs to be encrypted that leads me to enable SSL handshake between F5 and apache. – vasppla Feb 10 '20 at 05:56
  • I had also few other questions on the configurations above, would you mind to help me with that as well as I am new to setting up apache httpd server. `The above proxy pass is only to redirect the test.html page but the above configuration may not work with original full context (for eg. http://application_ip/soa/test/test.html). In this case, how do I redirect with single configuration, Does Rewrite be helpful 4.What does the above message from access_log mean 5.Is there anything else am I missing here to have successful F5 health check` – vasppla Feb 10 '20 at 05:57
  • It would be good if you can point me to a best link which will help me setup Apache with SSL enabled. – vasppla Feb 10 '20 at 05:59
  • @vsellapp, I don't give free consulting, I just enjoy answering questions here. If you have more questions, open more stackoverflow questions. – Evert Feb 10 '20 at 06:10
2

I had the same problem "\ x16 \ x03 \ x01" 400 226 "-" "-". My mistake was in my DNAT firewall. I caught communication on both 80 and 443 and DNAT only to IP: 80. This rule redirects all traffic from http and https to TCP / 80. That's why the request "\ x16 .." was recorded in the log. Maybe my experience will help someone :-)

user17420020
  • 21
  • 1