Posted to users@httpd.apache.org by Blomme Dieter <Di...@digipolis.be> on 2014/12/03 10:42:58 UTC

Re: [users@httpd] Problem with mod_proxy and chunked content

Hi,

Thanks everybody for the input. We traced the problem further, and apparently, the problem lies in the F5 load balancer, which does not handle responses with chunked encoding correctly when chunking is set to selective there. When we set response chunking to unchunk, everything seems fixed.

We have to investigate the change in policy further, but it seems Apache did nothing wrong. The command from Frederik helped us trace this further, so thanks a lot for this!

Have a great week.

Dieter


On 18 Nov 2014, at 13:17, Jeff Trawick <tr...@gmail.com> wrote:

On Mon, Nov 17, 2014 at 4:50 AM, Blomme Dieter <Di...@digipolis.be> wrote:
We have fixed this problem temporarily. What I've noticed is that the header isn't there and inserting it (e.g. with Burp or Fiddler) fixes the problem. I've then tried to insert the header in the vhost that acts as a proxy, but the header didn't appear. I think that mod_proxy strips that header as the last part of the request.

I don't know if this was mentioned before:

In the original message you showed, the content was chunked but the response had a content-length header.  If a proxy received a response from upstream with both a transfer-encoding and content-length, it *must* strip one.  (Having different components choose a different message boundary mechanism to respect enables certain attacks.)

I guess this means that it was bad coming out of the backend httpd+PHP?



We've now fixed the problem by making sure our load balancer enforces http 1.0 for the requests that were problematic. Later on we'll take another look at this problem when we have more time.

Thanks Stefan for the hint! ;)

kind regards,

On 13 Nov 2014, at 19:08, Blomme Dieter <Di...@digipolis.be> wrote:

> Yes, but I thought that if that header is missing, it should still check if the data is chunked, is that incorrect?
>
>> On 13 Nov 2014, at 18:52, Stefan Magnus Landrø <st...@gmail.com> wrote:
>>
>> The transfer encoding header is missing, right?
>>
>> Sent from my iPhone
>>
>>> On 13 Nov 2014, at 18:13, Blomme Dieter <Di...@digipolis.be> wrote:
>>>
>>> Hi,
>>>
>>> We have a problem with mod_proxy and chunked content.
>>> We use mod_proxy to selectively request pages from a second site; the ProxyPass and ProxyPassReverse statements are in the vhost file. Nearly all requests are OK, except for one type of request which can't be handled properly. We use SAML SSO and upon logging out, the response from a simplesaml service provider is not correct. It is chunked, but is not parseable. The problem is the chunk part within the SAML Response. This is also visible in the response (see below). I have googled this and searched Apache's bugzilla, but there is no solution I've tried that works.
>>> Not forcing http1.0, sendcl, ...
>>>
>>> Can anybody please help with this issue?
>>>
>>> Thanks very much in advance!
>>>
>>>
>>> HTTP/1.1 200 OK
>>> Date: Thu, 13 Nov 2014 16:23:02 GMT
>>> Server: Apache/2.2.15 (Red Hat)
>>> X-Powered-By: PHP/5.3.3
>>> X-Robots-Tag: noindex,noarchive
>>> Content-Type: text/html; charset=UTF-8
>>> X-Robots-Tag: noindex,noarchive
>>> Keep-Alive: timeout=5, max=100
>>> Connection: Keep-Alive
>>> Vary: Accept-Encoding
>>> Content-Length: 7460
>>>
>>> 132
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>>>      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>>> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
>>> <head>
>>>  <meta http-equiv="content-type" content="text/html; charset=utf-8" /><script type="text/javascript">
>>> 36d
>>> window.NREUM||(NREUM={}),__nr_require=function(t,e,n){function r(n){if(!e[n]){var o=e[n]={exports:{}};t[n][0].call(o.exports,function(e){var o=t[n][1][e];return r(o?o:e)},o,o.exports)}return e[n].exports}if("function"==typeof __nr_require)return __nr_require;for(var o=0;o<n.length;o++)r(n[o]);return r}({QJf3ax:[function(t,e){function n(t){function e(e,n,a){t&&t(e,n,a),a||(a={});for(var c=u(e),f=c.length,s=i(a,o,r),p=0;f>p;p++)c[p].apply(s,n);return s}function a(t,e){f[t]=u(t).concat(e)}function u(t){return f[t]||[]}function c(){return n(e)}var f={};return{on:a,emit:e,create:c,listeners:u,_events:f}}function r(){return{}}var o="nr@context",i=t("gos");e.exports=n()},{gos:"7eSDFh"}],ee:[function(t,e){e.exports=t("QJf3ax")},{}],gos:[function(t,e){e.exports=t("7eSDFh")},{}],"7eSDFh":[function(t,e){function n(t,e,n){if(r.call(t,e))return t[e];var o=n();if(Object.definePr
>>> 5a8
>>> operty&&Object.keys)try{return Object.defineProperty(t,e,{value:o,writable:!0,enumerable:!1}),o}catch(i){}return t[e]=o,o}var r=Object.prototype.hasOwnProperty;e.exports=n},{}],D5DuLP:[function(t,e){function n(t,e,n){return r.listeners(t).length?r.emit(t,e,n):(o[t]||(o[t]=[]),void o[t].push(e))}var r=t("ee").create(),o={};e.exports=n,n.ee=r,r.q=o},{ee:"QJf3ax"}],handle:[function(t,e){e.exports=t("D5DuLP")},{}],XL7HBI:[function(t,e){function n(t){var e=typeof t;return!t||"object"!==e&&"function"!==e?-1:t===window?0:i(t,o,function(){return r++})}var r=1,o="nr@id",i=t("gos");e.exports=n},{gos:"7eSDFh"}],id:[function(t,e){e.exports=t("XL7HBI")},{}],loader:[function(t,e){e.exports=t("G9z0Bl")},{}],G9z0Bl:[function(t,e){function n(){var t=l.info=NREUM.info;if(t&&t.agent&&t.licenseKey&&t.applicationID&&c&&c.body){l.proto="https"===p.split(":")[0]||t.sslForHttp?"https://":"http://",a("mark",["onload",i()]);var e=c.createElement("script");e.src=l.proto+t.agent,c.body.appendChild(e)}}function r(){"complete"===c.readyState&&o()}function o(){a("mark",["domContent",i()])}function i(){return(new Date).getTime()}var a=t("handle"),u=window,c=u.document,f="addEventListener",s="attachEvent",p=(""+location).split("?")[0],l=e.exports={offset:i(),origin:p,features:{}};c[f]?(c[f]("DOMContentLoaded",o,!1),u[f]("load",n,!1)):(c[s]("onreadystatechange",r),u[s]("onload",n)),a("mark",["firstbyte",i()])},{handle:"D5DuLP"}]},{},["G9z0Bl"]);</script>
>>>  <t
>>> 27c
>>> itle>POST data</title>
>>> </head>
>>> <body onload="document.getElementsByTagName('input')[0].click();">
>>>
>>>  <noscript>
>>>      <p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>
>>>  </noscript>
>>>
>>>  <form method="post" action="https://qa.aether.gent.be/saml/idp/profile/post/slr">
>>>  <!-- Need to add this element and call click method, because calling submit()
>>>  on the form causes failed submission if the form has another element with name or id of submit.
>>>  See: https://developer.mozilla.org/en/DOM/form.submit#Specification -->
>>>  <input type="submit" style="display:none;" />
>>>
>>> 8d4
>>> <input type="hidden" name="SAMLResponse" value="
>>> <<<First part of samlresponse>>>>
>>> 75e
>>> <<<Second part of samlresponse>>>>
>>> " />
>>>      <noscript>
>>>          <input type="submit" value="Submit" />
>>>      </noscript>
>>>  </form>
>>>
>>> <<<<removed content>>>>>
>>> 0
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<ma...@httpd.apache.org>
>>> For additional commands, e-mail: users-help@httpd.apache.org<ma...@httpd.apache.org>
>>>




--
Born in Roswell... married an alien...
http://emptyhammock.com/



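The framing problem traced in this thread (a chunk-framed body delivered with Content-Length and no Transfer-Encoding, or both headers at once), as an added example that is not part of the original messages: a small Python check over a raw response. The function names and the sample responses are constructed for illustration, and the chunk-framing test is a heuristic.

```python
import re

CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")

def dechunk(body: bytes):
    """Decode a chunked body; return the payload, or None if it is not valid chunk framing."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return None
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE.match(size_field):
            return None
        size = int(size_field, 16)
        start = eol + 2
        if size == 0:
            return out  # last-chunk reached; trailers are ignored here
        if body[start + size:start + size + 2] != b"\r\n":
            return None  # chunk data is not followed by CRLF
        out += body[start:start + size]
        pos = start + size + 2

def framing_findings(raw: bytes):
    """List the message-boundary inconsistencies in one raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    lengths = set(headers.get(b"content-length", []))
    declared = [int(v) for v in lengths if v.isdigit()]
    chunked = any(b"chunked" in v for v in headers.get(b"transfer-encoding", []))
    findings = []
    if chunked and lengths:
        findings.append("both Transfer-Encoding and Content-Length present")
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    if not chunked and dechunk(body) is not None:
        findings.append("body is chunk-framed but Transfer-Encoding is missing")
    if not chunked and len(declared) == 1 and declared[0] != len(body):
        findings.append("Content-Length does not match bytes received")
    return findings

# Constructed sample responses (not captured traffic).
BROKEN = b"HTTP/1.1 200 OK\r\nContent-Length: 7460\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
BOTH = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
```

Running `framing_findings` on a response captured on each side of an intermediary shows which hop changed the framing headers without changing the body to match.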