You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Lars Eilebrecht <La...@unix-ag.org> on 1997/11/09 18:38:45 UTC
[BUG] strange fullURI problems!
Hi,
some days ago someone posted about having problems with wrong REMOTE_HOST
values... I just tested it and it appears that it is related to the
fullURI handling.
Example setup:
main server is 'server' and we have one IP-based virtual host ('proxy')
used as a proxy. ProxyRequests is turned off for the main_server
and enabled for the virtual host.
Let's look at the following requests sent from the 'client' to the
'TARGET' host/interface:
TARGET GET REMOTE_HOST REQUEST_URI
------------------------------------------------------------------------------
proxy http://proxy/cgi-bin/printenv client http://proxy/cgi-bin/printenv
proxy http://server/cgi-bin/printenv server /cgi-bin/printenv
server http://proxy/cgi-bin/printenv client http://proxy/cgi-bin/printenv
server http://server/cgi-bin/printenv server /cgi-bin/printenv
The first entry/result is correct, but all others are not...
The second entry has a wrong REMOTE_HOST. I expected to see 'proxy' instead
of 'server' as REMOTE_HOST.
The third request is processed although 'ProxyRequests Off' was set for
main_server. IMHO the request should be denied, because we haven't connected
to the 'proxy' address.
And the last entry is wrong too, because REMOTE_HOST should contain 'client'
instead of 'server'.
When I look at the access.log I see that only the second requests is
processed as a real proxy request, that is I see an access from 'client'
with the full URI and a second request from 'server' with the URI-path
(as noted above it shouldn't be 'server' but 'proxy').
For all other requests I see only one access in the logfile with 'client'
as the remote host. Note that I see 'client' in the access.log for the last
request, but REMOTE_HOST is set to 'server'.
I especially see a security problem with the third example-request, because it
was handled internally although ProxyRequests was turned off for the
main_server.
Can anyone confirm this?
BTW, I tested with 1.3b3-dev.
ciao...
--
Lars Eilebrecht - "Too clever is dumb." (Ogden Nash)
sfx@unix-ag.org
http://www.si.unix-ag.org/~sfx/
Re: [BUG] strange fullURI problems!
Posted by Dean Gaudet <dg...@arctic.org>.
[Another old one from Lars]
On Sun, 9 Nov 1997, Lars Eilebrecht wrote:
> Hi,
>
> some days ago someone posted about having problems with wrong REMOTE_HOST
> values... I just tested it and it appears that it is related to the
> fullURI handling.
>
> Example setup:
>
> main server is 'server' and we have one IP-based virtual host ('proxy')
> used as a proxy. ProxyRequests is turned off for the main_server
> and enabled for the virtual host.
>
> Let's look at the following requests sent from the 'client' to the
> 'TARGET' host/interface:
>
>
> TARGET GET REMOTE_HOST REQUEST_URI
> ------------------------------------------------------------------------------
> proxy http://proxy/cgi-bin/printenv client http://proxy/cgi-bin/printenv
> proxy http://server/cgi-bin/printenv server /cgi-bin/printenv
> server http://proxy/cgi-bin/printenv client http://proxy/cgi-bin/printenv
> server http://server/cgi-bin/printenv server /cgi-bin/printenv
>
>
> The first entry/result is correct, but all others are not...
> The second entry has a wrong REMOTE_HOST. I expected to see 'proxy' instead
> of 'server' as REMOTE_HOST.
> The third request is processed although 'ProxyRequests Off' was set for
> main_server. IMHO the request should be denied, because we haven't connected
> to the 'proxy' address.
> And the last entry is wrong too, because REMOTE_HOST should contain 'client'
> instead of 'server'.
>
> When I look at the access.log I see that only the second requests is
> processed as a real proxy request, that is I see an access from 'client'
> with the full URI and a second request from 'server' with the URI-path
> (as noted above it shouldn't be 'server' but 'proxy').
>
> For all other requests I see only one access in the logfile with 'client'
> as the remote host. Note that I see 'client' in the access.log for the last
> request, but REMOTE_HOST is set to 'server'.
>
> I especially see a security problem with the third example-request, because it
> was handled internally although ProxyRequests was turned off for the
> main_server.
>
> Can anyone confirm this?
Yup I can confirm that there was brokenness. But I disagree with your
expected results.
The first request we both agree on.
The second request says "server" for REMOTE_HOST because the proxy
"queries itself" -- on a different address, and I'm guessing your box is a
linux box. Linux boxes when connecting to local sockets use the same ip
address. Note that I think our proxy is missing a directive ProxyBindAddr
to force it to bind the local address of outgoing requests.
A proxy can't query an address that matches the proxy itself... but it can
certainly query the same httpd on a different ip:port, or even the same
ip:port but for a different name vhost. Incidentally, the REQUEST_URI
currently says "http://server/cgi-bin/printenv". (There is an obvious
optimization here that I'm not interested in exploring... others should
feel free to explore it though. It's probably just a matter of beefing up
internal_redirect().)
The third still produces what you list above, and it is correct because
server is not a proxy server... so it's free to do whatever if wants with
the absoluteURI you supply it. And since it's not a namevhost it just
ignores the host:port and serves everything.
The fourth produces the correct REMOTE_HOST now.
Note that I had to correct some code to get these results, so you should
update before testing that I fixed it.
Dean
RE: [BUG] strange fullURI problems!
Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Lars Eilebrecht:
Hmmm... I'm still wondering if anyone can confirm the
fullURI problems I described in my mail??
ciao...
--
Lars Eilebrecht - Avoid hangovers, stay drunk!
sfx@unix-ag.org
http://www.si.unix-ag.org/~sfx/