Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/10/05 12:01:44 UTC
[Bug 58479] New: In mod ssl httpd still decodes %2f%2f even if
allowencodedslashes is On or NoDecode.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58479
Bug ID: 58479
Summary: In mod ssl httpd still decodes %2f%2f even if
allowencodedslashes is On or NoDecode.
Product: Apache httpd-2
Version: 2.4.12
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: soulsina80@gmail.com
The following reverse proxy configuration is in place on my front-end server:
AllowEncodedSlashes NoDecode
<Location /path-to-server-01/>
    ProxyPass http://server-01-ip:8888/ nocanon retry=0 timeout=180
    ProxyPassReverse http://server-01-ip:8888/
    Order Deny,Allow
    Deny from All
    Allow from All
</Location>
http://front-end-server-ip/path-to-server-01/linka/156752%2F%2F156752%2F%2FENG
works without any problem.
https://front-end-server-ip/path-to-server-01/linka/156752%2F%2F156752%2F%2FENG
does not work at all because of the %2F%2F sequences that are in the URI.
https://front-end-server-ip/path-to-server-01/linka/156752 also works, which
proves that the https mode works with my configuration.
I found the following in my ssl_error_log (when I set the LogLevel to trace8):
[Fri Oct 02 18:03:57.826073 2015] [core:info] [pid 6179] [client
address-ip:56842] AH00026: found %2f (encoded '/') in URI
(decoded='/linka/156752//156752//ENG'), returning 404
Last thing: I am in the lab, so my reverse proxy has no domain name (FQDN)
and the https certificate is self-signed. I think these are not a problem.
I am on CentOS 6.7. The httpd servers that I tested for this are httpd 2.2.15
(AllowEncodedSlashes On) and httpd24-httpd-2.4.12 (AllowEncodedSlashes
NoDecode).
I am asking myself: why does ssl force the core to decode %2f%2f in the URI?
Is there any security reason?
Thanks very much for your quick answer. I am so confused now by this problem.
Everything depends on it.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58479] In mod ssl httpd still decodes %2f%2f even if
allowencodedslashes is On or NoDecode.
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58479
soulsina80@gmail.com <so...@gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #1 from soulsina80@gmail.com <so...@gmail.com> ---
To fix this problem we have to put the following
"AllowEncodedSlashes NoDecode" or
"AllowEncodedSlashes On" in the ssl.conf file to avoid ssl decoding the
slashes before sending the request to the internal server.
Sorry about that. The problem was me, not Apache.
Thanks.
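An added example, not part of the original thread or of Apache httpd: a small Python check for the misconfiguration this thread ends on, where AllowEncodedSlashes is set in the main server config but missing from the virtual host that serves HTTPS. The sample config, the `*:80` and `_default_:443` vhosts and the function name are constructed for illustration; it assumes, as the fix in comment #1 implies, that the directive must appear inside each virtual host that proxies with nocanon.

```python
import re

# Constructed sample: the main config sets the directive, the SSL vhost does not.
SAMPLE_CONF = """\
AllowEncodedSlashes NoDecode
<VirtualHost *:80>
    AllowEncodedSlashes NoDecode
    ProxyPass /path-to-server-01/ http://server-01-ip:8888/ nocanon retry=0
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    ProxyPass /path-to-server-01/ http://server-01-ip:8888/ nocanon retry=0
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)
AES = re.compile(r"^AllowEncodedSlashes\s+(On|NoDecode)\b", re.I)
NOCANON = re.compile(r"^ProxyPass(Match)?\s.*\bnocanon\b", re.I)


def vhosts_missing_encoded_slashes(conf_text):
    """Return addresses of vhosts that proxy with nocanon but do not set
    AllowEncodedSlashes On/NoDecode inside the vhost itself."""
    findings = []
    current = None  # per-vhost state while inside a <VirtualHost> block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "aes": False, "nocanon": False}
        elif VHOST_CLOSE.match(line) and current:
            if current["nocanon"] and not current["aes"]:
                findings.append(current["addr"])
            current = None
        elif current:
            current["aes"] = current["aes"] or bool(AES.match(line))
            current["nocanon"] = current["nocanon"] or bool(NOCANON.match(line))
    return findings


if __name__ == "__main__":
    for addr in vhosts_missing_encoded_slashes(SAMPLE_CONF):
        print(f"<VirtualHost {addr}>: nocanon proxy without AllowEncodedSlashes")
```

The check reads a single config text only; files pulled in with Include and backslash line continuations are not followed.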