Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2006/04/08 00:55:18 UTC

Security issue reporter acknowledgements?

I just noticed with the mass of vulnerability reports, we threw in
just a blanket thank you to the reporters for 2.0.55, and should go
back and adjust that for posterity, e.g. as we had in this version;

https://svn.apache.org/viewcvs.cgi/httpd/httpd/dist/Announcement2.txt?rev=105304&view=markup

I also note that we drop the attributions in
http://httpd.apache.org/security/vulnerabilities_20.html
and it seems appropriate to restore that information, to help us
acknowledge (just as CHANGES acknowledges authors) those who are
vetting our software.  Any objections to adding back in reporters?

Bill

Re: Bug in rewrite or proxy?

Posted by Ruediger Pluem <rp...@apache.org>.

On 04/08/2006 09:40 AM, Bjørn Stabell wrote:


> 
> In Apache 2.2.1 (the release candidate) mod_proxy_balancer and 
> mod_deflate seem ok, but either mod_proxy or mod_rewrite is breaking 
> badly.  Here's what the trimmed down config file looks like (it still 
> exhibits the same problem):
> 
>     Listen 192.168.100.22:80
>     <VirtualHost 192.168.100.22:80>
>             ServerName www.domain.com
> 
>             RewriteEngine On
>             RewriteRule ^/external/(.*)       http://192.168.100.66:8099/$1 [P]
>             RewriteRule  ^/(.*)            http://127.0.0.1:8080/$1 [P]
>     </VirtualHost>
> 
> What happens is:
> 
> SCENARIO 1:
> 
> 1. Restart Apache
> 
> 2. Access http://www.domain.com/
> -> is proxied to 127.0.0.1:8080 as expected
> 
> 3. Access http://www.domain.com/external/ (and all subsequent requests)
> -> is still proxied to 127.0.0.1:8080, although rewrite_log shows it 
> matches the /external rule
> 

[..cut..]

> 
> Any ideas?  (Btw, I don't have mod_proxy_balancer loaded.)

I can confirm this issue. For ease of reference and documentation could you please open
a bug report in bugzilla? I will take care of it then.

Regards

Rüdiger


Re: Bug in rewrite or proxy?

Posted by Bjørn Stabell <bj...@exoweb.net>.
On Apr 9, 2006, at 03:34, Ruediger Pluem wrote:
> As I investigated this, one thing came to my mind:
>
> If you use the proxy in the way described above the '*' worker will be used which
> will be created automatically. Having the generic '*' available is a good thing, BUT
> this is not optimal from the performance point of view in these situations as the '*'
> worker has changing remote addresses and thus does not benefit from keepalives to the
> backend as much as it could. OTOH ProxyPass which creates explicit workers does not
> know regular expressions and is not well suited for more complex situations. The only
> other way to create a worker for a defined target is to add a BalancerMember to a
> balanced backend.
> So what about adding a directive called ProxyAddWorker that just defines a worker?
> This would enable the following configuration:
>
>      Listen 192.168.100.22:80
>
>      ProxyAddWorker http://192.168.100.66:8099/ max=10
>      ProxyAddWorker http://127.0.0.1:8080/ max=20
>
>      <VirtualHost 192.168.100.22:80>
>              ServerName www.domain.com
>
>              RewriteEngine On
>              RewriteRule ^/external/(.*)       http://192.168.100.66:8099/$1 [P]
>              RewriteRule  ^/(.*)            http://127.0.0.1:8080/$1 [P]
>      </VirtualHost>
>
> Of course ProxyAddWorker should not be mandatory. If the worker is not defined
> the '*' worker should still be used.

You can get the same effect by using BalancerMember, right?

	RewriteRule ^/external/(.*)		balancer://external/$1 [P]
	RewriteRule  ^/(.*)			balancer://main/$1 [P]

	<Proxy balancer://external>
		BalancerMember		http://192.168.100.66:8099/	max=10
	</Proxy>
	<Proxy balancer://main>
		BalancerMember		http://127.0.0.1:8080/	max=20
	</Proxy>

This is probably good enough, and it's also more flexible in that I  
could have multiple workers for one proxy destination (maybe to  
different web apps at different URIs on the same server) with  
different settings.

It might be good to change the names of these, though, e.g.,  
BalancerMember -> ProxyWorker, and perhaps Proxy -> ProxySet, so they  
don't sound so "load-balancer" loaded (pun intended). :)  (Then  
balancer maybe should be proxy or set as well.)

I think a more important new feature would be to make 'max' be the  
absolute max number of requests Apache will make to backends, not  
just the max per process.  It's quite confusing the way it is :(
(But I understand you mentioned this is a difficult change.)

Btw, Ruediger, if you ever happen to come by Beijing (where I'm now),  
beers are on me for as long as you like :)

Rgds,
Bjorn

Re: Bug in rewrite or proxy?

Posted by Ruediger Pluem <rp...@apache.org>.

On 04/08/2006 09:40 AM, Bjørn Stabell wrote:

> 
> In Apache 2.2.1 (the release candidate) mod_proxy_balancer and 
> mod_deflate seem ok, but either mod_proxy or mod_rewrite is breaking 
> badly.  Here's what the trimmed down config file looks like (it still 
> exhibits the same problem):
> 
>     Listen 192.168.100.22:80
>     <VirtualHost 192.168.100.22:80>
>             ServerName www.domain.com
> 
>             RewriteEngine On
>             RewriteRule ^/external/(.*)       http://192.168.100.66:8099/$1 [P]
>             RewriteRule  ^/(.*)            http://127.0.0.1:8080/$1 [P]
>     </VirtualHost>
> 
> What happens is:
> 
> SCENARIO 1:
> 
> 1. Restart Apache
> 
> 2. Access http://www.domain.com/
> -> is proxied to 127.0.0.1:8080 as expected
> 
> 3. Access http://www.domain.com/external/ (and all subsequent requests)
> -> is still proxied to 127.0.0.1:8080, although rewrite_log shows it 
> matches the /external rule

As I investigated this, one thing came to my mind:

If you use the proxy in the way described above the '*' worker will be used which
will be created automatically. Having the generic '*' available is a good thing, BUT
this is not optimal from the performance point of view in these situations as the '*'
worker has changing remote addresses and thus does not benefit from keepalives to the
backend as much as it could. OTOH ProxyPass which creates explicit workers does not
know regular expressions and is not well suited for more complex situations. The only
other way to create a worker for a defined target is to add a BalancerMember to a
balanced backend.
So what about adding a directive called ProxyAddWorker that just defines a worker?
This would enable the following configuration:

     Listen 192.168.100.22:80

     ProxyAddWorker http://192.168.100.66:8099/ max=10
     ProxyAddWorker http://127.0.0.1:8080/ max=20

     <VirtualHost 192.168.100.22:80>
             ServerName www.domain.com

             RewriteEngine On
             RewriteRule ^/external/(.*)       http://192.168.100.66:8099/$1 [P]
             RewriteRule  ^/(.*)            http://127.0.0.1:8080/$1 [P]
     </VirtualHost>

Of course ProxyAddWorker should not be mandatory. If the worker is not defined
the '*' worker should still be used.

Regards

Rüdiger


Bug in rewrite or proxy?

Posted by Bjørn Stabell <bj...@exoweb.net>.
Hi guys,

I'd like a setup with ssl + proxy + deflate (and hopefully  
mod_proxy_balancer), but I'm running into problems:

In Apache 2.0.54 (Debian Stable) there's no way to do deflate + proxy
http://issues.apache.org/bugzilla/show_bug.cgi?id=31226

In Apache 2.2.1 (the release candidate) mod_proxy_balancer and  
mod_deflate seem ok, but either mod_proxy or mod_rewrite is breaking  
badly.  Here's what the trimmed down config file looks like (it still  
exhibits the same problem):

	Listen 192.168.100.22:80
	<VirtualHost 192.168.100.22:80>
	        ServerName www.domain.com

	        RewriteEngine On
	        RewriteRule ^/external/(.*)		http://192.168.100.66:8099/$1 [P]
	        RewriteRule  ^/(.*)			http://127.0.0.1:8080/$1 [P]
	</VirtualHost>

What happens is:

SCENARIO 1:

1. Restart Apache

2. Access http://www.domain.com/
-> is proxied to 127.0.0.1:8080 as expected

3. Access http://www.domain.com/external/ (and all subsequent requests)
-> is still proxied to 127.0.0.1:8080, although rewrite_log shows it  
matches the /external rule


SCENARIO 2:

1. Restart Apache

2. Access http://www.domain.com/external/
-> is proxied to 192.168.100.66:8099 as expected

3. Access http://www.domain.com/external/ (and all subsequent requests)
-> is still proxied to 192.168.100.66:8099, although rewrite_log  
shows it matches the / rule

Any ideas?  (Btw, I don't have mod_proxy_balancer loaded.)

Rgds,
Bjorn
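
Added example (not part of the original post and not httpd code): a routing check that evaluates the two RewriteRule lines above in order and flags requests that reached a backend other than the one the rules select. The function names and the observation list are assumptions; the observations are constructed to mirror SCENARIO 1, and in practice would come from the backends' own access logs.

```python
import re

# The two RewriteRule lines from the post, in order. [P] implies [L], so the
# first matching rule decides the backend.
RULES = [
    (re.compile(r"^/external/(.*)"), "http://192.168.100.66:8099/$1"),
    (re.compile(r"^/(.*)"), "http://127.0.0.1:8080/$1"),
]


def expected_target(path):
    """Return the proxied URL the rules should produce for a request path."""
    for pattern, template in RULES:
        match = pattern.search(path)
        if match:
            return template.replace("$1", match.group(1))
    return None


def backend(url):
    """Reduce a proxied URL to its host:port."""
    return re.match(r"https?://([^/]+)", url).group(1)


def misrouted(observations):
    """Return (path, expected backend, observed backend) for each mismatch."""
    findings = []
    for path, seen in observations:
        want = backend(expected_target(path))
        if want != seen:
            findings.append((path, want, seen))
    return findings


# Constructed observations mirroring SCENARIO 1: (request path, backend hit)
SCENARIO_1 = [
    ("/", "127.0.0.1:8080"),
    ("/external/", "127.0.0.1:8080"),
]

if __name__ == "__main__":
    for path, want, seen in misrouted(SCENARIO_1):
        print(f"MISROUTED {path}: expected {want}, observed {seen}")
```

Note that a request for /external without the trailing slash does not match the first rule and is expected at 127.0.0.1:8080, so the check treats that routing as correct.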