Posted to users@httpd.apache.org by Manuel Martin <ma...@ferber-software.de> on 2005/10/20 18:06:26 UTC
[users@httpd] Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Hello people,
since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I set up for MS
Exchange 2003 Outlook Web Access causes problems. The users stumbled over the
problem that they cannot attach files to their emails. I tried it myself: the
attachment seems to be uploaded to the server, but is not "registered" by
Exchange.
If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache a while back to make
that compilation possible) it works fine again.
I really suspect this change to be the culprit:
"SECURITY: CAN-2005-2088 (cve.mitre.org)
proxy: Correctly handle the Transfer-Encoding and Content-Length
headers. Discard the request Content-Length whenever T-E: chunked
is used, always passing one of either C-L or T-E: chunked whenever
the request includes a request body. Resolves an entire class of
proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
Has anyone run or _not_ run into this problem with this configuration?
Here's part of the conf:
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost _default_:443>
ServerName owa.server
SSLEngine On
SSLProxyEngine on
ProxyVia On
ProxyPass / https://owa.server
ProxyPassReverse / https://owa.server
SSLCertificateKeyFile c:/apache/conf/ssl/owa.pem
SSLCertificateFile c:/apache/conf/ssl/owa.crt
CustomLog "|c:/apache/bin/rotatelogs.exe c:/log/%Y%m%d_owa.log 86400" combined
<Location />
Allow from All
AuthType Basic
AuthName "OWA"
AuthUserFile conf/owa-passwords
Require valid-user
</Location>
</VirtualHost>
The internal ip of "owa.server" is set up in the hosts file to facilitate the
generation of correct URLs by Exchange (as suggested in
http://www.soft-land.org/articoli/exch).
Regards, Manuel Martin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
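Added example (not part of the original thread and not Apache's own code): a simplified Python model of the rule in the changelog entry quoted above, where a proxy forwards at most one body-framing header and lets T-E: chunked override Content-Length. The function name forward_framing and the sample request are assumptions made for illustration.

```python
class AmbiguousFraming(ValueError):
    """The request body length cannot be determined unambiguously."""


def forward_framing(headers):
    """Return the headers a proxy would send upstream, keeping at most one
    body-framing header: Transfer-Encoding: chunked wins over Content-Length.

    headers: list of (name, value) pairs as received from the client.
    """
    te_tokens, cl_values, passthrough = [], set(), []
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "transfer-encoding":
            te_tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
        elif lname == "content-length":
            cl_values.update(v.strip() for v in value.split(","))
        else:
            passthrough.append((name, value))

    if te_tokens:
        # chunked must be the final coding, otherwise the body has no clear end.
        if te_tokens[-1] != "chunked":
            raise AmbiguousFraming("Transfer-Encoding does not end in chunked")
        # Rule from the changelog: discard the request Content-Length.
        return passthrough + [("Transfer-Encoding", ", ".join(te_tokens))]

    if cl_values:
        # Repeated identical values are tolerated; differing ones are not.
        if len(cl_values) != 1:
            raise AmbiguousFraming("conflicting Content-Length values")
        (cl,) = cl_values
        if not (cl.isascii() and cl.isdigit()):
            raise AmbiguousFraming("Content-Length is not a decimal number")
        return passthrough + [("Content-Length", str(int(cl)))]

    return passthrough  # no framing header: request carries no body


# Constructed sample: an upload-style POST that carries both framing headers.
SAMPLE = [
    ("Host", "owa.server"),
    ("Content-Type", "multipart/form-data; boundary=x"),
    ("Content-Length", "5"),
    ("Transfer-Encoding", "chunked"),
]

if __name__ == "__main__":
    for name, value in forward_framing(SAMPLE):
        print(f"{name}: {value}")
```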
Re: [users@httpd] Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Posted by Michele Marcionelli <mi...@math.ethz.ch>.
Hello,
I ran into exactly the same problem, but on another architecture:
Red Hat Enterprise Linux AS release 3+4
Apache 2.0.55
OpenSSL 0.9.7a
I'm also using Apache as an SSL-Proxy for a Zope server and some
operations, especially with FORMs, don't work anymore.
Thanks for any feedback,
Michele
On 20.10.2005, at 18:06, Manuel Martin wrote:
> Hello people,
>
> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I set up for MS
> Exchange 2003 Outlook Web Access causes problems. The users stumbled over the
> problem that they cannot attach files to their emails. I tried it myself: the
> attachment seems to be uploaded to the server, but is not "registered" by
> Exchange.
> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache a while back to make
> that compilation possible) it works fine again.
> I really suspect this change to be the culprit:
> "SECURITY: CAN-2005-2088 (cve.mitre.org)
> proxy: Correctly handle the Transfer-Encoding and Content-Length
> headers. Discard the request Content-Length whenever T-E: chunked
> is used, always passing one of either C-L or T-E: chunked whenever
> the request includes a request body. Resolves an entire class of
> proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
>
> Has anyone run or _not_ run into this problem with this configuration?
>
> Here's part of the conf:
>
> LoadModule proxy_module modules/mod_proxy.so
> ProxyRequests Off
> LoadModule proxy_http_module modules/mod_proxy_http.so
> <VirtualHost _default_:443>
> ServerName owa.server
> SSLEngine On
> SSLProxyEngine on
> ProxyVia On
> ProxyPass / https://owa.server
> ProxyPassReverse / https://owa.server
> SSLCertificateKeyFile c:/apache/conf/ssl/owa.pem
> SSLCertificateFile c:/apache/conf/ssl/owa.crt
> CustomLog "|c:/apache/bin/rotatelogs.exe c:/log/%Y%m%d_owa.log 86400" combined
> <Location />
> Allow from All
> AuthType Basic
> AuthName "OWA"
> AuthUserFile conf/owa-passwords
> Require valid-user
> </Location>
> </VirtualHost>
>
> The internal ip of "owa.server" is set up in the hosts file to facilitate the
> generation of correct URLs by Exchange (as suggested in
> http://www.soft-land.org/articoli/exch).
>
> Regards, Manuel Martin
--
michele.marcionelli@math.ethz.ch / phone: +41 44 632 6193
eth zentrum / hg g 14 / raemistrasse 101 - ch-8092 zurich
[users@httpd] Re: Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Posted by Helmut Schneider <ju...@gmx.de>.
Helmut Schneider (jumper99@gmx.de) wrote:
> Manuel Martin (martin@ferber-software.de) wrote:
>
>> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I set up for MS
>> Exchange 2003 Outlook Web Access causes problems. The users stumbled over
>> the problem that they cannot attach files to their emails. I tried it
>> myself: the attachment seems to be uploaded to the server, but is not
>> "registered" by Exchange.
>> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache a while back to
>> make that compilation possible) it works fine again.
>> I really suspect this change to be the culprit:
>> "SECURITY: CAN-2005-2088 (cve.mitre.org)
>> proxy: Correctly handle the Transfer-Encoding and Content-Length
>> headers. Discard the request Content-Length whenever T-E: chunked
>> is used, always passing one of either C-L or T-E: chunked whenever
>> the request includes a request body. Resolves an entire class of
>> proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
>>
>> Has anyone run or _not_ run into this problem with this configuration?
>
> Same problem here using apache 2.0.55 on FreeBSD 5.4.
http://issues.apache.org/bugzilla/attachment.cgi?id=16744 works fine.
--
Please do not feed my mailbox, Swen still does his job well
[users@httpd] Re: Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Posted by Helmut Schneider <ju...@gmx.de>.
Manuel Martin (martin@ferber-software.de) wrote:
> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I set up for MS
> Exchange 2003 Outlook Web Access causes problems. The users stumbled over
> the problem that they cannot attach files to their emails. I tried it
> myself: the attachment seems to be uploaded to the server, but is not
> "registered" by Exchange.
> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache a while back to
> make that compilation possible) it works fine again.
> I really suspect this change to be the culprit:
> "SECURITY: CAN-2005-2088 (cve.mitre.org)
> proxy: Correctly handle the Transfer-Encoding and Content-Length
> headers. Discard the request Content-Length whenever T-E: chunked
> is used, always passing one of either C-L or T-E: chunked whenever
> the request includes a request body. Resolves an entire class of
> proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]"
>
> Has anyone run or _not_ run into this problem with this configuration?
Same problem here using apache 2.0.55 on FreeBSD 5.4.
--
Please do not feed my mailbox, Swen still does his job well