Posted to users@httpd.apache.org by Szőts Ákos <sz...@gmail.com> on 2012/01/04 12:36:17 UTC

[users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Hi All,

There's a frequent error message in my Apache error_log (v2.2.21 under 
openSUSE 12.1):
"Invalid URI in request OPTIONS * HTTP/1.0"

I know this is an internal dummy connection to test if the server is alive 
or not. But every time, Apache tries to connect to itself, it writes 
instead of the error log.

Here is the full request:
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)

Response:
HTTP/1.1 400 Bad Request
Vary: accept-language,accept-charset,User-Agent
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Expires: Tue, 03 Jan 2012 19:31:04 GMT

Here is the full "debug" log:
[error] [client 194.38.104.110] Invalid URI in request OPTIONS * HTTP/1.0
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid 
URI in request" at WEBSERVER_ERROR_LOG.

I tried to telnet to my server on port 80, and when I write "OPTIONS *", I 
get a 400 error, but when I write "OPTIONS /", I got 200 OK.
RFC says the * is acceptable, so I don't understand why the error.

I tried to use Google, but had no luck, unfortunately.

Could you please help me resolve this issue?

Best regards,

Ákos Szőts

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Szőts Ákos <sz...@gmail.com>.
Is there any ticket for this bug, or is it fixed internally?

I just want to check whether it's really a bug, before I start to debug for 
some hours.

If it's convenient for you, I can also check the source RPM (just tell me 
what I should search for).

Ákos

On January 6, 2012, at 09:34:22, Eric Covener wrote:
> Looks like a recent bug backported into your 2.2.21



Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Eric Covener <co...@gmail.com>.
Looks like a recent bug backported into your 2.2.21



Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/06/2012 10:23 AM, Szőts Ákos wrote:
> No, I don't think so; ModSecurity just gets triggered because of something in
> the error_log.
>
> "As to the OPTIONS * request failing - make sure there are no hidden
> rewrite rules or other URI mangling going on."
>
> Thank you for the tip. Is there any (easy) way to debug which rewrite rules
> were applied to a query? The server is in use, so unfortunately I cannot

Enable the rewritelog and see what it says:

RewriteLog /some/location
RewriteLogLevel 1

If RewriteLogLevel 1 does not show you what you need to see, increase it 
until you do see something, but I would advise you not to run at a high 
loglevel for long on a production system, as it will cause a massive 
performance hit.


> turn on/off the rules randomly.
>
> Ákos
>
> On January 5, 2012, at 13:49:30, Igor Cicimov wrote:
>
> [error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
> URI in request" at WEBSERVER_ERROR_LOG.   ModSecurity? Protection against
> using * in the URI?
>
>
>


-- 
J.




Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Szőts Ákos <sz...@gmail.com>.
No, I don't think so; ModSecurity just gets triggered because of something in 
the error_log.

"As to the OPTIONS * request failing - make sure there are no hidden 
rewrite rules or other URI mangling going on."

Thank you for the tip. Is there any (easy) way to debug which rewrite rules 
were applied to a query? The server is in use, so unfortunately I cannot 
turn on/off the rules randomly.

Ákos

On January 5, 2012, at 13:49:30, Igor Cicimov wrote:

[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid 
URI in request" at WEBSERVER_ERROR_LOG.   ModSecurity? Protection against 
using * in the URI? 





Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Igor Cicimov <ic...@gmail.com>.
[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
URI in request" at WEBSERVER_ERROR_LOG.

ModSecurity? Protection against using * in the URI?

On Thu, Jan 5, 2012 at 6:17 AM, Jeroen Geilman <je...@adaptr.nl> wrote:

>  On 01/04/2012 12:36 PM, Szőts Ákos wrote:
>
>> Hi All,
>>
>> There's a frequent error message in my Apache error_log (v2.2.21 under
>> openSUSE 12.1):
>> "Invalid URI in request OPTIONS * HTTP/1.0"
>>
>> I know this is an internal dummy connection to test if the server is alive
>> or not. But every time, Apache tries to connect to itself, it writes
>> instead of the error log.
>>
>> Here is the full request:
>> OPTIONS * HTTP/1.0
>> User-Agent: Apache (internal dummy connection)
>>
>> Response:
>> HTTP/1.1 400 Bad Request
>> Vary: accept-language,accept-charset,User-Agent
>> Accept-Ranges: bytes
>> Connection: close
>> Content-Type: text/html; charset=iso-8859-1
>> Content-Language: en
>> Expires: Tue, 03 Jan 2012 19:31:04 GMT
>>
>> Here is the full "debug" log:
>> [error] [client 194.38.104.110] Invalid URI in request OPTIONS * HTTP/1.0
>> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
>> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
>> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
>> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
>> [error] [client 194.38.104.110] ModSecurity: Warning. String match
>> "Invalid
>> URI in request" at WEBSERVER_ERROR_LOG.
>>
>> I tried to telnet to my server on port 80, and when I write "OPTIONS *", I
>> get a 400 error, but when I write "OPTIONS /", I got 200 OK.
>> RFC says the * is acceptable, so I don't understand why the error.
>>
>>
> An internal dummy connection will originate from localhost (127.0.0.1),
> not 194.138.104.110:
>
>
>        [error] [client 194.38.104.110] ModSecurity: Warning. String match
> "Invalid URI in request" at WEBSERVER_ERROR_LOG.
>
>
> As to the OPTIONS * request failing - make sure there are no hidden
> rewrite rules or other URI mangling going on.
>
>
>
> --
> J.
>
>
>
>
>

Re: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Jeroen Geilman <je...@adaptr.nl>.
On 01/04/2012 12:36 PM, Szőts Ákos wrote:
> Hi All,
>
> There's a frequent error message in my Apache error_log (v2.2.21 under
> openSUSE 12.1):
> "Invalid URI in request OPTIONS * HTTP/1.0"
>
> I know this is an internal dummy connection to test if the server is alive
> or not. But every time, Apache tries to connect to itself, it writes
> instead of the error log.
>
> Here is the full request:
> OPTIONS * HTTP/1.0
> User-Agent: Apache (internal dummy connection)
>
> Response:
> HTTP/1.1 400 Bad Request
> Vary: accept-language,accept-charset,User-Agent
> Accept-Ranges: bytes
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> Content-Language: en
> Expires: Tue, 03 Jan 2012 19:31:04 GMT
>
> Here is the full "debug" log:
> [error] [client 194.38.104.110] Invalid URI in request OPTIONS * HTTP/1.0
> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
> [debug] mod_headers.c(756): headers: ap_headers_output_filter()
> [error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
> URI in request" at WEBSERVER_ERROR_LOG.
>
> I tried to telnet to my server on port 80, and when I write "OPTIONS *", I
> get a 400 error, but when I write "OPTIONS /", I got 200 OK.
> RFC says the * is acceptable, so I don't understand why the error.
>

An internal dummy connection will originate from localhost (127.0.0.1), 
not 194.138.104.110:

	[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG.


As to the OPTIONS * request failing - make sure there are no hidden 
rewrite rules or other URI mangling going on.



-- 
J.
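
A way to check the client-address point above against a real error_log, as an added example that is not part of the original thread: it counts the "Invalid URI in request OPTIONS *" errors by origin, separating loopback, the server's own addresses, and everything else. The `own_addresses` parameter and the sample lines (including their timestamps and the 198.51.100.7 address) are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Apache 2.2 error_log line: optional "[timestamp] ", then "[level] [client IP] message".
LINE_RE = re.compile(
    r'^(?:\[[^\]]+\] )?\[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$'
)
NEEDLE = "Invalid URI in request OPTIONS * "

# Constructed sample input, modelled on the log lines quoted in the thread.
SAMPLE = [
    "[Wed Jan 04 12:30:01 2012] [error] [client 194.38.104.110] "
    "Invalid URI in request OPTIONS * HTTP/1.0",
    "[Wed Jan 04 12:30:01 2012] [debug] mod_headers.c(756): "
    "headers: ap_headers_output_filter()",
    "[Wed Jan 04 12:30:01 2012] [error] [client 194.38.104.110] ModSecurity: "
    'Warning. String match "Invalid URI in request" at WEBSERVER_ERROR_LOG.',
    "[Wed Jan 04 12:31:07 2012] [error] [client 127.0.0.1] "
    "Invalid URI in request OPTIONS * HTTP/1.0",
    "[error] [client 198.51.100.7] Invalid URI in request OPTIONS * HTTP/1.0",
]


def classify(lines, own_addresses=()):
    """Count 'Invalid URI in request OPTIONS *' errors per origin class.

    own_addresses: the server's own non-loopback addresses. This parameter is
    an assumption of the example; pass the addresses the server listens on.
    """
    own = {ipaddress.ip_address(a) for a in own_addresses}
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m or m.group("level") != "error":
            continue  # debug lines and lines without a client field
        if not m.group("msg").startswith(NEEDLE):
            continue  # skips the ModSecurity line that only echoes the string
        try:
            ip = ipaddress.ip_address(m.group("client"))
        except ValueError:
            counts["unparsed"] += 1
            continue
        if ip.is_loopback:
            counts["loopback"] += 1
        elif ip in own:
            counts["own-address"] += 1
        else:
            counts["external:" + str(ip)] += 1
    return counts


if __name__ == "__main__":
    for origin, n in sorted(classify(SAMPLE).items()):
        print(n, origin)
```

Entries reported as `external:` come from addresses that are neither loopback nor listed in `own_addresses`, so they are the ones to look at before attributing the error to the server's own health check.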




Re: Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/6/2012 8:32 AM, Eric Covener wrote:
> Looks like SuSE backported the trunk fix which misfires on the
> internally dummy conn.
> 
> STATUS says we were thinking of flipping this to declined.  Looks like
> a good idea?

This is consistent with failing to populate

    https://dist.apache.org/repos/dist/release/httpd/patches/apply_to_2.2.21/

with the right security patches, leaving the world to guess at a fix.

I'm volunteering to roll 2.2.22 Monday or as quickly thereafter as

  1. all known [and undisclosed] vulnerabilities fixes are committed, and

  2. all those patches reside in apply_to_2.2.21/

Likewise, I'm offering the same for 2.0.65 on the same or following day
(whatever that turns out to be).

I'm casting my -1 on all 2.3.x/2.4.0 candidates which have security patches
that had not been recorded in the corresponding

    https://dist.apache.org/repos/dist/release/httpd/patches/apply_to_2.3.16/

since we asked users to deploy that beta; we owe them that courtesy.

We've gotten really, really schlocky about getting the code into users hands,
releases themselves notwithstanding.


Re: Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Eric Covener <co...@gmail.com>.
On Fri, Jan 6, 2012 at 10:02 AM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> Eric Covener wrote:
>> On Fri, Jan 6, 2012 at 9:46 AM, Ruediger Pluem <rp...@apache.org> wrote:
>>>
>>>
>>> Eric Covener wrote:
>>>> Looks like SuSE backported the trunk fix which misfires on the
>>>> internally dummy conn.
>>>>
>>>> STATUS says we were thinking of flipping this to declined.  Looks like
>>>> a good idea?
>>>
>>> Could you please provide some more pointers?
>>
>>
>> I assume SuSe backported our trunk solution inside of mod_rewrite and
>> mod_proxy, which is proposed for 2.2.x
>
> But the trunk code looks like
>
>
> Index: mod_rewrite.c
> ===================================================================
> --- mod_rewrite.c       (revision 1209431)
> +++ mod_rewrite.c       (revision 1209432)
> @@ -4419,6 +4419,18 @@
>         return DECLINED;
>     }
>
> +    if (strcmp(r->unparsed_uri, "*") == 0) {
> +        /* Don't apply rewrite rules to "*". */
> +        return DECLINED;
> +    }
> +
> +    /* Check that the URI is valid. */
> +    if (!r->uri || r->uri[0] != '/') {
> +        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
> +                     "Invalid URI in request %s", r->the_request);
> +        return HTTP_BAD_REQUEST;
> +    }
> +
>     /*
>      *  add the SCRIPT_URL variable to the env. this is a bit complicated
>      *  due to the fact that apache uses subrequests and internal redirects
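
Review bot: The exemption at `strcmp(r->unparsed_uri, "*") == 0` is not tied to the request method, so a request of any method whose target is "*" returns DECLINED here and never reaches the validity check below it. If only OPTIONS is meant to be exempt, test the method as well; if every method is deliberately passed through, say so in the `/* Don't apply rewrite rules to "*". */` comment.
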
>
>
> So IMHO this error should not happen as I assume that the value of r->unparsed_uri should be "*" in this case.
>

Whoops, I zoomed in on the 2nd block only.

Re: Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Ruediger Pluem <rp...@apache.org>.

Eric Covener wrote:
> On Fri, Jan 6, 2012 at 9:46 AM, Ruediger Pluem <rp...@apache.org> wrote:
>>
>>
>> Eric Covener wrote:
>>> Looks like SuSE backported the trunk fix which misfires on the
>>> internally dummy conn.
>>>
>>> STATUS says we were thinking of flipping this to declined.  Looks like
>>> a good idea?
>>
>> Could you please provide some more pointers?
> 
> 
> I assume SuSe backported our trunk solution inside of mod_rewrite and
> mod_proxy, which is proposed for 2.2.x

But the trunk code looks like


Index: mod_rewrite.c
===================================================================
--- mod_rewrite.c       (revision 1209431)
+++ mod_rewrite.c       (revision 1209432)
@@ -4419,6 +4419,18 @@
         return DECLINED;
     }

+    if (strcmp(r->unparsed_uri, "*") == 0) {
+        /* Don't apply rewrite rules to "*". */
+        return DECLINED;
+    }
+
+    /* Check that the URI is valid. */
+    if (!r->uri || r->uri[0] != '/') {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                     "Invalid URI in request %s", r->the_request);
+        return HTTP_BAD_REQUEST;
+    }
+
     /*
      *  add the SCRIPT_URL variable to the env. this is a bit complicated
      *  due to the fact that apache uses subrequests and internal redirects
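
Review bot: The second block rejects every URI that does not begin with '/', and a "*" request is spared only because the `strcmp(r->unparsed_uri, "*")` block above it returns DECLINED first; nothing in the hunk documents that dependency, so a reordering or a partial backport that keeps only the second block would answer "*" with HTTP_BAD_REQUEST and log "Invalid URI in request". Add a comment on the validity check stating that it relies on the "*" test preceding it. Separately, `r->unparsed_uri` is passed to strcmp with no NULL test while `r->uri` is guarded by `!r->uri` a few lines later; guard both or neither.
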


So IMHO this error should not happen as I assume that the value of r->unparsed_uri should be "*" in this case.

Regards

Rüdiger

Re: Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Eric Covener <co...@gmail.com>.
On Fri, Jan 6, 2012 at 9:46 AM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> Eric Covener wrote:
>> Looks like SuSE backported the trunk fix which misfires on the
>> internally dummy conn.
>>
>> STATUS says we were thinking of flipping this to declined.  Looks like
>> a good idea?
>
> Could you please provide some more pointers?


I assume SuSe backported our trunk solution inside of mod_rewrite and
mod_proxy, which is proposed for 2.2.x

> Looking at 2.2.x I cannot see a reason why we get this error.
>
> Regards
>
> Rüdiger
>



-- 
Eric Covener
covener@gmail.com

Re: Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Ruediger Pluem <rp...@apache.org>.

Eric Covener wrote:
> Looks like SuSE backported the trunk fix which misfires on the
> internally dummy conn.
> 
> STATUS says we were thinking of flipping this to declined.  Looks like
> a good idea?

Could you please provide some more pointers?
Looking at 2.2.x I cannot see a reason why we get this error.

Regards

Rüdiger


Fwd: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0

Posted by Eric Covener <co...@gmail.com>.
Looks like SuSE backported the trunk fix which misfires on the
internally dummy conn.

STATUS says we were thinking of flipping this to declined.  Looks like
a good idea?

---------- Forwarded message ----------
From: Szőts Ákos <sz...@gmail.com>
Date: Wed, Jan 4, 2012 at 6:36 AM
Subject: [users@httpd] Invalid URI in request OPTIONS * HTTP/1.0
To: users@httpd.apache.org


Hi All,

There's a frequent error message in my Apache error_log (v2.2.21 under
openSUSE 12.1):
"Invalid URI in request OPTIONS * HTTP/1.0"

I know this is an internal dummy connection to test if the server is alive
or not. But every time, Apache tries to connect to itself, it writes
instead of the error log.

Here is the full request:
OPTIONS * HTTP/1.0
User-Agent: Apache (internal dummy connection)

Response:
HTTP/1.1 400 Bad Request
Vary: accept-language,accept-charset,User-Agent
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Expires: Tue, 03 Jan 2012 19:31:04 GMT

Here is the full "debug" log:
[error] [client 194.38.104.110] Invalid URI in request OPTIONS * HTTP/1.0
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[debug] mod_headers.c(756): headers: ap_headers_output_filter()
[error] [client 194.38.104.110] ModSecurity: Warning. String match "Invalid
URI in request" at WEBSERVER_ERROR_LOG.

I tried to telnet to my server on port 80, and when I write "OPTIONS *", I
get a 400 error, but when I write "OPTIONS /", I got 200 OK.
RFC says the * is acceptable, so I don't understand why the error.

I tried to use Google, but had no luck, unfortunately.

Could you please help me resolve this issue?

Best regards,

Ákos Szőts




-- 
Eric Covener
covener@gmail.com