You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Sylvain Perrot <Sy...@b-i.com> on 2007/01/10 00:52:54 UTC
[mp2] Perl Auth Handlers and mod_proxy : losing querystring on remote server (BUG?)
Hi,
After 2 days trying to resolve my problem, I am close to think about a
bug in mod_perl used with mod_proxy.
let summarize my problem in case someone could help me :
CLIENT ------> Reverse-Proxy -------> Application Servers
Reverse-Proxy is : Linux, Apache 2.0.59, mod_perl 2.0.3
Application Servers are :
- Windows 2003, IIS 6, .Net 2.0
- Linux, Apache 2.0.59, php 5.2.0
Configured as Reverse Proxy only, Apache is serving correctly the
request to the Application Servers
httpd.conf :
------------------------------------------------------------------------
------
<VirtualHost *:80>
ServerAdmin admin@domain.tld
ServerName www.domain.tld
ProxyPreserveHost On
ProxyPass / http://10.0.0.100/
ProxyPassReverse / http://10.0.0.100/
CustomLog /www/doma.tld/logs/access_log combined
ErrorLog /www/doma.tld/logs/error_log
</VirtualHost>
------------------------------------------------------------------------
------
I wanted to use the PerlAuthenHandler and PerlAuthzHandler in order to
protect some areas of my Application servers directly at the reverse
proxy level
Perl module : AuthConst.pm
------------------------------------------------------------------------
------
#
# AuthConst.pm
#
package Apache2::AuthConst;
use strict;
use Apache2::Const -compile => qw(HTTP_UNAUTHORIZED FORBIDDEN DECLINED
OK);
1;
__END__
------------------------------------------------------------------------
------
httpd.conf :
------------------------------------------------------------------------
------
PerlModule Apache2::AuthConst
<VirtualHost *:80>
ServerAdmin admin@domain.tld
ServerName www.domain.tld <http://www.domain.tld/>
ProxyPreserveHost On
ProxyPass / http://10.0.0.100/
ProxyPassReverse / http://10.0.0.100/
CustomLog /www/doma.tld/logs/access_log combined
ErrorLog /www/doma.tld/logs/error_log
<LocationMatch /(?i)protected/>
PerlAuthenHandler Apache2::Const::OK
Require foobar
</LocationMatch>
</VirtualHost>
------------------------------------------------------------------------
------
Normaly, Apache should allow connection to the remote application server
for all request without calling the PerlHandler if the path is not part
of /protected.
But when a page in http://www.domain.tld/protected/ is called, the
PerlAuthenHandler is called in order to check the Authentication.
For now, my module just returns standard Apache2::Const::OK value, which
result in allowing Apache to proxy the request to the remote application
server.
This is correctly performed (anybody can test to confirm or not) ...
the problem comes when a protected page is called with a querystring :
http://www.domain.tld/protected/test.php?test=true or
http://www.domain.tld/protected/test.aspx?test=true
the remote application server receives the request, but with no
querystring !!! it is removed after the call to the PerlAuthenHandler.
If I create some more "complex" handler to log the request (URI +
QueryString) ... I can see the querystring in the Handler, but not in
the remote application server.
Just by deactivating the call to the Handler (by commenting out the
Require foobar line) ... the querystring is correctly received by the
remote application server.
Does anybody already face this problem ???
Best regards
Sylvain
PS: here is an extract of mp2bug on my installation :
===============================================
1. Problem Description:
[DESCRIBE THE PROBLEM HERE] => See my email content :-)
2. Used Components and their Configuration:
*** mod_perl version 2.000003
*** using
/usr/lib/perl5/site_perl/5.8.8/i486-linux/Apache2/BuildConfig.pm
*** Makefile.PL options:
MP_APR_LIB => aprext
MP_APXS => /usr/local/apache-2.0/bin/apxs
MP_COMPAT_1X => 1
MP_GENERATE_XS => 1
MP_LIBNAME => mod_perl
MP_USE_DSO => 1
*** The httpd binary was not found
*** (apr|apu)-config linking info
-L/usr/local/apache-2.0//lib -laprutil-0 -lexpat
-L/usr/local/apache-2.0//lib -lapr-0 -lrt -lm -lcrypt -lnsl -lpthread
-ldl
*** /usr/bin/perl -V
Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
Platform:
osname=linux, osvers=2.4.33.3, archname=i486-linux
uname='linux tree 2.4.33.3 #1 fri sep 1 01:48:52 cdt 2006 i686
athlon-4 i386 gnulinux '
config_args='-de -Dprefix=/usr -Dcccdlflags=-fPIC
-Dinstallprefix=/usr -Doptimize=-O2 -march=i486 -mtune=i686
-Dinc_version_list=5.8.7 5.8.6 5.8.5 5.8.4 5.8.3 5.8.2 5.8.1 5.8.0
-Darchname=i486-linux'
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef
usemultiplicity=undef
useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
use64bitint=undef use64bitall=undef uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cc', ccflags ='-fno-strict-aliasing -pipe
-Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64',
optimize='-O2 -march=i486 -mtune=i686',
cppflags='-fno-strict-aliasing -pipe -Wdeclaration-after-statement
-I/usr/local/include'
ccversion='', gccversion='3.4.6', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
alignbytes=4, prototype=define
Linker and Libraries:
ld='cc', ldflags =' -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib
libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
libc=/lib/libc-2.3.6.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.3.6'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'
Characteristics of this binary (from libperl):
Compile-time options: PERL_MALLOC_WRAP USE_LARGE_FILES USE_PERLIO
Built under linux
Compiled at Sep 1 2006 23:31:27
%ENV:
PERL_LWP_USE_HTTP_10="1"
@INC:
/usr/lib/perl5/5.8.8/i486-linux
/usr/lib/perl5/5.8.8
/usr/lib/perl5/site_perl/5.8.8/i486-linux
/usr/lib/perl5/site_perl/5.8.8
/usr/lib/perl5/site_perl
.
*** Packages of interest status:
Apache2 : -
Apache2::Request : 2.08
CGI : 3.25
ExtUtils::MakeMaker: 6.31
LWP : 5.805
mod_perl : -
mod_perl2 : 2.000003
3. This is the core dump trace: (if you get a core dump):
[CORE TRACE COMES HERE]
This report was generated by /usr/bin/mp2bug on Tue Jan 9 23:56:09 2007
GMT.
Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on
remote server (BUG?)
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
Geoffrey Young wrote:
>> <LocationMatch /(?i)protected/>
>> AuthType Basic
>> AuthName "Test Authentication"
>> AuthUserFile /www/xperience.ch/conf/.htpasswd
>> require valid-user
>> </LocationMatch>
>
>
> next test -
I won't be able to do any more work tonight, so if this doesn't work
here's what I'd suggest...
are you running any other mod_perl things other than authen? if not,
please take a working .htpasswd config and add in a PerlInitHandler of
any sort - I don't think it could really be authen that's tripping stuff
up, but I know we do some things for proxy requests, so it might be the
mere presence of mod_perl in the mix that is affecting you.
next, I know it's asking a lot, but I doubt anyone will have the free
tuits to create a proxy setup that mimics your problem. however, if you
can create a self-contained test scenario using this
http://people.apache.org/~geoff/bug-reporting-skeleton-mp2.tar.gz
I'll be sure to run it and see what I can do. be sure to create a case
that works and one that doesn't so I know exactly what you're trying to do.
--Geoff
Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on
remote server (BUG?)
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
Sylvain Perrot wrote:
> Hi,
>
> This is working !!!
> Good point... But how to handle the authentication as I wanted (no http
> authentication but my own authentication module ...)
you can always use your own authentication module, but you need to be
sure to follow the proper steps. what those are depend on what you're
trying to do...
if you're trying to do user-based authentication but not Basic
authentication then you need to follow the same set of rules rules, such
as setting $r->auth_type(), etc - you can't setup a
PerlAuthenHandler/Require and just expect that everything works without
calling the underlying API that httpd is expecting. with a
PerlAccessHandler, on the other hand, you can do just that.
a good read on this is all of
http://www.modperlcookbook.org/chapters/ch13.pdf
but particularly recipe 13.7.
HTH
--Geoff
RE: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on remote server (BUG?)
Posted by Sylvain Perrot <Sy...@b-i.com>.
Hi,
This is working !!!
Good point... But how to handle the authentication as I wanted (no http
authentication but my own authentication module ...)
Sylvain
-----Original Message-----
From: Geoffrey Young [mailto:geoff@modperlcookbook.org]
Sent: mercredi, 10. janvier 2007 01:47
To: Sylvain Perrot
Cc: Modperl Mailing List
Subject: Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring
on remote server (BUG?)
> <LocationMatch /(?i)protected/>
> AuthType Basic
> AuthName "Test Authentication"
> AuthUserFile /www/xperience.ch/conf/.htpasswd
> require valid-user
> </LocationMatch>
next test - keep all that the same but substitute
PerlAuthenHandler My::Authen
for
AuthUserFile /www/xperience.ch/conf/.htpasswd
and use this handler:
package My::Authen;
use Apache2::RequestRec ();
use Apache2::Access ();
use Apache2::Const -compile => qw(OK AUTH_REQUIRED);
use strict;
sub handler {
my $r = shift;
my ($status, $password) = $r->get_basic_auth_pw;
return $status unless $status == Apache2::Const::OK;
if ($r->user eq 'foo' && $password eq 'bar') {
return Apache2::Const::OK;
}
$r->note_basic_auth_failure;
return Apache2::Const::AUTH_REQUIRED;
}
1;
just using Apache2::Const::OK in your httpd.conf bypasses some
httpd-core API calls that authen might be expecting. this setup
exercises everything pretty much the way the default file authen handler
does.
--Geoff
Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on
remote server (BUG?)
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> <LocationMatch /(?i)protected/>
> AuthType Basic
> AuthName "Test Authentication"
> AuthUserFile /www/xperience.ch/conf/.htpasswd
> require valid-user
> </LocationMatch>
next test - keep all that the same but substitute
PerlAuthenHandler My::Authen
for
AuthUserFile /www/xperience.ch/conf/.htpasswd
and use this handler:
package My::Authen;
use Apache2::RequestRec ();
use Apache2::Access ();
use Apache2::Const -compile => qw(OK AUTH_REQUIRED);
use strict;
sub handler {
my $r = shift;
my ($status, $password) = $r->get_basic_auth_pw;
return $status unless $status == Apache2::Const::OK;
if ($r->user eq 'foo' && $password eq 'bar') {
return Apache2::Const::OK;
}
$r->note_basic_auth_failure;
return Apache2::Const::AUTH_REQUIRED;
}
1;
just using Apache2::Const::OK in your httpd.conf bypasses some
httpd-core API calls that authen might be expecting. this setup
exercises everything pretty much the way the default file authen handler
does.
--Geoff
RE: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on remote server (BUG?)
Posted by Sylvain Perrot <Sy...@b-i.com>.
Hi,
I tried the following in httpd.conf :
------------------------------------------------------------------------
------
<VirtualHost *:80>
ServerAdmin admin@domain.tld
ServerName www.domain.tld
ProxyPreserveHost On
ProxyPass / http://10.0.0.100/
ProxyPassReverse / http://10.0.0.100/
CustomLog /www/doma.tld/logs/access_log combined
ErrorLog /www/doma.tld/logs/error_log
<LocationMatch /(?i)protected/>
AuthType Basic
AuthName "Test Authentication"
AuthUserFile /www/xperience.ch/conf/.htpasswd
require valid-user
</LocationMatch>
</VirtualHost>
------------------------------------------------------------------------
------
And it is working fine ... After Authentication (Basic http Auth) ... I
got the querystring passed to the application server correctly !
If I reset the virtualhost to use the PerlHandler ... The querystring is
not passed to the application server !
If someone could perform a quick test by setting up an environment to
test if he got the same problem, it would be great !
Best regards
Sylvain
-----Original Message-----
From: Geoffrey Young [mailto:geoff@modperlcookbook.org]
Sent: mercredi, 10. janvier 2007 01:16
To: Perrin Harkins
Cc: Sylvain Perrot; Modperl Mailing List
Subject: Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring
on remote server (BUG?)
Perrin Harkins wrote:
> Does it help any if you use ProxyMatch instead of LocationMatch?
also, try substituting your PerlAuthenHandler for normal .htpasswd-style
authentication at the same place - mod_perl doesn't do much to interact
with the request record, which is where the query string is stored, so
I'd be surprised if the fault is in mod_perl core.
--Geoff
Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on
remote server (BUG?)
Posted by Geoffrey Young <ge...@modperlcookbook.org>.
Perrin Harkins wrote:
> Does it help any if you use ProxyMatch instead of LocationMatch?
also, try substituting your PerlAuthenHandler for normal .htpasswd-style
authentication at the same place - mod_perl doesn't do much to interact
with the request record, which is where the query string is stored, so
I'd be surprised if the fault is in mod_perl core.
--Geoff
RE: [mp2] Perl Auth Handlers and mod_proxy : losing querystring onremote server (BUG?)
Posted by Sylvain Perrot <Sy...@b-i.com>.
Hi,
It was a nice try ...
I setup the VirtualHost with a ProxyMatch directive :
httpd.conf :
------------------------------------------------------------------------
------
<VirtualHost *:80>
ServerAdmin admin@domain.tld
ServerName www.domain.tld
ProxyPreserveHost On
ProxyPass / http://10.0.0.100/
ProxyPassReverse / http://10.0.0.100/
CustomLog /www/domain.tld/logs/access_log combined
ErrorLog /www/domain.tld/logs/error_log
<ProxyMatch /(?i)protected/>
PerlAuthenHandler Apache2::Const::OK
Require foobar
</ProxyMatch>
</VirtualHost>
------------------------------------------------------------------------
------
And it also failed to pass the querystring to the remote server !!!
Sylvain
-----Original Message-----
From: Perrin Harkins [mailto:perrin@elem.com]
Sent: mercredi, 10. janvier 2007 01:10
To: Sylvain Perrot
Cc: Modperl Mailing List
Subject: Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring
onremote server (BUG?)
Does it help any if you use ProxyMatch instead of LocationMatch?
- Perrin
>
Re: [mp2] Perl Auth Handlers and mod_proxy : losing querystring on
remote server (BUG?)
Posted by Perrin Harkins <pe...@elem.com>.
Does it help any if you use ProxyMatch instead of LocationMatch?
- Perrin
>