You are viewing a plain text version of this content. The canonical link for it is here.

Posted to apache-bugdb@apache.org by Lars Slettjord <la...@cc.uit.no> on 1999/05/12 13:06:03 UTC

general/4393: Apache without mod_proxy does not give an error when it gets a proxy-request.

>Number:         4393
>Category:       general
>Synopsis:       Apache without mod_proxy does not give an error when it gets a proxy-request.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Wed May 12 04:10:01 PDT 1999
>Last-Modified:
>Originator:     lars.slettjord@cc.uit.no
>Organization:
apache
>Release:        1.3.6
>Environment:
I don't think this problem depends on the environment. Anyway, I've seen it
on Linux 2.0.x, 2.2.x, HP-UX 10.20/9.05 and IRIX 6.x.
>Description:
I run Apache and Squid on the same server, and sometimes clients are 
misconfigured, and tries to use the Apache server as a web-proxy/cache.
The Apache server is _not_ configured to handle this, mod_proxy is 
_not_ compiled in or configured. I prefer to use Squid as a
proxy/cache instead.

When a client tries to fetch a URL through Apache by i.e
"GET http://www.apache.org/bug_report.html HTTP/1.0" the following 
happens:

 * Apache seems to strip the protocol and server from the
   request, and ends up with "/bug_report.html".
 * If this path should happen to exist on my local server the
   client will get this document. I.e when the request ends up
   as "/" it will get our homepage, which is wrong.
 * The client gets an ordinary 404 when our server don't have
   the requested path.

I think Apache should return a '400 Bad Request' when it gets
a request of the form 
"GET http|ftp|gopher:server.name:port/path HTTP/1.0".
>How-To-Repeat:
Try to contact www.uit.no by telnet and do a

  GET http://www.apache.org/ HTTP/1.0  

and 

  GET http://www.apache.org/foo.html HTTP/1.0

I have implemented a custom warning by using a cgi-script. When 
a 404 occurs, and the request starts with http I send out a customized
error message. So you should try this on a regular Apache server which 
do not use mod_proxy.
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]