You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2019/02/14 17:06:51 UTC
[Bug 63176] New: Wrong backend is used
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
Bug ID: 63176
Summary: Wrong backend is used
Product: Apache httpd-2
Version: 2.4.38
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
Assignee: bugs@httpd.apache.org
Reporter: luhliari@redhat.com
Target Milestone: ---
Hello all,
I'm experiencing following issue. Let's create two files:
echo HIT > /var/www/html/test-hit.html
echo MISS > /var/www/html/test-miss.html
Content of /etc/httpd/conf.d/test.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ProxyPass /test/ http://localhost/
ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
Listen 8080
<VirtualHost *:8080>
ProxyRequests on
<Proxy "*">
Require all denied
</Proxy>
</VirtualHost>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And then start httpd. Depending on request order, I'm receiving different
content:
[root@host-8-249-187 ~]# curl http://localhost/test/test-miss.html
MISS
[root@host-8-249-187 ~]# curl http://localhost/test/test-hit.html
HIT
[root@host-8-249-187 ~]# systemctl restart httpd
[root@host-8-249-187 ~]# curl http://localhost/test/test-hit.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html
on this server.<br />
</p>
</body></html>
[root@host-8-249-187 ~]# curl http://localhost/test/test-miss.html
MISS
I debugged it a bit and depending on request order, in
ap_proxy_acquire_connection, function apr_reslist_acquire acquiring different
values.
Correct case:
(gdb)
2292 if (worker->s->hmax && worker->cp->res) {
2293 rv = apr_reslist_acquire(worker->cp->res, (void **)conn);
2294 }
(gdb) p **conn
$10 = {connection = 0x0, r = 0x0, worker = 0x55555586df58, pool =
0x55555594cb78,
hostname = 0x0, addr = 0x0, scpool = 0x7fffb8007018, sock = 0x0, data = 0x0,
forward = 0x0, flags = 0, port = 0, is_ssl = 0, close = 0, need_flush = 0,
inreslist = 1, uds_path = 0x0, ssl_hostname = 0x0, tmp_bb = 0x0}
Whereas in wrong case:
(gdb) p **conn
$9 = {connection = 0x7fffb80072e0, r = 0x0, worker = 0x55555586df58,
pool = 0x55555594cb78, hostname = 0x55555594cc60 "localhost",
addr = 0x5555558e47c0, scpool = 0x7fffb8007018, sock = 0x7fffb8007090, data =
0x0,
forward = 0x0, flags = 0, port = 80, is_ssl = 0, close = 0, need_flush = 0,
inreslist = 1, uds_path = 0x0, ssl_hostname = 0x0, tmp_bb = 0x7fffb80072a0}
Also found out, that this was working in 2.4.34 and stopped to work in 2.4.37.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #1 from Lubos Uhliarik <lu...@redhat.com> ---
OK, this bug is even present in 2.4.34, but it occurs less often:
# curl -v http://localhost/test/test-miss.html; curl -v
http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:45 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:45 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html
on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v
http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:46 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:47 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html
on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v
http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:48 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:48 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html
on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v
http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:49 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:49 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:26 GMT
< ETag: "4-5822a10df9597"
< Accept-Ranges: bytes
< Content-Length: 4
< Content-Type: text/html; charset=UTF-8
<
HIT
* Connection #0 to host localhost left intact
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #6 from Yann Ylavic <yl...@gmail.com> ---
The alternative would be to (re-)validate the reused URL (from the reused
proxy_conn_rec) against the ProxyRemoteMatch (if any involved for the new
request). Not sure how to do this though, since we don't really store the path
segment in proxy_conn_rec for now (only the hostname/port AFAICT), but should
be possible..
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #2 from Lubos Uhliarik <lu...@redhat.com> ---
In 2.4.18, it is still failing. In 2.4.16, it passed 100 iterations (so
probably, it is working here).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #4 from Ruediger Pluem <rp...@apache.org> ---
(In reply to Yann Ylavic from comment #3)
> > ProxyPass /test/ http://localhost/
> > ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
> >
> > Listen 8080
> >
> > <VirtualHost *:8080>
> > ProxyRequests on
> > <Proxy "*">
> > Require all denied
> > </Proxy>
> > </VirtualHost>
>
> What is this configuration supposed to achieve, reverse-proxying to a
> forward-proxy? What is "Listen"ing on port 80?
Apart from the weird setup which purpose I struggle to understand as well I
guess I know what is happening. As the configuration uses a remote proxy for
certain URL's of the backend and not for others (.*hit.html on the backend
requires the usage of a remote proxy all other URL's do not) we get into
trouble with our connection reusing. Once the worker for a backend returns a a
usable connection for a backend we no longer check whether this particular URL
should go directly or via a proxy. We just take what we have and use it.
Currently the above could be fixed by either disabling the reuse of connections
or by having a separate ProxyPassMatch ^(/test/.*hit.html)$ http://localhost$1
that is configured before the ProxyPass.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #3 from Yann Ylavic <yl...@gmail.com> ---
> ProxyPass /test/ http://localhost/
> ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
>
> Listen 8080
>
> <VirtualHost *:8080>
> ProxyRequests on
> <Proxy "*">
> Require all denied
> </Proxy>
> </VirtualHost>
What is this configuration supposed to achieve, reverse-proxying to a
forward-proxy? What is "Listen"ing on port 80?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 63176] Wrong backend is used
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63176
--- Comment #5 from Joe Orton <jo...@redhat.com> ---
The config is perhaps a bit artificial, it is an internal test case we had for
bug 33170; the point is merely to test that the ProxyRemoteMatch is applied
correctly for some URLs and not others.
I figured this was a connection re-use issue, but wasn't sure where. Maybe
ProxyRemoteMatch shouldn't allow a URL path segment other than "/" if it cannot
reliably be applied differently to different paths? (Or we should warn for
this case?)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org