Posted to dev@httpd.apache.org by Tom Wilkie <to...@gmail.com> on 2009/08/06 19:50:40 UTC
bug in mod_proxy(_connect)?
Hi
Bear with me, I'm new to this list. I think I've found a bug in
mod_proxy / mod_proxy_connect.
I'm running apache in both forward and reverse proxy mode. The idea
is :- reverse proxy gives people outside firewall access to websites
on different VMs inside via one IP, and forward proxy is to allow them
to log in via ssh.
A trimmed down conf file:
======
NameVirtualHost *:443
SSLCertificateFile /etc/apache2/ssl/default-ssl
LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
<VirtualHost *:443>
SSLEngine on
ServerName proxy.domain.com
ProxyRequests on
AllowCONNECT 22
ProxyVia on
<Proxy *.domain.com>
AuthType Basic
AuthBasicProvider ldap
AuthName "Domain"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
Require valid-user
</Proxy>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
ServerName wiki.domain.com
ProxyPass / http://wiki.domain.com/
<Location />
AuthType Basic
AuthBasicProvider ldap
AuthName "Domain"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
Require valid-user
</Location>
</VirtualHost>
=======
SSH connects fine if the second <VirtualHost> clause isn't there, but
fails if it is:
=======
# ssh somehost.domain.com
SSL client to proxy enabled
Local proxy proxy.domain.com resolves to XXX
Connected to proxy.domain.com:443 (local proxy)
Tunneling to somehost.domain.com:22 (destination)
Communication with local proxy:
-> CONNECT somehost.domain.com:22 HTTP/1.0
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 403 Proxy Error
HTTP return code: 403 Proxy Error
<- Date: Thu, 06 Aug 2009 17:16:26 GMT
<- Content-Length: 396
<- Connection: close
<- Content-Type: text/html; charset=iso-8859-1
ssh_exchange_identification: Connection closed by remote host
=======
In my apache logs:
=======
[Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request
received for child 0 (server somehost.domain.com:443)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:
CONNECT: canonicalising URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]
proxy: *: found forward proxy worker for somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme
somehost.domain.com handler (attempt 0)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:
CONNECT: serving URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:
CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:
CONNECT: connecting to remote proxy somehost.domain.com on port 22
[Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:
Connect to remote machine blocked2 returned by somehost.domain.com:22
<<<<<========
[Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL:
Write: SSL negotiation finished successfully
[Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection
closed to child 0 with standard shutdown (server proxy.domain.com:443)
=======
I've recompiled apache so I could tell which error message this was (3
messages the same in mod_proxy_connect.c - nice):
=======
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                 "proxy: CONNECT: connecting to remote proxy %s on port %d",
                 connectname, connectport);

    /* check if ProxyBlock directive on this host */
    if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
        return ap_proxyerror(r, HTTP_FORBIDDEN,
                             "Connect to remote machine blocked1");
    }

    /* Check if it is an allowed port */
    if (conf->allowed_connect_ports->nelts == 0) {
        /* Default setting if not overridden by AllowCONNECT */
        switch (uri.port) {
        case APR_URI_HTTPS_DEFAULT_PORT:
        case APR_URI_SNEWS_DEFAULT_PORT:
            break;
        default:
            return ap_proxyerror(r, HTTP_FORBIDDEN,
                                 "Connect to remote machine blocked2");
        }
    }
    else if (!allowed_port(conf, uri.port)) {
        return ap_proxyerror(r, HTTP_FORBIDDEN,
                             "Connect to remote machine blocked3");
    }
=======
And it's failing on the conf->allowed_connect_ports->nelts == 0, i.e.
there are no AllowCONNECTs defined (although there obviously are!)
I think there must be something wrong in set_allowed_ports in
mod_proxy.c, perhaps it is getting the wrong server_rec?
Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all
the debian patches) + a patch from
https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
(https://issues.apache.org/bugzilla/attachment.cgi?id=22248)
to make http connect work over HTTPS.
As for all the ldap stuff in my config, it works fine for the Reverse
Proxy (ie the wiki.domain.com) but I haven't got it working for the
forward, CONNECT proxy. I think it has nothing to do with it though,
because ssh works if I remove the reverse proxies, just without
prompting for the ldap password.
So... Any ideas?
Thanks
Tom
Re: bug in mod_proxy(_connect)?
Posted by Ruediger Pluem <rp...@apache.org>.
On 08/06/2009 07:50 PM, Tom Wilkie wrote:
> Hi
>
> Bear with me, I'm new to this list. I think I've found a bug in
> mod_proxy / mod_proxy_connect.
>
> I'm running apache in both forward and reverse proxy mode. The idea is
> :- reverse proxy gives people outside firewall access to websites on
> different VMs inside via one IP, and forward proxy is to allow them to
> log in via ssh.
>
> A trimmed down conf file:
>
> ======
>
> NameVirtualHost *:443
>
> SSLCertificateFile /etc/apache2/ssl/default-ssl
>
> LogLevel debug
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
>
> <VirtualHost *:443>
> SSLEngine on
> ServerName proxy.domain.com
>
> ProxyRequests on
> AllowCONNECT 22
> ProxyVia on
>
> <Proxy *.domain.com>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "Domain"
>
> AuthzLDAPAuthoritative off
> AuthLDAPURL
> "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
> Require valid-user
> </Proxy>
> </VirtualHost>
>
> <VirtualHost *:443>
> SSLEngine on
> ServerName wiki.domain.com
> ProxyPass / http://wiki.domain.com/
>
> <Location />
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "Domain"
>
> AuthzLDAPAuthoritative off
> AuthLDAPURL
> "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
> Require valid-user
> </Location>
> </VirtualHost>
>
> =======
>
> SSH connects fine if the second <VirtualHost> clause isn't there, but
> fails if it is:
Try reversing the order of the VirtualHosts in your config. The CONNECT
method always falls into the default virtual host.
Regards
Rüdiger
Re: bug in mod_proxy(_connect)?
Posted by Ruediger Pluem <rp...@apache.org>.
On 08/06/2009 08:40 PM, Tom Wilkie wrote:
> So I figured out why the forward proxy wasn't authenticating... I changed:
>
> <Proxy *.domain.com>
>
> to:
>
> <Proxy *>
>
> And it worked. Bug? Feature?
Have you tried <Proxy *.domain.com:22>?
Regards
Rüdiger
Re: bug in mod_proxy(_connect)?
Posted by Tom Wilkie <to...@gmail.com>.
So I figured out why the forward proxy wasn't authenticating... I
changed:
<Proxy *.domain.com>
to:
<Proxy *>
And it worked. Bug? Feature?
On 6 Aug 2009, at 18:50, Tom Wilkie wrote:
> Hi
>
> Bear with me, I'm new to this list. I think I've found a bug in
> mod_proxy / mod_proxy_connect.
>
> I'm running apache in both forward and reverse proxy mode. The idea
> is :- reverse proxy gives people outside firewall access to websites
> on different VMs inside via one IP, and forward proxy is to allow
> them to log in via ssh.
>
> A trimmed down conf file:
>
> ======
>
> NameVirtualHost *:443
>
> SSLCertificateFile /etc/apache2/ssl/default-ssl
>
> LogLevel debug
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
>
> <VirtualHost *:443>
> SSLEngine on
> ServerName proxy.domain.com
>
> ProxyRequests on
> AllowCONNECT 22
> ProxyVia on
>
> <Proxy *.domain.com>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "Domain"
>
> AuthzLDAPAuthoritative off
> AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
> Require valid-user
> </Proxy>
> </VirtualHost>
>
> <VirtualHost *:443>
> SSLEngine on
> ServerName wiki.domain.com
> ProxyPass / http://wiki.domain.com/
>
> <Location />
> AuthType Basic
> AuthBasicProvider ldap
> AuthName "Domain"
>
> AuthzLDAPAuthoritative off
> AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
> Require valid-user
> </Location>
> </VirtualHost>
>
> =======
>
> SSH connects fine if the second <VirtualHost> clause isn't there,
> but fails if it is:
>
> =======
>
> # ssh somehost.domain.com
>
> SSL client to proxy enabled
> Local proxy proxy.domain.com resolves to XXX
> Connected to proxy.domain.com:443 (local proxy)
>
> Tunneling to somehost.domain.com:22 (destination)
> Communication with local proxy:
> -> CONNECT somehost.domain.com:22 HTTP/1.0
> -> Proxy-Connection: Keep-Alive
> <- HTTP/1.1 403 Proxy Error
> HTTP return code: 403 Proxy Error
> <- Date: Thu, 06 Aug 2009 17:16:26 GMT
> <- Content-Length: 396
> <- Connection: close
> <- Content-Type: text/html; charset=iso-8859-1
> ssh_exchange_identification: Connection closed by remote host
>
> =======
>
> In my apache logs:
>
> =======
>
> [Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request
> received for child 0 (server somehost.domain.com:443)
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:
> CONNECT: canonicalising URL somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]
> proxy: *: found forward proxy worker for somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme
> somehost.domain.com handler (attempt 0)
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:
> CONNECT: serving URL somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:
> CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:
> CONNECT: connecting to remote proxy somehost.domain.com on port 22
> [Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:
> Connect to remote machine blocked2 returned by somehost.domain.com:22 <<<<<========
> [Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770):
> OpenSSL: Write: SSL negotiation finished successfully
> [Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection
> closed to child 0 with standard shutdown (server proxy.domain.com:443)
>
> =======
>
> I've recompiled apache so I could tell which error message this was
> (3 messages the same in mod_proxy_connect.c - nice):
>
> =======
>
>     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
>                  "proxy: CONNECT: connecting to remote proxy %s on port %d",
>                  connectname, connectport);
>
>     /* check if ProxyBlock directive on this host */
>     if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
>         return ap_proxyerror(r, HTTP_FORBIDDEN,
>                              "Connect to remote machine blocked1");
>     }
>
>     /* Check if it is an allowed port */
>     if (conf->allowed_connect_ports->nelts == 0) {
>         /* Default setting if not overridden by AllowCONNECT */
>         switch (uri.port) {
>         case APR_URI_HTTPS_DEFAULT_PORT:
>         case APR_URI_SNEWS_DEFAULT_PORT:
>             break;
>         default:
>             return ap_proxyerror(r, HTTP_FORBIDDEN,
>                                  "Connect to remote machine blocked2");
>         }
>     }
>     else if (!allowed_port(conf, uri.port)) {
>         return ap_proxyerror(r, HTTP_FORBIDDEN,
>                              "Connect to remote machine blocked3");
>     }
>
> =======
>
> And it's failing on the conf->allowed_connect_ports->nelts == 0, i.e.
> there are no AllowCONNECTs defined (although there obviously are!)
>
> I think there must be something wrong in set_allowed_ports in
> mod_proxy.c, perhaps it is getting the wrong server_rec?
>
> Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all
> the debian patches) + a patch from
> https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
> (https://issues.apache.org/bugzilla/attachment.cgi?id=22248)
> to make http connect work over HTTPS.
>
> As for all the ldap stuff in my config, it works fine for the
> Reverse Proxy (ie the wiki.domain.com) but I haven't got it working
> for the forward, CONNECT proxy. I think it has nothing to do with
> it though, because ssh works if I remove the reverse proxies, just
> without prompting for the ldap password.
>
> So... Any ideas?
>
> Thanks
>
> Tom