You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/07/12 15:25:59 UTC
DO NOT REPLY [Bug 40029] New: - mod_proxy should interoperate with RPC over HTTP
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
Summary: mod_proxy should interoperate with RPC over HTTP
Product: Apache httpd-2
Version: 2.2.2
Platform: PC
URL: http://some.server/rpc
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P4
Component: mod_proxy
AssignedTo: bugs@httpd.apache.org
ReportedBy: hans@red.roses.de
This is more of an enhancement request, and it might concern the core as well:
When Apache is used to proxy HTTP/1.1 requests and it encounters unknown
methods, it should relay the content of both the request and the response body
parts as they arrive - i.e. without any blocking, buffering or delaying.
Background:
I'm trying to grant road warrior users access to our company Exchange server
through RPC over HTTP. In my setup, an Apache 2.2.2 on a FreeBSD server in the
DMZ should act as a proxy between the Internet and the IIS on on the Exchange
server. The communication is SSL-encrypted in both directions (SSLEngine and
SSLProxyEngine On).
Unfortunately, the Outlook client just hangs when trying to access Exchange
through the proxy. The Apache error log shows these messages:
[Mon Jul 10 10:48:48 2006] [error] (70007)The timeout specified has expired:
proxy: prefetch request body failed to <exchangeip>:<port> (<exchange>) from
<clientip> ()
After working on this for quite some time, I believe I can rule out the usual
configuration and certificate problems that are described on various websites.
Also, I have a Linux in my internal network with an older version of Apache
(2.0.53) where the same proxy configuration works (not too stable and
performant, but it does work).
I did some analysis with ssldump on both proxies. Apparently, RPC over HTTP
opens two HTTP/1.1 requests: One with request method RPC_IN_DATA to send data
to the server, and one with method RPC_OUT_DATA to send data back to the client.
The body consists of raw binary data, and the connections are apparently
re-used for several RPCs.
I.e. after sending the headers for both connections, the client sends a request
on the IN connections, reads the response from the OUT connection, sends another
request on the IN connection and so on - which means that any buffering in the
proxy is absolutely deadly in this scenario.
Here's an example of an IN connection header:
RPC_IN_DATA /rpc/rpcproxy.dll?<exchange>:6002 HTTP/1.1
Accept: application/rpc
User-Agent: MSRPC
Host: <proxy>
Content-Length: 1073741824
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Authorization: Basic <user/passwd>
And here's an example of an OUT connection header:
RPC_OUT_DATA /rpc/rpcproxy.dll?<exchange>:6002 HTTP/1.1
Accept: application/rpc
User-Agent: MSRPC
Host: <proxy>
Content-Length: 76
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Authorization: Basic <user/passwd>
ssldump on the Apache 2.2.2 machine shows that the RPC_OUT_DATA is correctly
forwarded to the Exchange server. For the RPC_IN_DATA, OTOH, the proxy doesn't
even open a connection to the Exchange server. I can only guess that's it's
trying to read (prefetch?) a part or all of the 1073741824 bytes
(Content-Length) before opening the session to the Exchange server.
Unfortunately, the client only sends a small request (~ 100 bytes) on the IN
connection and starts waiting for a response on the OUT connection. It never
gets one, though, since the request hasn't reached the Exchange server yet.
On the Apache 2.0.53 server, however, both requests are forwarded to the
Exchange server, and the body bits are also relayed in a direct and timely
manner. I've tried an Apache 2.0.58 on the FreeBSD server, but that one doesn't
work, either.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40029] - mod_proxy should interoperate with RPC over HTTP
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
------- Additional Comments From hans@red.roses.de 2006-07-13 16:53 -------
(In reply to comment #4)
> Why is it timing out? Because it
> attempts to "prefetch" 8K and the 100 bytes sent are not enough?
Yes, I think so. Outlook sends 100 bytes, and then waits for a response on
the second connection before sending additional data. OTOH, Apache waits for
additional data before relaying the 100 bytes to the Exchange server in the
first place. Classic deadlock.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40029] - mod_proxy should interoperate with RPC over HTTP
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
------- Additional Comments From hans@red.roses.de 2006-07-12 16:11 -------
So, there's no chance for "be generous in what you accept"? (Apache is already
"strict in what it delivers")
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40029] - mod_proxy should interoperate with RPC over HTTP
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
------- Additional Comments From rpluem@apache.org 2006-07-12 20:57 -------
Sorry, not in this case as this opens up a security hole if we are not strict here.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40029] - mod_proxy should interoperate with RPC over HTTP
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
rpluem@apache.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
------- Additional Comments From rpluem@apache.org 2006-07-12 15:32 -------
(In reply to comment #0)
> ssldump on the Apache 2.2.2 machine shows that the RPC_OUT_DATA is correctly
> forwarded to the Exchange server. For the RPC_IN_DATA, OTOH, the proxy doesn't
> even open a connection to the Exchange server. I can only guess that's it's
> trying to read (prefetch?) a part or all of the 1073741824 bytes
> (Content-Length) before opening the session to the Exchange server.
Correct, we prefetch the whole body to avoid HTTP smuggling attacks with invalid
Content-Length headers. This is a security fix in 2.2.x and >= 2.0.55. (see
http://httpd.apache.org/security/vulnerabilities_20.html and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088). Correct me if I am
wrong but I do not think that RPC_IN_DATA and RPC_OUT_DATA are specfied in any RFC.
>
> Unfortunately, the client only sends a small request (~ 100 bytes) on the IN
> connection and starts waiting for a response on the OUT connection. It never
> gets one, though, since the request hasn't reached the Exchange server yet.
This is an incorrect use of the http protocol. Bad luck for Microsoft.
So I do not see any chance that we can do anything here. => Invalid
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40029] - mod_proxy should interoperate with RPC over HTTP
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40029>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40029
------- Additional Comments From jorton@redhat.com 2006-07-13 10:14 -------
The fix for CVE-2005-2088 was simply to discard the C-L header if a T-E header
was also present, that was a change to request.c and the changes to the proxy
are entirely unrelated.
I don't see why this shouldn't work; the requests are syntactically valid, the
proxy doesn't are about method semantics. Why is it timing out? Because it
attempts to "prefetch" 8K and the 100 bytes sent are not enough? That is pretty
icky.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org