Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/09/13 09:23:52 UTC
DO NOT REPLY [Bug 40492] New: - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40492>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=40492
Summary: Set-Cookie by origin server gets lost when an Apache
proxy connects using SSL (mod_ssl)
Product: Apache httpd-2
Version: 2.0-HEAD
Platform: Other
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: ext-jukka.ukkonen@nokia.com
When an Apache proxy forwards requests to an origin server using SSL
any and all Set-Cookie headers are lost in the responses.
If the proxy connections use plaintext the Set-Cookie headers remain as is.
This also applies to situations in which the plaintext connection is made
to a localhost port to an stunnel instance which in turn implements the SSL
connection to the origin server.
Moreover it should be noted that using the above mentioned stunnel hack to
implement the SSL connection to the origin server makes the response times
quite a lot quicker than when using mod_ssl.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
nick@webthing.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |DUPLICATE
------- Additional Comments From nick@webthing.com 2006-09-14 13:42 -------
OK, that's a reverse proxy. The simple solution is to upgrade to 2.2, which
fixes it for you. Otherwise, apply the patches under PR#10722.
*** This bug has been marked as a duplicate of 10722 ***
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
ext-jukka.ukkonen@nokia.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|DUPLICATE                   |
------- Additional Comments From ext-jukka.ukkonen@nokia.com 2006-09-14 14:11 -------
As much as you would like to see this as a duplicate of another problem
in mod_proxy I do not think it is simply that, because this case of lost
Set-Cookie headers only affects SSL connections.
When the connections are proxied over plain text connections the cookies
are not lost.
If this is really a problem in mod_proxy, it has to be aware of whether
the encapsulation used is plain text or SSL and treat these two alternatives
differently. That again makes no sense. Why should mod_proxy care about
the encapsulation?
If you have an explanation about how and why mod_proxy would destroy only
those Set-Cookie headers which are passed over SSL I will agree. Otherwise
I maintain that these are two different issues.
Secondly, if this really is a known problem with known patches available,
why are those patches not imported to the head of 2.0 branch?
In my eyes this would warrant releasing a new version 2.0.60 or something.
Using 2.2 is out of the question, because the authentication is done using
SiteMinder SSO tools. SiteMinder only supports 1.3.33 and higher or 2.0.54
and higher.
Going over to 2.2 breaks the module ABI, which means there is no SiteMinder
module for it.
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
------- Additional Comments From ext-jukka.ukkonen@nokia.com 2006-09-14 13:03 -------
OK - I will show you a snippet from the configuration file.
Maybe you understand better then...
<Location "/CKM/" >
    RequestHeader unset Accept_Encoding
    ProxyPass https://158.98.130.218/CKM/
    ProxyPassReverse https://158.98.130.218/CKM/
    ProxyPassReverse /CKM/
</Location>
We go through the whole HTTP protocol parsing, catching certain
path prefixes which will then be forwarded to be handled by
an external server for further processing.
The apache instance is used as an authenticating proxy in
the middle which also tunnels the request over a potentially
hostile network using SSL connections.
When the responses then are on their way back to the users
the Set-Cookie headers are lost as long as the proxied
connections shown above are made using SSL.
If we drop the SSL changing the protocol in the ProxyPass
statements to plain "http" the Set-Cookie headers travel
through exactly as expected.
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
dlowry@bju.edu changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dlowry@bju.edu
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
dlowry@bju.edu changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|mod_ssl                     |mod_proxy
------- Additional Comments From dlowry@bju.edu 2006-09-28 14:17 -------
Do you have ProxyErrorOverride turned on? If you do, Apache will overwrite the
response header from the reverse proxy which would get rid of any set-cookie
directives.
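Added example, not part of the bug thread and not Apache httpd code: a small diagnostic for the symptom discussed above, comparing a response captured directly from the origin with the same response captured through the reverse proxy and listing which Set-Cookie headers went missing. The sample responses and cookie names are constructed, and the ProxyErrorOverride flag is only a heuristic for the question raised in the comment above.

```python
from email.parser import Parser

# Constructed sample captures (response head plus body), not taken from the bug report.
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSION=abc; Path=/CKM/; Secure\r\n"
    "Set-Cookie: PREF=1; Path=/CKM/\r\n"
    "\r\n<html/>"
)
PROXIED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html/>"
)


def parse_response(raw):
    """Return (status code, parsed headers) for a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)


def cookie_names(headers):
    """Set-Cookie may appear several times, so collect every occurrence."""
    values = headers.get_all("Set-Cookie") or []
    return {value.split("=", 1)[0].strip() for value in values}


def compare(origin_raw, proxied_raw):
    """Report cookies the origin set that the proxied response no longer carries."""
    origin_status, origin_headers = parse_response(origin_raw)
    proxied_status, proxied_headers = parse_response(proxied_raw)
    lost = sorted(cookie_names(origin_headers) - cookie_names(proxied_headers))
    return {
        "lost_cookies": lost,
        "status_changed": origin_status != proxied_status,
        # Heuristic (assumption): cookies lost on an error response are
        # consistent with the proxy substituting its own error document.
        "check_proxy_error_override": bool(lost) and origin_status >= 400,
    }


if __name__ == "__main__":
    print(compare(ORIGIN_RESPONSE, PROXIED_RESPONSE))
```

Running the same comparison once with the backend reached over https and once over plain http shows whether the loss really depends on the encapsulation, which is the point in dispute in this thread.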
DO NOT REPLY [Bug 40492] - Set-Cookie by origin server gets lost when an Apache proxy connects using SSL (mod_ssl)
Posted by bu...@apache.org.
nick@webthing.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
------- Additional Comments From nick@webthing.com 2006-09-13 08:40 -------
Please specify the problem more carefully. A proxy in an SSL connection sees
an encrypted datastream. To make any changes, such as finding a Set-Cookie
header, it has to decrypt the data. I infer you haven't told us what you're
really doing.