httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: [BUG] strange fullURI problems!
Date Fri, 06 Mar 1998 07:58:10 GMT
[Another old one from Lars]

On Sun, 9 Nov 1997, Lars Eilebrecht wrote:

> Hi,
> 
> some days ago someone posted about having problems with wrong REMOTE_HOST
> values... I just tested it and it appears that it is related to the
> fullURI handling.
> 
> Example setup:
> 
> main server is 'server' and we have one IP-based virtual host ('proxy')
> used as a proxy. ProxyRequests is turned off for the main_server
> and enabled for the virtual host.
> 
> Let's look at the following requests sent from the 'client' to the
> 'TARGET' host/interface:
> 
> 
> TARGET  GET                           REMOTE_HOST    REQUEST_URI
> ------------------------------------------------------------------------------
> proxy   http://proxy/cgi-bin/printenv   client   http://proxy/cgi-bin/printenv
> proxy   http://server/cgi-bin/printenv  server   /cgi-bin/printenv
> server  http://proxy/cgi-bin/printenv   client   http://proxy/cgi-bin/printenv
> server  http://server/cgi-bin/printenv  server   /cgi-bin/printenv
> 
> 
> The first entry/result is correct, but all others are not...
> The second entry has a wrong REMOTE_HOST. I expected to see 'proxy' instead
> of 'server' as REMOTE_HOST.
> The third request is processed although 'ProxyRequests Off' was set for
> main_server. IMHO the request should be denied, because we haven't connected
> to the 'proxy' address.
> And the last entry is wrong too, because REMOTE_HOST should contain 'client'
> instead of 'server'.
> 
> When I look at the access.log I see that only the second requests is
> processed as a real proxy request, that is I see an access from 'client'
> with the full URI and a second request from 'server' with the URI-path
> (as noted above it shouldn't be 'server' but 'proxy').
> 
> For all other requests I see only one access in the logfile with 'client'
> as the remote host. Note that I see 'client' in the access.log for the last
> request, but REMOTE_HOST is set to 'server'.
> 
> I especially see a security problem with the third example-request, because it
> was handled internally although ProxyRequests was turned off for the
> main_server.
> 
> Can anyone confirm this?

Yup I can confirm that there was brokenness.  But I disagree with your
expected results. 

The first request we both agree on. 

The second request says "server" for REMOTE_HOST because the proxy
"queries itself" -- on a different address, and I'm guessing your box is a
linux box.  Linux boxes when connecting to local sockets use the same ip
address.  Note that I think our proxy is missing a directive ProxyBindAddr
to force it to bind the local address of outgoing requests. 

A proxy can't query an address that matches the proxy itself... but it can
certainly query the same httpd on a different ip:port, or even the same
ip:port but for a different name vhost. Incidentally, the REQUEST_URI
currently says "http://server/cgi-bin/printenv".  (There is an obvious
optimization here that I'm not interested in exploring... others should
feel free to explore it though.  It's probably just a matter of beefing up
internal_redirect().) 

The third still produces what you list above, and it is correct because
server is not a proxy server... so it's free to do whatever if wants with
the absoluteURI you supply it.  And since it's not a namevhost it just
ignores the host:port and serves everything. 

The fourth produces the correct REMOTE_HOST now. 

Note that I had to correct some code to get these results, so you should
update before testing that I fixed it. 

Dean



Mime
View raw message