httpd-dev mailing list archives

From Tom Wilkie <tom.wil...@gmail.com>
Subject Re: bug in mod_proxy(_connect)?
Date Thu, 06 Aug 2009 18:40:38 GMT
So I figured out why the forward proxy wasn't authenticating... I changed:

<Proxy *.domain.com>

to:

<Proxy *>

And it worked.  Bug? Feature?

On 6 Aug 2009, at 18:50, Tom Wilkie wrote:

> Hi
>
> Bear with me, I'm new to this list.  I think I've found a bug in  
> mod_proxy / mod_proxy_connect.
>
> I'm running apache in both forward and reverse proxy mode.  The idea
> is: the reverse proxy gives people outside the firewall access to websites
> on different VMs inside via one IP, and the forward proxy is to allow
> them to log in via ssh.
>
> A trimmed down conf file:
>
> ======
>
> NameVirtualHost *:443
>
> SSLCertificateFile /etc/apache2/ssl/default-ssl
>
> LogLevel debug
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
>
> <VirtualHost *:443>
>      SSLEngine on
>      ServerName proxy.domain.com
>
>      ProxyRequests on
>      AllowCONNECT 22
>      ProxyVia on
>
>      <Proxy *.domain.com>
>              AuthType Basic
>              AuthBasicProvider ldap
>              AuthName "Domain"
>
>              AuthzLDAPAuthoritative   off
>              AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
>              Require valid-user
>      </Proxy>
> </VirtualHost>
>
> <VirtualHost *:443>
>      SSLEngine on
>      ServerName wiki.domain.com
>      ProxyPass / http://wiki.domain.com/
>
>      <Location />
>                 AuthType Basic
>                 AuthBasicProvider ldap
>                 AuthName "Domain"
>
>                 AuthzLDAPAuthoritative   off
>                 AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com"
>                 Require valid-user
>      </Location>
> </VirtualHost>
>
> =======
>
> SSH connects fine if the second <VirtualHost> clause isn't there,  
> but fails if it is:
>
> =======
>
> # ssh somehost.domain.com
>
> SSL client to proxy enabled
> Local proxy proxy.domain.com resolves to XXX
> Connected to proxy.domain.com:443 (local proxy)
>
> Tunneling to somehost.domain.com:22 (destination)
> Communication with local proxy:
> -> CONNECT somehost.domain.com:22 HTTP/1.0
> -> Proxy-Connection: Keep-Alive
> <- HTTP/1.1 403 Proxy Error
> HTTP return code: 403 Proxy Error
> <- Date: Thu, 06 Aug 2009 17:16:26 GMT
> <- Content-Length: 396
> <- Connection: close
> <- Content-Type: text/html; charset=iso-8859-1
> ssh_exchange_identification: Connection closed by remote host
>
> =======
>
> In my apache logs:
>
> =======
>
> [Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request  
> received for child 0 (server somehost.domain.com:443)
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:  
> CONNECT: canonicalising URL somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]  
> proxy: *: found forward proxy worker for somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme  
> somehost.domain.com handler (attempt 0)
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:  
> CONNECT: serving URL somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:  
> CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
> [Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:  
> CONNECT: connecting to remote proxy somehost.domain.com on port 22
> [Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:
> Connect to remote machine blocked2 returned by somehost.domain.com:22 <<<<<========
> [Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770):  
> OpenSSL: Write: SSL negotiation finished successfully
> [Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection  
> closed to child 0 with standard shutdown (server proxy.domain.com:443)
>
> =======
>
> I've recompiled apache so I could tell which error message this was  
> (3 messages the same in mod_proxy_connect.c - nice):
>
> =======
>
> ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
>              "proxy: CONNECT: connecting to remote proxy %s on port %d",
>              connectname, connectport);
>
> /* check if ProxyBlock directive on this host */
> if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
>     return ap_proxyerror(r, HTTP_FORBIDDEN,
>                          "Connect to remote machine blocked1");
> }
>
> /* Check if it is an allowed port */
> if (conf->allowed_connect_ports->nelts == 0) {
>     /* Default setting if not overridden by AllowCONNECT */
>     switch (uri.port) {
>         case APR_URI_HTTPS_DEFAULT_PORT:
>         case APR_URI_SNEWS_DEFAULT_PORT:
>             break;
>         default:
>             return ap_proxyerror(r, HTTP_FORBIDDEN,
>                                  "Connect to remote machine blocked2");
>     }
> } else if (!allowed_port(conf, uri.port)) {
>     return ap_proxyerror(r, HTTP_FORBIDDEN,
>                          "Connect to remote machine blocked3");
> }
>
> =======
>
> And it's failing on the conf->allowed_connect_ports->nelts == 0, i.e.
> there are no AllowCONNECTs defined (although there obviously are!)
>
> I think there must be something wrong in set_allowed_ports in  
> mod_proxy.c, perhaps it is getting the wrong server_rec?
>
> Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all
> the debian patches) + a patch from https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
> (https://issues.apache.org/bugzilla/attachment.cgi?id=22248) to make
> http connect work over HTTPS.
>
> As for all the ldap stuff in my config, it works fine for the
> Reverse Proxy (i.e. the wiki.domain.com) but I haven't got it working
> for the forward, CONNECT proxy.  I think it has nothing to do with
> it though, because ssh works if I remove the reverse proxies, just
> without prompting for the ldap password.
>
> So... Any ideas?
>
> Thanks
>
> Tom
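The `<Proxy *.domain.com>` versus `<Proxy *>` difference in the reply above can be reproduced without an Apache install. The program below is an added example written for this page, not httpd source and not code posted in the thread. It assumes (from the 2.2 mod_proxy internals) that proxy_walk() matches a `<Proxy>` wildcard with ap_strcmp_match() rules against r->filename minus its "proxy:" prefix, that for a CONNECT request that filename is "proxy:host:port", and that the port check is the one quoted from mod_proxy_connect.c above; the names glob_match, proxy_section_applies, connect_filename, connect_port_allowed and allow_connect_22 are this example's own.

```c
/*
 * Added example (not httpd source, not code from this thread): a stand-alone
 * reproduction of two pieces of Apache 2.2 mod_proxy behaviour that together
 * explain the thread.  Both are stated as assumptions about httpd internals,
 * and every function name below is this example's own.
 *
 *  1. proxy_walk() decides whether a <Proxy PATTERN> section applies by
 *     matching PATTERN against r->filename with the leading "proxy:" removed,
 *     using ap_strcmp_match() glob rules ('*' any run, '?' one char,
 *     '\' escapes the next char).  For "CONNECT host:port" that filename is
 *     "proxy:host:port", so the pattern is tested against "somehost.domain.com:22".
 *  2. The AllowCONNECT port check quoted from mod_proxy_connect.c above:
 *     an empty list means only 443 and 563 are allowed.
 */
#include <stdio.h>
#include <string.h>

/* Glob match with ap_strcmp_match() rules.  Returns 1 on match, 0 otherwise
 * (the httpd function returns 0 on match; the sense is flipped here). */
static int glob_match(const char *str, const char *pat)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*')            /* collapse runs of '*' */
                pat++;
            if (*pat == '\0')
                return 1;                  /* trailing '*' matches the rest */
            for (; *str; str++)            /* try every remaining suffix */
                if (glob_match(str, pat))
                    return 1;
            return 0;
        }
        if (*str == '\0')
            return 0;                      /* pattern longer than subject */
        if (*pat == '?') {
            str++; pat++;
            continue;
        }
        if (*pat == '\\' && pat[1] != '\0')
            pat++;                         /* escaped literal */
        if (*pat != *str)
            return 0;
        str++; pat++;
    }
    return *str == '\0';                   /* subject must be fully consumed */
}

/* Does <Proxy PATTERN> apply to a request whose r->filename is FILENAME? */
static int proxy_section_applies(const char *pattern, const char *filename)
{
    if (strncmp(filename, "proxy:", 6) == 0)
        filename += 6;
    return glob_match(filename, pattern);
}

/* The r->filename that mod_proxy builds for "CONNECT host:port". */
static const char *connect_filename(char *buf, size_t n, const char *host, int port)
{
    snprintf(buf, n, "proxy:%s:%d", host, port);
    return buf;
}

/* The AllowCONNECT check: ALLOWED is the AllowCONNECT list that reached the
 * server handling the request (empty when no directive reached it); PORT is
 * the CONNECT target port. */
static int connect_port_allowed(const int *allowed, int n_allowed, int port)
{
    int i;
    if (n_allowed == 0)                    /* default: https and snews only */
        return port == 443 || port == 563;
    for (i = 0; i < n_allowed; i++)
        if (allowed[i] == port)
            return 1;
    return 0;
}

static const int allow_connect_22[] = { 22 };   /* "AllowCONNECT 22" */

int main(void)
{
    char fn[128];
    const char *patterns[] = { "*.domain.com", "*", "*.domain.com:22" };
    size_t i;

    connect_filename(fn, sizeof fn, "somehost.domain.com", 22);
    for (i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("<Proxy %-16s> vs %s -> %s\n", patterns[i], fn,
               proxy_section_applies(patterns[i], fn) ? "applies" : "does NOT apply");

    printf("no AllowCONNECT, port 22  -> %s\n",
           connect_port_allowed(NULL, 0, 22) ? "allowed" : "blocked2");
    printf("no AllowCONNECT, port 443 -> %s\n",
           connect_port_allowed(NULL, 0, 443) ? "allowed" : "blocked2");
    printf("AllowCONNECT 22, port 22  -> %s\n",
           connect_port_allowed(allow_connect_22, 1, 22) ? "allowed" : "blocked3");
    return 0;
}
```

Build with `cc -Wall proxy_match.c && ./a.out`. The point to take from it: the pattern `*.domain.com` cannot match `somehost.domain.com:22`, because the `:22` is left over after the pattern is consumed (for the same reason it matches no `http://.../` URL either), so nothing inside that `<Proxy>` block, the LDAP `Require valid-user` included, was ever merged into the CONNECT request, and the tunnel was served with no authentication at all. `<Proxy *>` matches every proxied request; `<Proxy *.domain.com:22>` would keep the scope narrow while still catching the CONNECT. The AllowCONNECT check is separate from section matching and is evaluated against whatever list reached the server_rec the request was routed to, which is where Tom's guess about the wrong server_rec comes in.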

