httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Wilkie <tom.wil...@gmail.com>
Subject bug in mod_proxy(_connect)?
Date Thu, 06 Aug 2009 17:50:40 GMT
Hi

Bear with me, I'm new to this list.  I think I've found a bug in  
mod_proxy / mod_proxy_connect.

I'm running apache in both forward and reverse proxy mode.  The idea  
is :- reverse proxy gives people outside firewall access to websites  
on different VMs inside via one IP, and forward proxy is to allow them  
to log in via ssh.

A trimmed down conf file:

======

NameVirtualHost *:443

SSLCertificateFile /etc/apache2/ssl/default-ssl

LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

<VirtualHost *:443>
       SSLEngine on
       ServerName proxy.domain.com

       ProxyRequests on
       AllowCONNECT 22
       ProxyVia on

       <Proxy *.domain.com>
               AuthType Basic
               AuthBasicProvider ldap
               AuthName "Domain"

               AuthzLDAPAuthoritative   off
               AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com 
"
               Require valid-user
       </Proxy>
</VirtualHost>

<VirtualHost *:443>
       SSLEngine on
       ServerName wiki.domain.com
       ProxyPass / http://wiki.domain.com/

       <Location />
                  AuthType Basic
                  AuthBasicProvider ldap
                  AuthName "Domain"

                  AuthzLDAPAuthoritative   off
                  AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com 
"
                  Require valid-user
       </Location>
</VirtualHost>

=======

SSH connects fine if the second <VirtualHost> clause isn't there, but  
fails if it is:

=======

# ssh somehost.domain.com

SSL client to proxy enabled
Local proxy proxy.domain.com resolves to XXX
Connected to proxy.domain.com:443 (local proxy)

Tunneling to somehost.domain.com:22 (destination)
Communication with local proxy:
-> CONNECT somehost.domain.com:22 HTTP/1.0
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 403 Proxy Error
HTTP return code: 403 Proxy Error
<- Date: Thu, 06 Aug 2009 17:16:26 GMT
<- Content-Length: 396
<- Connection: close
<- Content-Type: text/html; charset=iso-8859-1
ssh_exchange_identification: Connection closed by remote host

=======

In my apache logs:

=======

[Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request  
received for child 0 (server somehost.domain.com:443)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:  
CONNECT: canonicalising URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]  
proxy: *: found forward proxy worker for somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme  
somehost.domain.com handler (attempt 0)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:  
CONNECT: serving URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:  
CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:  
CONNECT: connecting to remote proxy somehost.domain.com on port 22
[Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:  
Connect to remote machine blocked2 returned by somehost.domain.com:22  
<<<<<========
[Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL:  
Write: SSL negotiation finished successfully
[Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection  
closed to child 0 with standard shutdown (server proxy.domain.com:443)

=======

I've recompiled apache so I could tell which error message this was (3  
messages the same in mod_proxy_connect.c - nice):

=======

  ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
        "proxy: CONNECT: connecting to remote proxy %s on port %d",  
connectname, connectport);

   /* check if ProxyBlock directive on this host */
   if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
       return ap_proxyerror(r, HTTP_FORBIDDEN,
                            "Connect to remote machine blocked1");
   }

   /* Check if it is an allowed port */
   if (conf->allowed_connect_ports->nelts == 0) {
   /* Default setting if not overridden by AllowCONNECT */
       switch (uri.port) {
           case APR_URI_HTTPS_DEFAULT_PORT:
           case APR_URI_SNEWS_DEFAULT_PORT:
               break;
           default:
       return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote  
machine blocked2");
       }
   } else if(!allowed_port(conf, uri.port)) {
   return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine  
blocked3");
   }

=======

And its failing on the conf->allowed_connect_ports->nelts == 0, ie  
there are no AllowCONNECTs defined (although there obviously are!)

I think there must be something wrong in set_allowed_ports in  
mod_proxy.c, perhaps it is getting the wrong server_rec?

Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all  
the debian patches) + a patch fromhttps://issues.apache.org/bugzilla/ 
show_bug.cgi?id=29744(https://issues.apache.org/bugzilla/attachment.cgi?id=22248 
) to make http connect work over HTTPS.

As for all the ldap stuff in my config, if works fine for the Reverse  
Proxy (ie the wiki.domain.com) but haven't got it working for the  
forward, CONNECT proxy.  I think it has nothing to do with it though,  
because ssh works if I remove the reverse proxies, just without  
prompting for the ldap password.

So... Any ideas?

Thanks

Tom




Mime
View raw message