From Tom Wilkie <>
Subject bug in mod_proxy(_connect)?
Date Thu, 06 Aug 2009 17:50:40 GMT

Bear with me, I'm new to this list.  I think I've found a bug in  
mod_proxy / mod_proxy_connect.

I'm running apache in both forward and reverse proxy mode.  The idea  
is: the reverse proxy gives people outside the firewall access to websites  
on different VMs inside via one IP, and the forward proxy is to allow them  
to log in via ssh.

A trimmed down conf file:


NameVirtualHost *:443

SSLCertificateFile /etc/apache2/ssl/default-ssl

LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

<VirtualHost *:443>
       SSLEngine on

       ProxyRequests on
       AllowCONNECT 22
       ProxyVia on

       <Proxy *>
               AuthType Basic
               AuthBasicProvider ldap
               AuthName "Domain"

               AuthzLDAPAuthoritative   off
               AuthLDAPURL "ldap://,dc=domain,dc=com"
               Require valid-user
       </Proxy>
</VirtualHost>

<VirtualHost *:443>
       SSLEngine on
       ProxyPass /

       <Location />
                  AuthType Basic
                  AuthBasicProvider ldap
                  AuthName "Domain"

                  AuthzLDAPAuthoritative   off
                  AuthLDAPURL "ldap://,dc=domain,dc=com"
                  Require valid-user
       </Location>
</VirtualHost>


SSH connects fine if the second <VirtualHost> clause isn't there, but  
fails if it is:


# ssh

SSL client to proxy enabled
Local proxy resolves to XXX
Connected to (local proxy)

Tunneling to (destination)
Communication with local proxy:
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 403 Proxy Error
HTTP return code: 403 Proxy Error
<- Date: Thu, 06 Aug 2009 17:16:26 GMT
<- Content-Length: 396
<- Connection: close
<- Content-Type: text/html; charset=iso-8859-1
ssh_exchange_identification: Connection closed by remote host


In my apache logs:


[Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request received for child 0 (server
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy: CONNECT: canonicalising URL
[Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX] proxy: *: found forward proxy worker for
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme handler (attempt 0)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy: CONNECT: serving URL
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy: CONNECT: connecting to
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy: CONNECT: connecting to remote proxy on port 22
[Thu Aug 06 18:25:15 2009] [error] [client] proxy: Connect to remote machine blocked2 returned by
[Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
[Thu Aug 06 18:25:15 2009] [info] [client] Connection closed to child 0 with standard shutdown (server


I've recompiled apache so I could tell which error message this was (3  
messages the same in mod_proxy_connect.c - nice):


    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                 "proxy: CONNECT: connecting to remote proxy %s on port %d",
                 connectname, connectport);

    /* check if ProxyBlock directive on this host */
    if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
        return ap_proxyerror(r, HTTP_FORBIDDEN,
                             "Connect to remote machine blocked1");

    /* Check if it is an allowed port */
    if (conf->allowed_connect_ports->nelts == 0) {
        /* Default setting if not overridden by AllowCONNECT */
        switch (uri.port) {
        return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked2");
    } else if(!allowed_port(conf, uri.port)) {
        return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine  


And it's failing on the conf->allowed_connect_ports->nelts == 0, i.e.  
there are no AllowCONNECTs defined (although there obviously are!)

I think there must be something wrong in set_allowed_ports in  
mod_proxy.c, perhaps it is getting the wrong server_rec?

Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all  
the debian patches) + a patch from 
) to make http connect work over HTTPS.

As for all the ldap stuff in my config, it works fine for the Reverse  
Proxy (i.e. the but I haven't got it working for the  
forward, CONNECT proxy.  I think it has nothing to do with it though,  
because ssh works if I remove the reverse proxies, just without  
prompting for the ldap password.

So... Any ideas?
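As an added example (not from the original mail, and not Apache's own code), a small Python probe that sends the same CONNECT the ssh client above sends, over TLS to the proxy with Basic credentials, and reports the status code the proxy answers with, so an admin can check whether AllowCONNECT is honoured without involving ssh at all. The proxy address, credentials and tunnel target are placeholders to be replaced.

```python
import base64
import socket
import ssl


def build_connect_request(target_host, target_port, user=None, password=None):
    """CONNECT as an ssh-over-HTTPS-proxy client sends it; Basic creds satisfy <Proxy *> Require valid-user."""
    lines = [
        f"CONNECT {target_host}:{target_port} HTTP/1.1",
        f"Host: {target_host}:{target_port}",
        "Proxy-Connection: Keep-Alive",
    ]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_status(response):
    """Status code from the proxy's reply, or None if it is not an HTTP status line."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe_connect(proxy_host, proxy_port, target_host, target_port,
                  user=None, password=None, verify=True, timeout=10):
    """TLS to the proxy, send CONNECT, return the status it answers with:
    200 = tunnel open (AllowCONNECT honoured), 403 = the 'Proxy Error' seen
    above, 407 = the proxy wants credentials first."""
    ctx = ssl.create_default_context()
    if not verify:  # e.g. a self-signed default-ssl certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
        tls.sendall(build_connect_request(target_host, target_port, user, password))
        buf = b""
        while b"\r\n\r\n" not in buf:  # read only up to the end of the headers
            chunk = tls.recv(4096)
            if not chunk:
                break
            buf += chunk
        return parse_proxy_status(buf)


# Constructed sample: the reply the ssh client in the post received.
SAMPLE_403 = (b"HTTP/1.1 403 Proxy Error\r\n"
              b"Date: Thu, 06 Aug 2009 17:16:26 GMT\r\n"
              b"Content-Length: 396\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n")
```

Against a live proxy, something like probe_connect("proxy.example.com", 443, "vm1.internal", 22, "user", "secret", verify=False) (all placeholder values) returns 200 when the tunnel is granted and 403 when the port check in mod_proxy_connect.c rejects it.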