httpd-users mailing list archives

From Michele Marcionelli <michele.marcione...@math.ethz.ch>
Subject Re: [users@httpd] Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Date Fri, 21 Oct 2005 06:59:24 GMT
Hello,

I run into exactly the same problem, but with a different architecture:

Red Hat Enterprise Linux AS release 3+4
Apache 2.0.55
OpenSSL  0.9.7a

I'm also using Apache as an SSL proxy for a Zope server, and some
operations, especially with FORMs, don't work anymore.

Thanks for any feedback,
Michele

On 20.10.2005, at 18:06, Manuel Martin wrote:
> Hello people,
>
> since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I set up for MS
> Exchange 2003 Outlook Web Access makes problems. The users stumbled over the
> problem that they cannot attach files to their emails. I tried it myself: the
> attachment seems to be uploaded to the server, but is not "registered" by
> Exchange.
> If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache a while back to make
> that compilation possible) it works fine again.
> I really suspect this change to be the culprit:
> "SECURITY: CAN-2005-2088 (cve.mitre.org)
>      proxy: Correctly handle the Transfer-Encoding and Content-Length
>      headers.  Discard the request Content-Length whenever T-E: chunked
>      is used, always passing one of either C-L or T-E: chunked whenever
>      the request includes a request body.  Resolves an entire class of
>      proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]"
>
> Has anyone run or _not_ run into this problem with this configuration?
>
> Here's part of the conf:
>
> LoadModule proxy_module modules/mod_proxy.so
> ProxyRequests Off
> LoadModule proxy_http_module modules/mod_proxy_http.so
> <VirtualHost _default_:443>
> 	ServerName owa.server
> 	SSLEngine On
> 	SSLProxyEngine on
> 	ProxyVia On
> 	ProxyPass / https://owa.server
> 	ProxyPassReverse / https://owa.server
> 	SSLCertificateKeyFile c:/apache/conf/ssl/owa.pem
> 	SSLCertificateFile c:/apache/conf/ssl/owa.crt
> 	CustomLog "|c:/apache/bin/rotatelogs.exe c:/log/%Y%m%d_owa.log 86400" combined
> 	<Location />
> 		Allow from All
> 		AuthType Basic
> 		AuthName "OWA"
> 		AuthUserFile conf/owa-passwords
> 		Require valid-user
> 	</Location>
> </VirtualHost>
>
> The internal IP of "owa.server" is set up in the hosts file to facilitate the
> generation of correct URLs by Exchange (as suggested in
> http://www.soft-land.org/articoli/exch).
>
> Regards, Manuel Martin
-- 
michele.marcionelli@math.ethz.ch / phone: +41 44 632 6193
eth zentrum / hg g 14 / raemistrasse 101 - ch-8092 zurich
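
The header rule from the CAN-2005-2088 changelog entry quoted in this message, sketched as an added Python example (not code from httpd or from either poster). Function names and the sample requests are constructed for illustration; rejecting conflicting Content-Length values and non-chunked transfer codings is an assumption that goes beyond what the changelog states.

```python
# Added illustration; names are hypothetical, not httpd internals.

def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into request line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("ascii"), value.strip().decode("latin-1")))
    return lines[0].decode("ascii"), headers, body


def normalize_framing(headers):
    """Return (headers_to_forward, notes) with exactly one framing header
    when the request carries a body: T-E: chunked wins over Content-Length."""
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if any(c != "chunked" for c in codings):
        raise ValueError("unsupported transfer coding")  # assumption of this sketch
    out = [(n, v) for n, v in headers
           if n.lower() not in ("transfer-encoding", "content-length")]
    notes = []
    if codings:  # chunked: the request Content-Length is discarded
        if cl:
            notes.append("discarded Content-Length %s (T-E: chunked present)" % ",".join(cl))
        out.append(("Transfer-Encoding", "chunked"))
    elif cl:
        if len(set(cl)) > 1:
            raise ValueError("conflicting Content-Length values")  # assumption
        out.append(("Content-Length", cl[0]))
    return out, notes


# Constructed sample requests (not captured traffic).
BOTH = (b"POST /upload HTTP/1.1\r\nHost: owa.server\r\n"
        b"Content-Length: 15\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\n\r\n")
PLAIN = (b"POST /upload HTTP/1.1\r\nHost: owa.server\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for raw in (BOTH, PLAIN):
        line, headers, _ = split_request(raw)
        forwarded, notes = normalize_framing(headers)
        print(line, forwarded, notes)
```

The notes list is the part worth logging on a reverse proxy: a request that arrives with both headers is the ambiguous case the changelog entry addresses.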

