httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "david micheneau" <dmichen...@in-fusio.com>
Subject RE: [users@httpd] proxy and chunk mode
Date Mon, 10 Oct 2005 16:31:47 GMT
Sorry, is not very clear:

I use in Front Apache-2.0.52 with proxy and reverse proxy to the back-end server:

Client--->Apache-proxy<-->Apache-reverse<-->backend server

The back-end server receives the request http without the content-length value. (This one
is unset)

Do we have any mark character to finish body http message in chunk mode ?

David.


-----Message d'origine-----
De : William A. Rowe, Jr. [mailto:wrowe@rowe-clan.net] 
Envoyé : lundi 10 octobre 2005 17:36
À : users@httpd.apache.org
Objet : Re: [users@httpd] proxy and chunk mode

david micheneau wrote:
> I've a trouble with the chunk mode connection pass through a proxy.
> 
> It seems that the content-length is not forwarded when you use chunk 
> mode via a proxy mode: CHANGE-LOG in :

Uhmmm... most of the time it was never there...

> *) SECURITY: CAN-2005-2088 (cve.mitre.org)
>      proxy: Correctly handle the Transfer-Encoding and Content-Length
>      headers.  *Discard the request Content-Length whenever T-E: chunked*
>      is used, always passing one of either C-L or T-E: chunked whenever 
>      the request includes a request body.  Resolves an entire class of
>      proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
> 
> But now, how we treat a http request, if we don't know the content 
> length via proxy mode ?

Transfer-Encoding: chunked.

All HTTP/1.1 servers and clients are required to support that method.
And HTTP/1.1 servers and clients are required to ignore any
Content-Length: header if Transfer-Encoding: chunked is present.

> May be a noob question but: Why Apache doesn't calculate the 
> content-length himself before to send via the proxy handler ?

It will, for HTTP/1.0 servers.

Care to provide details of a specific problem you are observing?

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message