httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Manuel Martin" <mar...@ferber-software.de>
Subject [users@httpd] Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems
Date Thu, 20 Oct 2005 16:06:26 GMT
Hello people,

since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I setup for MS
Exchange 2003 Outlook Web Access makes problems. The users stumbled over the
problem that they cannot attach files to their emails. I tried it myself: the
attachment seems to be uploaded to the server, but is not "registered" by
Exchange.
If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache while back to make
that compilation possible) it works fine again.
I really suspect this change to be the culprit:
"SECURITY: CAN-2005-2088 (cve.mitre.org)
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever 
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]"

Has anyone run or _not_ run into this problem with this configuration?

Here's part of the conf:

LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost _default_:443>
	ServerName owa.server
	SSLEngine On
	SSLProxyEngine on
	ProxyVia On
	ProxyPass / https://owa.server
	ProxyPassReverse / https://owa.server
	SSLCertificateKeyFile c:/apache/conf/ssl/owa.pem
	SSLCertificateFile c:/apache/conf/ssl/owa.crt
	CustomLog "|c:/apache/bin/rotatelogs.exe c:/log/%Y%m%d_owa.log 86400"
combined
	<Location />
		Allow from All
		AuthType Basic
		AuthName "OWA"
		AuthUserFile conf/owa-passwords
		Require valid-user
	</Location>
</VirtualHost>

The internal ip of "owa.server" is setup in the hosts file to facilitate the
generation of correct URLs by Exchange (as suggested in
http://www.soft-land.org/articoli/exch).

Regards, Manuel Martin


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message