Discussion:
[Bug 37355] Allow to specify Proxy-Authorization in ProxyRemote
b***@apache.org
2015-03-19 23:55:25 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=37355

--- Comment #10 from ***@hotmail.com ---
Hello:

I have the same problem in a server in which we are using a squid, the version
of the apache is 2.2.14. My Operating System is SLES 11 SP3, can I apply the
patch uploaded by Francois Leurent, or is there another?

Many Thanks!
Victor
--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org
b***@apache.org
2015-03-31 09:08:12 UTC

Niels Haar <***@adrodev.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@adrodev.de

b***@apache.org
2015-04-21 08:56:33 UTC

Michael Göhler <***@gmx.de> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@gmx.de

--- Comment #11 from Michael Göhler <***@gmx.de> ---
Created attachment 32670
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32670&action=edit
mod_proxy 2.4.12 error_log

Hi Hendrik,

I applied your patch for 2.4.10 and still observe a strange behavior in our
scenario:

client -> mod_proxy 2.4.12 -> squid -> IIS 8.5

Here's my config:

LogLevel debug
<VirtualHost *:80>
ServerName my.server.name
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyRemote https http://proxyhost:8080
ProxyPass / https://foreign.https.server/
ProxyPassReverse / https://foreign.https.server/
</VirtualHost>

Every request after 120 sec idle returns a HTTP 502. Subsequent connections
work as expected, if there is no delay of >120 sec.

error_log content attachment.

Suggestions very appreciated.

Many Thanks,
Michael

b***@apache.org
2015-04-22 08:55:08 UTC

--- Comment #12 from Hendrik Harms <***@gmail.com> ---
(In reply to Michael Göhler from comment #11)
> client -> mod_proxy 2.4.12 -> squid -> IIS 8.5
> ProxyRemote https http://proxyhost:8080

You don't need this patch for your setup - no user/password is configured in
ProxyRemote. Only the patches of Bug 57139 and maybe of Bug 55892 are needed
for your setup.

> Every request after 120 sec idle returns a HTTP 502. Subsequent connections
> work as expected, if there is no delay of >120 sec.

The 502 usually indicates a problem during establishing the TCP connection.
What does the squid do with idle connections? Do you have a firewall in your
setup or other routing devices dropping their routing information without
TCP-close after an idle timeout?

b***@apache.org
2015-04-24 15:03:01 UTC

--- Comment #13 from Michael Göhler <***@gmx.de> ---
(In reply to Hendrik Harms from comment #12)

Thanks for your reply!

> You don't need this patch for your setup - no user/password is configured in
> ProxyRemote. Only the patches of Bug 57139 and maybe of Bug 55892 are
> needed for your setup.

I know. It was just the easiest way to combine both.

> The 502 usually indicates a problem during establishing the TCP connection.
> What does the squid do with idle connections? Do you have a firewall in your
> setup or other routing devices dropping their routing information without
> TCP-close after an idle timeout?

I have a 120 sec. timeout on squid which matches what we see.

The Apache correctly identifies the connection as stale and reestablishes it.
AH00951: HTTPS: backend socket is disconnected.
AH00949: send_http_connect: response from the forward proxy: HTTP/1.0 200
Connection established

It seems to be an SSL handshake issue, as

the second request logs:
[ssl:info] AH01964: Connection to child 0 established (server
my.server.name:80)
[ssl:debug] ssl_engine_kernel.c(1378): AH02275: Certificate Verification ...

while the first logs:
[ssl:info] AH01964: Connection to child 0 established (server
my.server.name:80)
[ssl:info] AH02003: SSL Proxy connect failed

I'll go for some LogLevel=trace3 logs, as the error seems to happen in
SSL_connect().

Just a side-note:
Are you aware of the discussion in Bug 55892? They decided to go without the
force-proxy-request-1.0 condition, which is still part of your patch.

b***@apache.org
2015-04-28 11:33:44 UTC

--- Comment #14 from Michael Göhler <***@gmx.de> ---
(In reply to Michael Göhler from comment #13)

Solved my issue using
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1

b***@apache.org
2015-07-28 21:46:28 UTC

William A. Rowe Jr. <***@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Severity|normal |enhancement
Status|NEW |NEEDINFO

--- Comment #15 from William A. Rowe Jr. <***@apache.org> ---
Hello again Hendrik.

Glad we were able to get PR 55892 addressed now in 2.4 (and 2.2).

AIUI the patch above (2015-01-10) addressed both https: CONNECT remoting as
well as auth. I would expect some redundancy/collision there?

Looking at the changes, I'm uncertain of whether the group would entertain any
API changes to mod_proxy.h for feature enhancements such as changing the args
list for auth. Third party module authors need binary stability between
subversion releases, and that would include those writing any mod_proxy
framework participants.

If there was a way to store/pass this info without altering the API, it's much
more likely to be applied to 2.4. I was prepared to refactor your patch for
trunk/2.4.16 changes to eliminate duplication of PR 55892 concerns, and commit
to trunk, but I'm looking for your thoughts before proceeding. Thank you for
the submissions and for fighting the good fight of getting these changes into
httpd!

b***@apache.org
2015-07-31 10:02:43 UTC

Hendrik Harms <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

--- Comment #16 from Hendrik Harms <***@gmail.com> ---
(In reply to William A. Rowe Jr. from comment #15)
> Glad we were able to get PR 55892 addressed now in 2.4 (and 2.2).

Thank you for this - I have already found it in 2.4.16 :-)

> AIUI the patch above (2015-01-10) addressed both https: CONNECT remoting as
> well as auth. I would expect some redundancy/collision there?

I don't see a redundancy or collision between CONNECT remote and proxy
authentication.
I've built this patch because I need a setup described in Bug 55892:
The backend of my apache reverse proxy is placed behind a http forward proxy.
This forward proxy requires a proxy authentication (HTTP-407) and the backend
requires https. The clients sending requests to my reverse proxy should not
know anything about this setup, especially the needed proxy authentication. This
should be covered by the reverse proxy.
As described somewhere in the RFCs it should be possible to configure the proxy
authentication as a hop-to-hop header. So the ReverseProxy should be able to
authenticate itself to the forward proxy.
A forward proxy could be defined by the ProxyRemote config directive. So I
thought it was a good idea to enhance this config directive by an optional

> Looking at the changes, I'm uncertain of whether the group would entertain
> any API changes to mod_proxy.h for feature enhancements such as changing the
> args list for auth. Third party module authors need binary stability between
> subversion releases, and that would include those writing any mod_proxy
> framework participants.

Yes, unfortunately my patch will kill the compatibility of some third party
modules :-(
But I think the best place to store and transfer this authentication info should be
very close to the other attributes defining the forward proxy (hostname, port,
... + auth), because they belong together.

> If there was a way to store/pass this info without altering the API, it's
> much more likely to be applied to 2.4.

If the API change is not possible in 2.4 we should flag it for 2.6 and think
about a workaround in 2.4

> I was prepared to refactor your
> patch for trunk/2.4.16 changes to eliminate duplication of PR 55892
> concerns, and commit to trunk, but I'm looking for your thoughts before
> proceeding. Thank you for the submissions and for fighting the good fight
> of getting these changes into httpd!

HTH - never give up ;-)

b***@apache.org
2015-07-31 10:42:57 UTC

--- Comment #17 from Hendrik Harms <***@gmail.com> ---
Created attachment 32948
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32948&action=edit
patch for modules/proxy of httpd-2.4.16

Patches for Bug 55892 and Bug 57139 are applied to 2.4.16 - so they are not
part of this patch anymore.

b***@apache.org
2015-08-06 20:31:28 UTC

--- Comment #18 from William A. Rowe Jr. <***@apache.org> ---
Thank you for the revised patch. It is easier for the core developers to read
a small dedicated patch that addresses just a single issue at a time, even if
that means there is a set of several patches to get to the desired outcome.

Here's one proposal that wouldn't require API changes.

If we added a 407 handler extension of some sort, we would be able to handle
specific backend challenges for auth credentials in a unified way. If we
stored the credentials in an auth challenge table, we could eventually support
other auth methods, including digest or even cookie based auth.

The syntax of the ProxyRemote directive still changes, but the scheme://host
would be split from the auth user:pass and stored in two different mechanisms.

The only downside is whether users in practice would want to identify a
particular proxy use by use case. While we can keep different stores of auth
tuples by virtual host, further differentiation might prove troublesome.

Thoughts?
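
Added example, not part of the original thread or of any attached patch: a Python sketch of the behaviour discussed in comments #16 and #18, where the forward-proxy endpoint is split from its user:pass and the credentials are sent only on the CONNECT hop, never to the backend. The credentials-in-URL form, all function names and the sample credentials are assumptions made for illustration; they are not httpd's directive syntax or API.

```python
import base64
from urllib.parse import urlsplit, unquote

# Proxy-* auth headers are hop-by-hop: they belong to one proxy hop only.
HOP_BY_HOP = {"proxy-authorization", "proxy-authenticate"}


def split_proxy_remote(url):
    """Split 'http://user:pass@host:port' into ((host, port), creds-or-None).

    Credentials inside the URL are an assumed syntax for this example.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected http://[user:pass@]host[:port]")
    creds = None
    if parts.username is not None:
        creds = (unquote(parts.username), unquote(parts.password or ""))
    return (parts.hostname, parts.port or 80), creds


def basic_proxy_authorization(user, password):
    """Build the Basic credentials value (RFC 7617) for Proxy-Authorization."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user + password):
        raise ValueError("control characters are not allowed in credentials")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def connect_request(backend_host, backend_port, creds):
    """CONNECT sent to the forward proxy; the only place credentials appear."""
    target = f"{backend_host}:{backend_port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if creds is not None:
        lines.append("Proxy-Authorization: " + basic_proxy_authorization(*creds))
    return "\r\n".join(lines) + "\r\n\r\n"


def backend_headers(client_headers):
    """Headers sent to the backend inside the tunnel, minus proxy-hop headers."""
    return {k: v for k, v in client_headers.items()
            if k.lower() not in HOP_BY_HOP}


if __name__ == "__main__":
    # Constructed sample values; proxyhost and foreign.https.server are the
    # placeholder names used in the configuration earlier in the thread.
    endpoint, creds = split_proxy_remote("http://proxyuser:s3cret@proxyhost:8080")
    print(endpoint)
    print(connect_request("foreign.https.server", 443, creds), end="")
    print(backend_headers({"Accept": "*/*", "Proxy-Authorization": "Basic eA=="}))
```

Keeping the endpoint and the credentials as separate values also makes it easy to log or display the endpoint without exposing the password.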

b***@apache.org
2015-09-17 09:37:54 UTC

--- Comment #19 from ***@gmail.com ---
Apologies for the ignorance here, after googling I came across this patch and
it is exactly what I need....but how do I get this change into my mod_proxy.so
file??

b***@apache.org
2016-09-19 07:10:05 UTC

--- Comment #20 from Hendrik Harms <***@gmail.com> ---
Created attachment 34271
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34271&action=edit
patch for modules/proxy of httpd-2.4.23

b***@apache.org
2016-09-19 07:12:48 UTC

--- Comment #21 from Hendrik Harms <***@gmail.com> ---
Pardon - it's still the same kind of patch like those before

b***@apache.org
2016-12-28 18:26:23 UTC

--- Comment #22 from Mathieu CARBONNEAUX <info-bz-***@ch2o.info> ---
Adding proxy credentials in ProxyRemote makes it possible to chain proxies with
different authentication from front to back in chaining proxy and makes it
possible to use an authenticated proxy on the backend proxy...

When will they be integrated in the latest http 2.4 version?

b***@apache.org
2017-03-02 11:24:19 UTC

Szőgyényi Gábor <***@freemail.hu> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@freemail.hu

b***@apache.org
2018-04-26 08:06:49 UTC

--- Comment #23 from Chris <***@gmail.com> ---
Created attachment 35893
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35893&action=edit
patch for modules/proxy of httpd-2.4.33

Hi there,
based on the previous patches in this thread I created a new version which
works for httpd-2.4.33.
Have a nice day,
Chris

b***@apache.org
2018-11-07 21:09:28 UTC

William A. Rowe Jr. <***@apache.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |LATER
Keywords| |MassUpdate

--- Comment #24 from William A. Rowe Jr. <***@apache.org> ---
Please help us to refine our list of open and current defects; this is a mass
update of old and inactive Bugzilla reports which reflect user error, already
resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all
development and patch review of the 2.2.x series of releases. The final release
2.2.34 was published in July 2017, and no further evaluation of bug reports or
security risks will be considered or published for 2.2.x releases. All reports
older than 2.4.x have been updated to status RESOLVED/LATER; no further action
is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd
feature, an unexpected server behavior, problems building or installing httpd,
or working with an external component (a third party module, browser etc.) we
ask you to start by bringing your question to the User Support and Discussion
mailing list, see [https://httpd.apache.org/lists.html#http-users] for details.
Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that
you retest using a modern httpd release (2.4.33 or later) released in the past
year. If it can be reproduced, please reopen this bug and change the Version
field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the
current httpd server software release is greatly appreciated.

b***@apache.org
2018-11-09 22:08:07 UTC

Christophe JAILLET <***@wanadoo.fr> changed:

What |Removed |Added
----------------------------------------------------------------------------
Version|2.0.55 |2.4.33

--- Comment #25 from Christophe JAILLET <***@wanadoo.fr> ---
Looks like this one is still valid on 2.4.x branch.
Re-opening and setting version to what is said in comment 23

b***@apache.org
2018-12-03 10:29:43 UTC

Hendrik Harms <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|LATER |---

--- Comment #26 from Hendrik Harms <***@gmail.com> ---
this enhancement is still open for 2.4.33 and later