Discussion:
[Bug 55892] ProxyRemote with HTTPS backend sends requests with absoluteURI instead of abs_path
b***@apache.org
2015-02-27 00:08:46 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=55892

--- Comment #4 from William A. Rowe Jr. <***@apache.org> ---
This assessment is correct. http://tools.ietf.org/html/rfc7230#section-5.3 is
controlling. Reviewing your proposed patch.

Scenario;

outward.example.com
- Gateway, reverse proxy
- ProxyRemote http://{targetServer} http://proxy1.example.com
- ProxyRemote https://{targetServer} http://proxy1.example.com
- ProxyPass /foo http://{targetServer}/foo
- ProxyPass /bar https://{targetServer}/bar

proxy1.example.com
- At DMZ, faces outward.example.com and behind firewall
- http:// request seen as proxy GET http://targetServer/foo/ absolute-form
- https:// request seen as proxy CONNECT targetServer authority-form

targetServer
- for http from proxy1.example.com, proxy1 has truncated URI to origin-form /foo
- for https from outward.example.com through proxy1 tunnel, outward failed
to truncate URI from https://targetServer/bar/ absolute-form to origin-form
of simply /bar/ (outward is a tunnel, it has no visibility into the tunneled
SSL stream's contents).
--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-***@httpd.apache.org
For additional commands, e-mail: bugs-***@httpd.apache.org
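
The request-target forms in the scenario above, as an added C example that is not part of the bug thread or httpd's source. `classify_target` applies RFC 7230 section 5.3; `backend_target` and `struct backend` are hypothetical names, and the `fixed` flag switches between the original `!proxyname` test and the `!proxyname || conn->is_ssl` condition discussed in this thread.

```c
#include <stdio.h>
#include <string.h>

enum form { ORIGIN_FORM, ABSOLUTE_FORM, AUTHORITY_FORM, ASTERISK_FORM };

/* Constructed stand-in for a parsed backend URL (not httpd's apr_uri_t). */
struct backend { const char *scheme, *host, *path, *query; };

/* Classify a request-target per RFC 7230 section 5.3. */
enum form classify_target(const char *target)
{
    if (strcmp(target, "*") == 0) return ASTERISK_FORM;
    if (target[0] == '/')         return ORIGIN_FORM;
    if (strstr(target, "://"))    return ABSOLUTE_FORM;
    return AUTHORITY_FORM;        /* host:port, used with CONNECT only */
}

/* Request-target the gateway writes for the backend request itself (for an
 * SSL backend, the request sent inside the CONNECT tunnel). proxyname is the
 * ProxyRemote host or NULL. fixed != 0 selects "!proxyname || is_ssl";
 * fixed == 0 keeps the original "!proxyname" test. Hypothetical helper. */
int backend_target(char *buf, size_t n, const struct backend *b,
                   const char *proxyname, int is_ssl, int fixed)
{
    int origin = fixed ? (!proxyname || is_ssl) : !proxyname;
    const char *sep = b->query ? "?" : "";
    const char *q = b->query ? b->query : "";

    if (origin)   /* receiver is the origin server: path and query only */
        return snprintf(buf, n, "%s%s%s", b->path, sep, q);
    return snprintf(buf, n, "%s://%s%s%s%s", b->scheme, b->host, b->path, sep, q);
}

int main(void)
{
    /* Constructed backends matching the /foo and /bar ProxyPass lines. */
    struct backend foo = { "http",  "targetServer", "/foo/", NULL };
    struct backend bar = { "https", "targetServer", "/bar/", NULL };
    char t[256];

    for (int fixed = 0; fixed <= 1; fixed++) {
        backend_target(t, sizeof t, &foo, "proxy1.example.com", 0, fixed);
        printf("fixed=%d http via proxy1:  %s\n", fixed, t);
        backend_target(t, sizeof t, &bar, "proxy1.example.com", 1, fixed);
        printf("fixed=%d https in tunnel: %s\n", fixed, t);
    }
    return 0;
}
```
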
b***@apache.org
2015-02-27 09:19:18 UTC

--- Comment #5 from Yann Ylavic <***@gmail.com> ---
Comment on attachment 31119
--> https://bz.apache.org/bugzilla/attachment.cgi?id=31119
patch for proxy_util.c
--- modules/proxy/proxy_util.c.orig 2013-07-11 14:21:19.000000000 +0200
+++ modules/proxy/proxy_util.c 2013-12-16 16:06:36.000000000 +0100
@@ -2077,7 +2077,10 @@
* short living pool.
*/
/* are we connecting directly, or via a proxy? */
- if (!proxyname) {
+ /* handle HTTP/1.0 via SSL like direct connect */
+ if (!proxyname ||
+ (conn->is_ssl &&
+ apr_table_get(r->subprocess_env, "force-proxy-request-1.0"))) {
I think we should do this regardless of HTTP version, e.g.:
+ if (!proxyname || conn->is_ssl) {

There is no point in forwarding a full URL to the target server (even in
HTTP/1.1), it is not itself a forward proxy.
If it were, why would this work with HTTP/1.1 over SSL only, and not with
HTTP/1.0 or without SSL?
*url = apr_pstrcat(p, uri->path, uri->query ? "?" : "",
uri->query ? uri->query : "",
uri->fragment ? "#" : "",
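
Review bot: the `apr_table_get(r->subprocess_env, "force-proxy-request-1.0")` term in the new condition ties the origin-form branch to an HTTP/1.0 override, so an HTTP/1.1 request to an SSL backend reached through a ProxyRemote still skips this branch. Which request-target form to send depends on who parses the request, not on the protocol version. Consider dropping the environment test so the condition reads `if (!proxyname || conn->is_ssl) {`, and rewording the added comment `handle HTTP/1.0 via SSL like direct connect` to say why an SSL connection is treated like a direct one.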

b***@apache.org
2015-02-27 09:21:12 UTC

Yann Ylavic <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@gmail.com

b***@apache.org
2015-03-04 16:34:54 UTC

--- Comment #6 from William A. Rowe Jr. <***@apache.org> ---
Well, here's a question;

if (!proxyname || conn->is_ssl)

sounds great, unless the fact is that the ProxyRemote itself was an https://
URL?
This would be common where the proxyremote receives authentication information
that needs to be secured, e.g. an https:// CONNECT connection that then
opaquely tunnels an https:// session.

I think we need to disambiguate whether proxyname is for a CONNECT request or
target host, and base the behavior off of this.

b***@apache.org
2015-03-04 16:43:45 UTC

--- Comment #7 from William A. Rowe Jr. <***@apache.org> ---
Scratch that concern, I guess

if (!proxyname || conn->is_ssl)

is the correct patch. All https:// requests will have the origin-form of the
URI and all non-Remote'd requests will have the origin-form of the URI (also
correct).

Yann, do we have agreement to commit and push back to 2.4 (and perhaps 2.2)?

b***@apache.org
2015-03-04 16:59:53 UTC

--- Comment #8 from Yann Ylavic <***@gmail.com> ---
(In reply to William A. Rowe Jr. from comment #7)
> Yann, do we have agreement to commit and push back to 2.4 (and perhaps 2.2)?

Yes, absolutely.

b***@apache.org
2015-03-09 13:31:48 UTC

Yann Ylavic <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Keywords|PatchAvailable |FixedInTrunk

--- Comment #9 from Yann Ylavic <***@gmail.com> ---
Committed in r1665215, backport to 2.4 proposed in r1665220, to 2.2 in
r1665229.

b***@apache.org
2015-04-24 20:03:36 UTC

Yann Ylavic <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED

--- Comment #10 from Yann Ylavic <***@gmail.com> ---
Backported to 2.4.12 in r1665215.

b***@apache.org
2018-12-03 10:36:38 UTC

Hendrik Harms <***@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #11 from Hendrik Harms <***@gmail.com> ---
released with 2.4.16