https://bz.apache.org/bugzilla/show_bug.cgi?id=69906
Bug ID: 69906
Summary: using an httpS ProxyRemote remote-server does not send
the CONNECT encrypted
Product: Apache httpd-2
Version: 2.4.66
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_connect
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Using this configuration, the code from apache 2.4.66 sends the CONNECT request
unencrypted, but it shouldn't, because myproxy is an https URL, whatever
destination the client calls.
RequestHeader set Proxy-Authorization "Basic xxx"
# Chain to HTTPS proxy with basic authentication
ProxyRemote * https://myproxy:443
Since my proxy tenant instance is behind a LoadBalancer, this fails with a
404.
It is clear in mod_proxy_connect.c that ssl_engine was disabled.
I managed to fix it by iterating with Copilot, here is the resulting diff that
seems to work.
The following diff, which is pretty small, provides proper TLS and the SNI
hostname, and works with my configuration above, but unfortunately doesn't work
with the syntax
ProxyRemote * https://myproxy:443 username:password
Should I submit a merge request somewhere?
Thank you, regards.
Emmanuel Courreges from Orange.
diff --color httpd-2.4.66/modules/proxy/mod_proxy.c
httpd-2.4.66-mod/modules/proxy/mod_proxy.c
1417,1420c1417,1418
< access_status = proxy_run_scheme_handler(r, worker,
< conf, url,
<
ents[i].hostname,
< ents[i].port);
---
> /* Pass the remote proxy protocol (http/https) to the handler
> */
> apr_table_set(r->notes, "proxy-remote-protocol",
> ents[i].protocol);
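Review bot: the note key "proxy-remote-protocol" is a bare string literal that has to match byte for byte in mod_proxy.c and mod_proxy_connect.c (it appears three times across this patch); define it once in mod_proxy.h and use that macro in both modules, so a typo cannot silently leave the CONNECT in cleartext. Minor style point: the closing `*/` on its own line does not match the one-line comment style of the surrounding code.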
1422c1420,1424
< if (ents[i].creds) apr_table_unset(r->notes,
"proxy-basic-creds");
---
> access_status = proxy_run_scheme_handler(r, worker,
> conf, url,
> ents[i].hostname,
> ents[i].port);
> apr_table_unset(r->notes, "proxy-remote-protocol");
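Review bot: clearing "proxy-remote-protocol" unconditionally right after the handler returns is correct (a following iteration re-sets it before the next call), but this hunk and the next interleave the two note lifetimes: `proxy-basic-creds` is set before the call in the existing code, `proxy-remote-protocol` is set just above, and the unsets end up in the opposite order. Set both notes together before `proxy_run_scheme_handler` and clear both together after it so each note's lifetime is visible at a glance.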
1423a1426,1427
> if (ents[i].creds) apr_table_unset(r->notes,
> "proxy-basic-creds");
>
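Review bot: the final `>` line adds a stray blank line after the re-added creds unset; drop it so the hunk is limited to the functional reordering.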
diff --color httpd-2.4.66/modules/proxy/mod_proxy_connect.c
httpd-2.4.66-mod/modules/proxy/mod_proxy_connect.c
276c276,295
< ap_proxy_ssl_engine(backconn, r->per_dir_config, 0);
---
>
> /* Check if we need SSL for the connection to the remote proxy */
> if (proxyname) {
> const char *remote_protocol = apr_table_get(r->notes,
> "proxy-remote-protocol");
> if (remote_protocol && ap_cstr_casecmp(remote_protocol, "https") ==
> 0) {
> ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
> "enabling SSL for HTTPS remote proxy connection to
> %s", connectname);
>
> /* Set SNI hostname for the TLS handshake */
> apr_table_setn(backconn->notes, "proxy-request-hostname",
> connectname);
>
> ap_proxy_ssl_engine(backconn, r->per_dir_config, 1);
> }
> else {
> ap_proxy_ssl_engine(backconn, r->per_dir_config, 0);
> }
> }
> else {
> ap_proxy_ssl_engine(backconn, r->per_dir_config, 0);
> }
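Review bot: the return value of `ap_proxy_ssl_engine(backconn, r->per_dir_config, 1)` is ignored; if mod_ssl is not loaded or the engine cannot be enabled on this connection, execution falls through and the CONNECT goes out unencrypted, which is exactly the failure this bug reports. Check the result and fail the request with HTTP_INTERNAL_SERVER_ERROR (with an `ap_log_rerror` at APLOG_ERR) rather than continuing. The three identical `ap_proxy_ssl_engine(..., 0)` branches also collapse into one call if the decision is computed first, e.g.
`const char *rp = proxyname ? apr_table_get(r->notes, "proxy-remote-protocol") : NULL;`
`int use_ssl = rp && ap_cstr_casecmp(rp, "https") == 0;`
followed by a single `ap_proxy_ssl_engine(backconn, r->per_dir_config, use_ssl);`. Since TLS is now negotiated here, the `SSLProxy*` settings in `r->per_dir_config` govern verification of the remote proxy's certificate; that is worth stating in the ProxyRemote documentation when this lands.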
307a327
> const char *proxy_auth;
313c333,344
< "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
---
> "Proxy-agent: %s" CRLF, ap_get_server_banner());
>
> /* Forward Proxy-Authorization header if present */
> proxy_auth = apr_table_get(r->headers_in, "Proxy-Authorization");
> if (proxy_auth) {
> ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
> "forwarding Proxy-Authorization header");
> ap_fprintf(backconn->output_filters, bb,
> "Proxy-Authorization: %s" CRLF, proxy_auth);
> }
>
> ap_fprintf(backconn->output_filters, bb, CRLF);
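Review bot: the forwarded credential is read from the client's own request (`r->headers_in`) rather than from the `proxy-basic-creds` note that the mod_proxy.c hunks show being set from the `ProxyRemote ... username:password` form, which is why that syntax does not work with this patch and why the `RequestHeader set Proxy-Authorization` workaround is needed. Read that note here first, and only fall back to the client-supplied header deliberately; as written, every client's `Proxy-Authorization` is relayed verbatim to the upstream proxy (including over a plain `http://` ProxyRemote), so a forward-proxy deployment leaks its own users' proxy credentials to the next hop. Splitting the original `CRLF CRLF` into the header line plus a final `ap_fprintf(..., CRLF)` is fine.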