[Bug 65633] New: mod_authnz_ldap doesn't support SASL EXTERNAL bind to ldap
https://bz.apache.org/bugzilla/show_bug.cgi?id=65633 Bug ID: 65633 Summary: mod_authnz_ldap doesn't support SASL EXTERNAL bind to ldap Product: Apache httpd-2 Version: 2.5-HEAD Hardware: All OS: All Status: NEW Severity: enhancement Priority: P2 Component: mod_authnz_ldap Assignee: bugs@httpd.apache.org Reporter: chec...@d6.com Target Milestone: --- Hi, mod_authnz_ldap doesn't support httpd connecting to LDAP servers that require SASL EXTERNAL authentication using certificates (which provide the binddn implicitly). If there's a binddn specified with AuthLDAPBindDN it tries to use a password, if no binddn it tries anonymous. There are a couple related very old bug reports: https://bz.apache.org/bugzilla/show_bug.cgi?id=55178 This is on the mod_auth_ldap module, and had the problem of using the _s synchronous sasl bind function. https://bz.apache.org/bugzilla/show_bug.cgi?id=48780 This one is about allowing clients to use certificates, not httpd using certs to connect. I'm thinking about adding this to my local version of mod_authnz_ldap to support some features on my site using ldap-attribute queries. If you guys are interested in a patch to add this long-requested-but-obviously-not-that-high-priority feature, I can do it "right," if not I'll probably hack it a bit since it'll just be for me. Let me know! Thanks, Chris -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #7 from Yann Ylavic --- (In reply to Ruediger Pluem from comment #6) > > I tend to say yes as it should sent a FIN back to close the connection. Right because without this FIN/ACK there is no way for the proxy to determine whether the last packet sent was received by the peer (besides looking at the sequence number of the RST, which we don't have access to at mod_proxy level..). So it may be an error or not. Maybe a SetEnv "proxy-tunnel-no-error-for-rst-on-fin" (or alike) could forcibly control whether we tolerate a RST on a FIN-ed connection, though it's for the final status in access log "only" (it won't change anything from the tunneling POV). -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #6 from Ruediger Pluem --- (In reply to Pavel Mateja from comment #5) > Created attachment 38070 [details] > trace for one 500 request > > And there we have proxy trace for this one. > Is it bug in client then? I tend to say yes as it should sent a FIN back to close the connection. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65632] ProxyPreserveHost on is not preserving original request Host header value with ProxyRequests on
https://bz.apache.org/bugzilla/show_bug.cgi?id=65632 Ruediger Pluem changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #1 from Ruediger Pluem --- The behavior in 2.4.12 was wrong. According to RFC7230 5.4: When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target. A proxy that forwards such a request MUST generate a new Host field-value based on the received request-target rather than forward the received Host field-value. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65628] AH00051 - [core:notice] [pid 117745:tid 140692937303872] AH00051: child pid 117751 exit signal Segmentation fault (11), possible coredump in /opt/app/t1c1w177/opt/app/apache
https://bz.apache.org/bugzilla/show_bug.cgi?id=65628 --- Comment #4 from Ruediger Pluem --- Thanks. In gdb please issue the following commands: thread 1 frame 3 print *r print *(r->connection) print *(r->connection->conn_config) -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #5 from Pavel Mateja --- Created attachment 38070 --> https://bz.apache.org/bugzilla/attachment.cgi?id=38070&action=edit trace for one 500 request And there we have proxy trace for this one. Is it bug in client then? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #4 from Pavel Mateja --- Created attachment 38069 --> https://bz.apache.org/bugzilla/attachment.cgi?id=38069&action=edit filtered tcpdump output of one request returning 500 I can see the client sent RST after it got FIN from proxy in tcpdump output. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65627] apache httpd segfault on child exit
https://bz.apache.org/bugzilla/show_bug.cgi?id=65627 Jean Traullé changed: What|Removed |Added CC||jtrau...@opencomp.fr -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65632] New: ProxyPreserveHost on is not preserving original request Host header value with ProxyRequests on
https://bz.apache.org/bugzilla/show_bug.cgi?id=65632 Bug ID: 65632 Summary: ProxyPreserveHost on is not preserving original request Host header value with ProxyRequests on Product: Apache httpd-2 Version: 2.4.46 Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: mod_proxy Assignee: bugs@httpd.apache.org Reporter: jpastus...@protonmail.com Target Milestone: --- I am having a problem with ProxyPreserveHost after upgrading from 2.4.12 to 2.4.46. # ProxyPreserveHost on ProxyRequests on AllowOverride None Require all granted ProxyPreserveHost On RequestHeader set Host_Host "expr=%{HTTP:Host}" RequestHeader set Host_Host2 "expr=%{HTTP_HOST}" ## Request GET http://foo.example.net:80/hello/ HTTP/1.1 Host: bar.example.net ## Proxy request GET /hello/ HTTP/1.1 Host: foo.example.net:80 Host_Host: foo.example.net:80 Host_Host2: foo.example.net:80 # ProxyPreserveHost off ProxyRequests on AllowOverride None Require all granted ProxyPreserveHost Off RequestHeader set Host_Host "expr=%{HTTP:Host}" RequestHeader set Host_Host2 "expr=%{HTTP_HOST}" ## Request GET http://foo.example.net:80/hello/ HTTP/1.1 Host: bar.example.net ## Proxy request GET /hello/ HTTP/1.1 Host: foo.example.net Host_Host: foo.example.net:80 Host_Host2: foo.example.net:80 # The problem When ProxyPreserveHost is on the value of the Host header proxy request should be bar.example.net (like Host header in the original request). Also in both cases the HTTP:Host and HTTP_HOST variables were rewritten based on the host in the URL. It looks like the request Host header is rewritten to the content of the URL before ProxyPreserveHost has a chance to set it. This was working correctly with httpd 2.4.12. The only workaround I found was to have the upstream server (Varnish in my case) preserve the value of the Host request header under different name (e.g. X-Host) and then use ProxyPreserveHost on with RequestHeader set Host "expr=%{HTTP:X-Host}". -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #3 from Ruediger Pluem --- (In reply to Pavel Mateja from comment #2) > > But those 500 in logs are still present. > I've tried older Apache versions and I don't see them with 2.4.46. I guess the 500 happens to be logged if one side shuts down the connection not with a regular FIN but with a RST. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65631] Proxy CONNECT error 500
https://bz.apache.org/bugzilla/show_bug.cgi?id=65631 --- Comment #2 from Pavel Mateja --- Hi Yann, you are right. One of our applications did not close sockets after proxied requests properly. I was able to see long lasting connections in FIN_WAIT2 state but still assigned to Apache's PID. Like tcp 0 0 AB.XYZ.49.8:8080 AB.XXX.48.134:53119 FIN_WAIT2 109016/httpd instead of just tcp 0 0 AB.XYZ.49.8:8080 AB.XXX.48.134:1916 FIN_WAIT2 - In such case kernel won't clean them up. I can see AH10212: proxy: CONNECT: tunnel running (timeout -1.00) in debug log. Which configuration parameter sets this timeout nowadays? ProxyTimeout did not do the trick. This was just fixed on application side and such connections are no more. But those 500 in logs are still present. I've tried older Apache versions and I don't see them with 2.4.46. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65628] AH00051 - [core:notice] [pid 117745:tid 140692937303872] AH00051: child pid 117751 exit signal Segmentation fault (11), possible coredump in /opt/app/t1c1w177/opt/app/apache
https://bz.apache.org/bugzilla/show_bug.cgi?id=65628 --- Comment #3 from VINAY S --- Created attachment 38068 --> https://bz.apache.org/bugzilla/attachment.cgi?id=38068&action=edit Complete thread log file Please find the complete thread log file -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65628] AH00051 - [core:notice] [pid 117745:tid 140692937303872] AH00051: child pid 117751 exit signal Segmentation fault (11), possible coredump in /opt/app/t1c1w177/opt/app/apache
https://bz.apache.org/bugzilla/show_bug.cgi?id=65628 --- Comment #2 from Ruediger Pluem --- (In reply to VINAY S from comment #1) > Created attachment 38067 [details] > Core dump file Please provide the full output. You only provided full output from one thread and that thread did not cause the crash. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 65628] AH00051 - [core:notice] [pid 117745:tid 140692937303872] AH00051: child pid 117751 exit signal Segmentation fault (11), possible coredump in /opt/app/t1c1w177/opt/app/apache
https://bz.apache.org/bugzilla/show_bug.cgi?id=65628 --- Comment #1 from VINAY S --- Created attachment 38067 --> https://bz.apache.org/bugzilla/attachment.cgi?id=38067&action=edit Core dump file -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org