Bug with "ProxyPass /" and mod_proxy_balancer + double-slashes (httpd-2.4.3)

2012-09-05 Thread Zisis Lianas
There seem to be some problems when trying to proxy "/" with
ProxyPass and mod_proxy_balancer.

See also:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51982
https://issues.apache.org/bugzilla/show_bug.cgi?id=51489

I could reproduce both errors in httpd-2.4.3:
  1) error 500 when configuring "ProxyPass / balancer://default"
  2) double-slash problem when backend returns 301



Sample config:

ProxyPreserveHost Off

<Proxy balancer://default>
BalancerMember http://backend1.foo:5080 route=0
BalancerMember http://backend2.foo:5080 route=1
ProxySet lbmethod=bybusyness nofailover=off stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass / balancer://default
ProxyPassReverse / balancer://default



1)
When configuring "ProxyPass / balancer://default", an error 500
occurs. When using a different ProxyPassMatch config, everything
works fine, e.g.: ProxyPassMatch ^/(.*)$ balancer://default/$1

I broke it down to mod_proxy.c::ap_proxy_trans_match().
"r->filename" resp. "found" is set to "proxy:balancer://defaultclusterjsp"
when e.g. the URL "http://mydomain.foo/clusterjsp" is called.
"r->filename" should be "proxy:balancer://default/clusterjsp".

I wrote a patch for httpd-2.4.3 (attached) - maybe someone can
review and improve it to get it finally in trunk.


2)
When the patch from 1) is applied, you will run into another problem.
On 301 from backend, a dispensable "/" will be prepended to the URI.
E.g. when you call http://mydomain.foo:8080/clusterjsp in your browser, the
redirect location will be set wrong:
Location: http://mydomain.foo:8080//clusterjsp/

This will result in session problems... (cookie path is "/clusterjsp" and
not "//clusterjsp").

See attached logfile for more details.

A patch was proposed in https://issues.apache.org/bugzilla/show_bug.cgi?id=51489
for httpd-2.4.x, which is working for me.

I did a quick check with:
u = apr_pstrcat(r->pool, (strcmp(ent[i].fake, "/") == 0 ? "" : ent[i].fake), &url[l2], NULL);




regards,
zisis


[Wed Sep 05 18:46:03.780655 2012] [core:trace5] [pid 16732:tid 14004746496] protocol.c(627): [client 10.x.x.x:53812] Request received from client: GET /clusterjsp HTTP/1.0
[Wed Sep 05 18:46:03.780880 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(301): [client 10.x.x.x:53812] Headers received from client:
[Wed Sep 05 18:46:03.780904 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Host: mydomain.foo:8080
[Wed Sep 05 18:46:03.780918 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0
[Wed Sep 05 18:46:03.780933 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[Wed Sep 05 18:46:03.780945 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Accept-Language: en-us,en;q=0.5
[Wed Sep 05 18:46:03.780957 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Accept-Encoding: gzip, deflate
[Wed Sep 05 18:46:03.780969 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Cookie: JSESSIONID=74ed1ff134626b3d85e4ec2ebca9.0; __utma=85701643.1776763863.1324649383.1324649383.1324649383.1
[Wed Sep 05 18:46:03.780981 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Via: 1.0 proxyserver.mydomain:3128 (squid/2.7.STABLE5)
[Wed Sep 05 18:46:03.780992 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   X-Forwarded-For: 10.x.x.x
[Wed Sep 05 18:46:03.781003 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Cache-Control: max-age=259200
[Wed Sep 05 18:46:03.781023 2012] [http:trace4] [pid 16732:tid 14004746496] http_request.c(305): [client 10.x.x.x:53812]   Connection: keep-alive
...
[Wed Sep 05 18:46:03.781220 2012] [proxy_balancer:trace1] [pid 16732:tid 14004746496] mod_proxy_balancer.c(73): [client 10.x.x.x:53812] canonicalising URL //default/clusterjsp
[Wed Sep 05 18:46:03.781300 2012] [proxy_balancer:debug] [pid 16732:tid 14004746496] mod_proxy_balancer.c(292): [client 10.x.x.x:53812] AH01160: Found value 74ed1ff134626b3d85e4ec2ebca9.0 for stickysession JSESSIONID
[Wed Sep 05 18:46:03.781319 2012] [proxy_balancer:debug] [pid 16732:tid 14004746496] mod_proxy_balancer.c(302): [client 10.x.x.x:53812] AH01161: Found route 0
[Wed Sep 05 18:46:03.781338 2012] [proxy_balancer:debug] [pid 16732:tid 14004746496] mod_proxy_balancer.c(614): [client 10.x.x.x:53812] AH01172: balancer://default: worker (http://backend1.foo:5080) rewritten to http://backend1.foo:5080/clusterjsp
[Wed Sep
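
The two prefix rewrites described in the message above, as an added example that is not part of the original post and not httpd source code. It is a simplified model: `map_forward`, `map_reverse` and the `fix` flag are hypothetical names, and the forward-side separator repair is an assumption, since the attached patch is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the two prefix rewrites; NOT httpd source code. */

/* Forward: cut the matched <fake> prefix from the request path and append
 * the remainder to <real>. With fix=1 (assumed repair), keep one '/'
 * between <real> and the remainder when neither side supplies it. */
static const char *map_forward(const char *fake, const char *real,
                               const char *uri, int fix)
{
    static char out[256];
    size_t fl = strlen(fake), rl = strlen(real);
    if (strncmp(uri, fake, fl) != 0)
        return NULL;                       /* this mapping does not apply */
    const char *rest = uri + fl;
    int need_sep = fix && *rest != '\0' && *rest != '/'
                   && (rl == 0 || real[rl - 1] != '/');
    snprintf(out, sizeof out, "proxy:%s%s%s", real, need_sep ? "/" : "", rest);
    return out;
}

/* Reverse: replace the backend prefix <real> of a Location header with
 * <fake>. With fix=1, a <fake> of "/" contributes nothing, as in the
 * quick check quoted in the post. */
static const char *map_reverse(const char *fake, const char *real,
                               const char *front, const char *loc, int fix)
{
    static char out[256];
    size_t l2 = strlen(real);
    if (strncmp(loc, real, l2) != 0)
        return loc;                        /* not a backend URL: unchanged */
    const char *prefix = (fix && strcmp(fake, "/") == 0) ? "" : fake;
    snprintf(out, sizeof out, "%s%s%s", front, prefix, loc + l2);
    return out;
}

int main(void)
{
    /* Constructed inputs taken from the hostnames used in the post. */
    const char *be = "http://backend1.foo:5080", *fe = "http://mydomain.foo:8080";
    const char *loc = "http://backend1.foo:5080/clusterjsp/";
    printf("%s\n", map_forward("/", "balancer://default", "/clusterjsp", 0));
    printf("%s\n", map_forward("/", "balancer://default", "/clusterjsp", 1));
    printf("%s\n", map_reverse("/", be, fe, loc, 0));
    printf("%s\n", map_reverse("/", be, fe, loc, 1));
    return 0;
}
```

In this model only a `<fake>` of "/" triggers either defect; a prefix such as "/app" leaves a remainder that already starts with "/".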

Re: how to avoid balancer manager nonce?

2012-09-05 Thread Rainer Jung

On 31.08.2012 15:45, Eric Covener wrote:

> I'm fighting a problem on new releases of AIX where in some
> environments, /dev/random seems to run out of entropy way too quick.
>
> I'd like a way to suppress the apr_uuid_get->
> apr_generate_random_bytes() in mod_proxy_balancer used for the
> balancer-manager nonce in affected environments.

Doesn't it only call apr_uuid_get() during creation of the balancer
worker? So IMHO it should be only a problem during startup.

> I was thinking a global "BalancerManager off" could be used for this

For 2.4 there already seems to be a configurable "nonce" attribute for
each balancer allowing the special value "None". Not so for 2.2.

> and would also have the upside of fixing the SetHandler htaccess
> problem.

Not sure what the "SetHandler htaccess" problem is.

> Alternatives would be to find a weaker source for the nonce, or allow
> to opt out / use a hard-coded one.
>
> Any suggestions?


Concerning the more recent discussion on this topic: it seems the nonce
was introduced in r661666 to counter a possible CSRF attack against the
balancer manager (CVE-2007-6420). Configurability was added later.


Regards,

Rainer



Re: how to avoid balancer manager nonce?

2012-09-05 Thread Ben Laurie
On Wed, Sep 5, 2012 at 12:02 PM, Tony Stevenson wrote:
>
> On 5 Sep 2012, at 11:57, Jim Jagielski wrote:
>
>> FWIW, I have time this week to impl this...
>>
>> Feedback/Concerns?
>
> Only the term 'nonce' - It has very unfortunate connotations from UK English.
> [1]  :-)

Sadly, we lost that battle a long time ago, it is a term of art in
crypto/security - which is why, btw, I want to know what it is
actually used for, because generally predictable nonces are a _really
bad idea_, and that is what is currently proposed. I'm assuming that
whoever wrote the code wasn't a complete idiot and did not use
cryptographic randomness for no reason. But perhaps they did, as Jim
seems to think.

>
>
> [1] - http://en.wikipedia.org/wiki/Nonce_(slang)
>
>
>
>
> Cheers,
> Tony
>
> --
> Tony Stevenson
>
> t...@pc-tony.com
> t...@caret.cam.ac.uk
> pct...@apache.org
>
> http://www.pc-tony.com
>
> GPG - 1024D/51047D66
> --
>


Re: how to avoid balancer manager nonce?

2012-09-05 Thread Ben Laurie
On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski wrote:
> FWIW, I have time this week to impl this...
>
> Feedback/Concerns?

I still want to know what the "nonce" is actually for! Are you going
to make me read the code and guess?

>
> On Sep 1, 2012, at 11:47 AM, Jim Jagielski wrote:
>
>> Another alternative would be to have the nonce also possibly
>> set at config-time and, if unset, then use the uuid. That way
>> it could also be used as a sort of shared-secret ;)
>>
>>   ProxySet nonce="applepie!"
>>
>> Longer term, I think that's a more "strategic" solution.
>>
>> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch wrote:
>>
>>> On Friday 31 August 2012, Eric Covener wrote:
>>>> I'm fighting a problem on new releases of AIX where in some
>>>> environments, /dev/random seems to run out of entropy way too
>>>> quick.
>>>>
>>>> I'd like a way to suppress the apr_uuid_get->
>>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>>> balancer-manager nonce in affected environments.
>>>>
>>>> I was thinking a global "BalancerManager off" could be used for
>>>> this and would also have the upside of fixing the SetHandler
>>>> htaccess problem.
>>>>
>>>> Alternatives would be to find a weaker source for the nonce, or
>>>> allow to opt out / use a hard-coded one.
>>>>
>>>> Any suggestions?
>>>
>>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>>> enough for a nonce.
>>>
>>> If you add a "BalancerManager off", it should be per directory, or at
>>> least per vhost. Otherwise it would not help that much with the
>>> SetHandler htaccess problem.
>>>
>>
>


Re: how to avoid balancer manager nonce?

2012-09-05 Thread Tony Stevenson

On 5 Sep 2012, at 11:57, Jim Jagielski wrote:

> FWIW, I have time this week to impl this...
>
> Feedback/Concerns?

Only the term 'nonce' - It has very unfortunate connotations from UK English.
[1]  :-)


[1] - http://en.wikipedia.org/wiki/Nonce_(slang)




Cheers,
Tony

--
Tony Stevenson

t...@pc-tony.com
t...@caret.cam.ac.uk
pct...@apache.org

http://www.pc-tony.com

GPG - 1024D/51047D66
--



Re: how to avoid balancer manager nonce?

2012-09-05 Thread Jim Jagielski
FWIW, I have time this week to impl this...

Feedback/Concerns?

On Sep 1, 2012, at 11:47 AM, Jim Jagielski wrote:

> Another alternative would be to have the nonce also possibly
> set at config-time and, if unset, then use the uuid. That way
> it could also be used as a sort of shared-secret ;)
> 
>   ProxySet nonce="applepie!"
> 
> Longer term, I think that's a more "strategic" solution.
> 
> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch wrote:
> 
>> On Friday 31 August 2012, Eric Covener wrote:
>>> I'm fighting a problem on new releases of AIX where in some
>>> environments, /dev/random seems to run out of entropy way too
>>> quick.
>>> 
>>> I'd like a way to suppress the apr_uuid_get->
>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>> balancer-manager nonce in affected environments.
>>> 
>>> I was thinking a global "BalancerManager off" could be used for
>>> this and would also have the upside of fixing the SetHandler
>>> htaccess problem.
>>> 
>>> Alternatives would be to find a weaker source for the nonce, or
>>> allow to opt out / use a hard-coded one.
>>> 
>>> Any suggestions?
>> 
>> For 2.4, you could use ap_random_insecure_bytes(). It should be good 
>> enough for a nonce.
>> 
>> If you add a "BalancerManager off", it should be per directory, or at 
>> least per vhost. Otherwise it would not help that much with the 
>> SetHandler htaccess problem.
>> 
>