Public bug reported: Version 2.4.52-1ubuntu4.10 of the apache2 package that was released in order to fix the issues described in USN-6885-1 introduced a regression that leads to intermittent 502 errors when proxying requests to a HTTP/2 server. This issue is not present in version 2.4.52-1ubuntu4.9 of the package, so it must have been introduced as a side effect of the security fixes.
The affected server uses the following configuration to proxy requests to an Apache HTTPd version 2.4.61 that is running inside a Docker container: ProxyPass "/" "h2c://localhost:8080/" ProxyPassReverse "/" "http://localhost:8080/"; ProxyPreserveHost On RequestHeader set "X-Forwarded-Proto" "expr=%{REQUEST_SCHEME}" RequestHeader unset "X-Forwarded-For" RequestHeader unset "X-Forwarded-Host" RequestHeader unset "X-Forwarded-Server" This configuration works without any problems when using Apache 2.4.52-1ubuntu4.9. After upgrading to Apache 2.4.52-1ubuntu4.10, the following error message is intermittently displayed when trying to access a proxied resource: Bad Gateway The proxy server received an invalid response from an upstream server. The proxy server could not handle the request Reason: URI has no hostname: /… Apache/2.4.52 (Ubuntu) Server at … Port 443 The request does not show up in the log of the server running inside the Docker container, so it seems like it is not forwarded correctly. This problem does not appear when changing ProxyPass "/" "h2c://localhost:8080/" to ProxyPass "/" "http://localhost:8080/"; so it only seems to appear when using the HTTP/2 backend. My best guess is that one of the changes that were introduced to address the security vulnerabilities also introduced a race condition that is only triggered when using HTTP/2 that is more parallel in nature. This seems to be corroborated by my observation that this problem seems to appear more frequently when many requests are forwarded in parallel or at least quick succession. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: apache2 2.4.52-1ubuntu4.10 ProcVersionSignature: Ubuntu 5.15.0-113.123-generic 5.15.152 Uname: Linux 5.15.0-113-generic x86_64 Apache2ConfdDirListing: False Apache2Modules: httpd (pid 580607) already running ApportVersion: 2.20.11-0ubuntu82.5 Architecture: amd64 CasperMD5CheckResult: unknown Date: Wed Jul 10 14:25:29 2024 ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=C.UTF-8 SHELL=/bin/bash SourcePackage: apache2 UpgradeStatus: Upgraded to jammy on 2024-01-05 (187 days ago) ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug jammy uec-images -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2072648 Title: Regression in Apache 2.4.52-1ubuntu4.10 causes intermittent errors in mod_proxy_http2 backend To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/2072648/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
