[users@httpd] 421 when SNI mismatches Host
Hello,

mod_proxy includes a "ProxyPreserveHost" option, which causes the Host: header to be preserved in requests to a backend.

httpd, though, seems to send a 421 response to any HTTP/1.1 request whose Host header mismatches the SNI string.

Is ProxyPreserveHost, then, unable to use httpd as a backend? Is there a configuration option to tell httpd to serve such mismatched requests?

Thank you!

cheers,
-Felipe Gasper

- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Fri, May 08, 2020 at 03:15:23PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:
> > On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > > the web site hosted there reachable from the IPv4 Internet.
> > >
> > > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > > to get them to the machine?
> >
> > Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> > absolutely necessary.
>
> To be honest I would have thought that "talking to a very large part of the
> current Internet" is reasonably necessary :)

I would do it differently in an infrastructure project, but this is my
personal blog, somewhere between "engineering study" and "production". And I
know of at least one ISP who has built the datacenter in a quite similar way.

Being reachable from the IPv4 internet is very well done with sniproxy, it's
just apache making this unnecessarily complicated by offering two methods
from the same module with the exception list backwards in one of those two.
I was hoping that somebody would explain _why_ the haproxy protocol is
implemented so differently from the http header method in the very same
module, and maybe I have missed something in the docs.

> Dual-stack I can quite understand, but attempting IPv6-only seems a bit too
> far ahead of the game for my liking.
>
> > I'd rather take the approach of having a dedicated apache listener for
> > the proxied requests than building more IPv4.
>
> Okay, I just thought I'd offer an alternative possible solution.

The least evil solution seems to look different for different people,
although a solution inside apache would actually help the most.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         |   "I don't trust Computers. They | Mail address in header
Leimen, Germany    |    lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 6224 1600421
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Friday 08 May 2020 at 15:00:07, Marc Haber wrote:
> On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> > On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > > I have a vhost in a https-only IPv6-only setup and would like to make
> > > the web site hosted there reachable from the IPv4 Internet.
> >
> > Is the vhost capable of dealing with IPv4 queries if you can only manage
> > to get them to the machine?
>
> Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
> absolutely necessary.

To be honest I would have thought that "talking to a very large part of the
current Internet" is reasonably necessary :)

Dual-stack I can quite understand, but attempting IPv6-only seems a bit too
far ahead of the game for my liking.

> I'd rather take the approach of having a dedicated apache listener for
> the proxied requests than building more IPv4.

Okay, I just thought I'd offer an alternative possible solution.

Regards,

Antony.

--
Ramdisk is not an installation procedure.

Please reply to the list;
please *don't* CC me.
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Fri, May 08, 2020 at 02:01:03PM +0200, Antony Stone wrote:
> On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> > I have a vhost in a https-only IPv6-only setup and would like to make
> > the web site hosted there reachable from the IPv4 Internet.
>
> Is the vhost capable of dealing with IPv4 queries if you can only manage to
> get them to the machine?

Yes, but I'd prefer having the setup IPv6 only. I only build IPv4 if
absolutely necessary.

I'd rather take the approach of having a dedicated apache listener for
the proxied requests than building more IPv4.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         |   "I don't trust Computers. They | Mail address in header
Leimen, Germany    |    lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 6224 1600421
Re: [users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
On Friday 08 May 2020 at 13:16:28, Marc Haber wrote:
> Hi,
>
> I have a vhost in a https-only IPv6-only setup and would like to make
> the web site hosted there reachable from the IPv4 Internet.

Is the vhost capable of dealing with IPv4 queries if you can only manage to
get them to the machine?

> On a dual-homed host, I have sniproxy that forwards requests coming in via
> IPv4 over IPv6 depending on the SNI header. The web server is directly
> reachable from the IPv6 Internet without proxy.

How about a completely different approach - set up a VPN connection between
your dual-homed host and the IPv6-only web server, to tunnel IPv4 requests
and responses over an IPv6 link?

Then you publish the real IPv6 address of the server as your DNS address,
and the IPv4 address of the dual-homed host as the A address.

The dual-homed host tunnels all requests (source and destination still both
IPv4) to the vhost, and it routes all IPv4 traffic back across the VPN.

No need for HTTPS interception etc.; you're just tunneling all requests
directly to the machine which has the certificate on it.

Antony.

--
How many Prolog programmers does it take to change a lightbulb?

No.

Please reply to the list;
please *don't* CC me.
[users@httpd] RemoteIPProxyProtocolExceptions with negated IP list
Hi,

I have a vhost in a https-only IPv6-only setup and would like to make
the web site hosted there reachable from the IPv4 Internet.

On a dual-homed host, I have sniproxy that forwards requests coming in via
IPv4 over IPv6 depending on the SNI header. The web server is directly
reachable from the IPv6 Internet without proxy.

sniproxy can utilize the haproxy proxy protocol to forward the IPv4 address
of the requesting client to the webserver. With the RemoteIPProxyProtocol
directive of mod_remoteip, apache can make sense of that. So far so good.

With this option set, apache expects the proxy protocol on all connections
for the listener in question, making it unsuitable for direct client
connections. There is RemoteIPProxyProtocolExceptions, which specifies IP
addresses from where the proxy protocol is not required.

In the situation in question, I'd need "require proxy protocol from the IP
address of the proxy ONLY". If I set like 2000::/3 as Exceptions, the
entire Internet could send me a wrong IP address.

This logic is completely backwards from the other mechanism for
X-Forwarded-For headers using RemoteIPInternalProxy, where I need to put in
a list of IP addresses that are allowed to send a client IP address.
Confusing.

Is it possible to have a negated IP address list in
RemoteIPProxyProtocolExceptions? I think that I cannot use SetEnvIf at this
point because the ProxyProtocol processing happens way before any http
processing begins.

I would like to avoid defining a dedicated listener for the sniproxy
mechanism.

Any ideas?

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         |   "I don't trust Computers. They | Mail address in header
Leimen, Germany    |    lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 6224 1600421
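The two trust models this post contrasts, as an added Python example (not code from the thread, from sniproxy or from mod_remoteip): a PROXY protocol v1 line parser with the client-address decision for the RemoteIPInternalProxy-style allow list, for the RemoteIPProxyProtocolExceptions-style exception list, and for the "proxy only" policy the post asks for. All addresses and header lines are constructed, and the assumption that an excepted peer may still send a PROXY line that is then honoured is the reading the post's concern implies, not something verified against httpd here.

```python
import ipaddress
import re

# PROXY protocol v1 line, e.g. "PROXY TCP4 <src> <dst> <sport> <dport>\r\n"
_PROXY_V1 = re.compile(r"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n")

def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def client_ip_xff(peer, xff_header, internal_proxies):
    """RemoteIPInternalProxy model: an allow list. The header is believed only
    when the TCP peer is a listed proxy; otherwise the peer is the client."""
    if xff_header and _in_any(peer, internal_proxies):
        return xff_header.split(",")[-1].strip()  # nearest hop (one trusted proxy)
    return peer

def client_ip_proxy_protocol(peer, first_bytes, exceptions):
    """RemoteIPProxyProtocol model as the post reads it (assumption): peers on
    the exception list MAY send a PROXY line, all others MUST, and a present
    line is believed whoever sent it. Returns (client_ip, error)."""
    m = _PROXY_V1.match(first_bytes)
    if m:
        return m.group(2), None
    if _in_any(peer, exceptions):
        return peer, None
    return None, "PROXY line required but absent or malformed"

def client_ip_proxy_only(peer, first_bytes, proxy_hosts):
    """Policy the post asks for: honour a PROXY line only from the known proxy;
    anyone else is a direct client and any PROXY line they send is not parsed."""
    if not _in_any(peer, proxy_hosts):
        return peer, None
    m = _PROXY_V1.match(first_bytes)
    if not m:
        return None, "PROXY line required from proxy but absent or malformed"
    return m.group(2), None

# Constructed addresses: sniproxy on a dual-homed host, and an unrelated peer.
SNIPROXY = "2001:db8:1::10"
STRANGER = "2001:db8:ffff::5"
GENUINE = "PROXY TCP4 203.0.113.7 192.0.2.1 51234 443\r\n"    # sent by sniproxy
SPOOFED = "PROXY TCP4 198.51.100.99 192.0.2.1 40000 443\r\n"  # sent by the stranger
```

With the exception list set to 2000::/3, the stranger's line is believed; with the proxy-only policy the same line is ignored and the stranger's own address is used.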
Re: [users@httpd] proxy_html / xml2enc won't handle certain HTML entities
> On 8 May 2020, at 07:28, Antonio Suárez Pozuelo wrote:
>
> Hi Nick,
>
> Your glass of wine was inspiring: just removed
>
>> ProxyHTMLCharsetOut * # Backend (Tomcat) charset is ISO-8859-1
>
> and the problem's gone!

OK, thanks for confirming it. I'm pretty sure now what's happening.

Libxml2 uses unicode (utf-8) internally, so for i18n to work, your
iso-8859-1 gets converted before feeding to the parser. But HTML entities
are not preserved: they get converted to their unicode representations.

ProxyHTMLCharsetOut is kind-of an afterthought: it converts unicode to your
choice of encoding. But it doesn't deal with HTML entities. So when it
encounters unicode sequences for your "" et al, it just tries to convert
unicode to latin-1, and fails when there is no latin-1 representation.

As far as I know this doesn't really matter: unicode support is pretty-near
universal, so just leaving it in place has no real downside. I'll think
about whether there's an easy fix to ProxyHTMLCharsetOut for cases like
this, but will more likely just add a note to the docs about the limitation.

> FYI, by increasing LogLevel to INFO, error log shows:

Basically just shows the problem isn't your backend. My first reply was
leading to "if the debug info doesn't tell us what's wrong, I'll ask for a
test case to try and replicate the problem". No need for that now!

Thanks for the report!

--
Nick Kew
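The two-stage pipeline described in the reply above, as an added Python example (not code from the thread, from mod_proxy_html or from libxml2): Python's html.unescape stands in for libxml2's entity resolution, and str.encode for the ProxyHTMLCharsetOut conversion. The entities are constructed, since the ones from the original report are not reproduced on the page.

```python
import html

def resolve_entities(fragment):
    """Stage 1, what libxml2 does while parsing: named and numeric entities
    become the Unicode characters they denote; the entity text itself is gone."""
    return html.unescape(fragment)

def unrepresentable(text, charset):
    """Characters of text that charset cannot encode (unique, sorted)."""
    bad = set()
    for ch in text:
        try:
            ch.encode(charset)
        except UnicodeEncodeError:
            bad.add(ch)
    return sorted(bad)

def charset_out_strict(fragment, charset):
    """Stage 2 as described: convert the Unicode text to the requested output
    charset with no fallback; raises UnicodeEncodeError when a character has
    no representation in that charset."""
    return resolve_entities(fragment).encode(charset)

def strict_fails(fragment, charset):
    """True when the strict conversion would abort (the reported failure)."""
    try:
        charset_out_strict(fragment, charset)
    except UnicodeEncodeError:
        return True
    return False

def charset_out_charrefs(fragment, charset):
    """Same conversion, but characters the charset lacks are re-emitted as
    numeric character references, which any HTML client understands."""
    return resolve_entities(fragment).encode(charset, errors="xmlcharrefreplace")

# Constructed sample: &eacute; exists in Latin-1; &ndash; and &euro; do not.
SAMPLE = "<p>Caf&eacute; &ndash; 5&euro;</p>"
```

Converting SAMPLE to utf-8 never fails, which is why leaving the output as Unicode has no downside; converting to iso-8859-1 fails on the dash and the euro sign unless they are re-emitted as character references.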
Re: [users@httpd] proxy_html / xml2enc won't handle certain HTML entities
Hi Nick,

Your glass of wine was inspiring: just removed

>ProxyHTMLCharsetOut * # Backend (Tomcat) charset is ISO-8859-1

and the problem's gone!

Also commented out

>ProxyHTMLMeta on

with no noticeable change in behaviour. As per the docs "turning ProxyHTMLMeta
Off will give a small performance boost", so off it goes.

Thank you so much!

FYI, by increasing LogLevel to INFO, error log shows:

[Fri May 08 07:42:35.790051 2020] [xml2enc:info] [pid 13183:tid 139823008806656] [client _redacted_:55344] AH01431: Got charset ISO-8859-1 from HTTP headers

So our backend's stated charset is ISO-8859-1.

About your questions:

> Are you sure your backend is sending literally those entities, as opposed to
> their byte representations in its charset?

> Note that libxml2 is doing the hard work here: what version of libxml2 do you
> have?

"Faulty" entities are coded verbatim (i.e. "") in the backend JSP pages, and
are rendered exactly that way in non-proxied responses.

libxml2 version is 2.9.4 (within Debian 10.3 amd64).

I can do further testing, if you need it.

FYI 2 (side point):

> >ProxyHTMLURLMap "/backend-path/(.*)" "/$1" R

We had some previous experience with proxy URL mapping, and
"/frontend-path/" <-> "/backend-path/" has always worked fine for us without
the regexp. But mapping the root frontend path "/" gave us some trouble; maybe
there's a better solution, but that regexp solved the issue.

Thank you again.

Best regards,
Antonio

----- Original message -----
From: "Nick Kew"
To: "users"
Sent: Friday, 8 May 2020 1:49:25
Subject: Re: [users@httpd] proxy_html / xml2enc won't handle certain HTML entities

> On 7 May 2020, at 17:52, Antonio Suárez Pozuelo wrote:
>
> Hi there,

Further to my last reply, I can see what may possibly be wrong:

> We have a Tomcat 8 backend server behind an Apache 2.4 proxy. Our Apache conf:
>
> >ProxyPreserveHost on
> >ProxyHTMLEnable on
> >ProxyHTMLExtended on

You probably don't want that.

> >ProxyHTMLCharsetOut * # Backend (Tomcat) charset is ISO-8859-1

I suspect that is very probably the culprit. Does removing it fix the
problem?

> >ProxyHTMLMeta on

You probably also don't want that. I think the documentation of that is
misleadingly out-of-date, but I don't want to check now (late, and after a
glass of wine).

--
Nick Kew