Hi,

I'm trying to grant road warrior users access to our company Exchange server through RPC over HTTP. In my setup, an Apache 2.2.2 on a FreeBSD server in the DMZ should act as a proxy between the Internet and the IIS on the Exchange server. The communication is SSL-encrypted in both directions (SSLEngine and SSLProxyEngine On).

Unfortunately, the Outlook client just hangs when trying to access Exchange through the proxy. The Apache error log shows these messages:

[Mon Jul 10 10:48:48 2006] [error] (70007)The timeout specified has expired: proxy: prefetch request body failed to <exchangeip>:<port> (<exchange>) from <clientip> ()

After working on this for quite some time, I believe I can rule out the usual configuration and certificate problems that are described on various websites. Also, I have a Linux in my internal network with an older version of Apache (2.0.53) where the same proxy configuration works like a charm.

I did some analysis with ssldump on both proxies. Apparently, RPC over HTTP opens two HTTP/1.1 requests: One with request method RPC_IN_DATA to send data to the server, and one with method RPC_OUT_DATA to send data back to the client. The body consists of raw binary data, and the connections are apparently re-used for several RPCs.

I.e. after sending the headers for both connections, the client sends a request on the IN connection, reads the response from the OUT connection, sends another request on the IN connection and so on - which means that any buffering in the proxy is absolutely deadly in this scenario.

Here's an example of an IN connection header:
    RPC_IN_DATA /rpc/rpcproxy.dll?<exchange>:6002 HTTP/1.1
    Accept: application/rpc
    User-Agent: MSRPC
    Host: <proxy>
    Content-Length: 1073741824
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache
    Authorization: Basic <user/passwd>

And here's an example of an OUT connection header:
    RPC_OUT_DATA /rpc/rpcproxy.dll?<exchange>:6002 HTTP/1.1
    Accept: application/rpc
    User-Agent: MSRPC
    Host: <proxy>
    Content-Length: 76
    Connection: Keep-Alive
    Cache-Control: no-cache
    Pragma: no-cache
    Authorization: Basic <user/passwd>

ssldump on the Apache 2.2.2 machine shows that the RPC_OUT_DATA is correctly forwarded to the Exchange server. For the RPC_IN_DATA, OTOH, the proxy doesn't even open a connection to the Exchange server. I can only guess that it's trying to read (prefetch?) a part or all of the 1073741824 bytes (Content-Length) before opening the session to the Exchange server.

Unfortunately, the client only sends a small request (~ 100 bytes) on the IN connection and starts waiting for a response on the OUT connection. It never gets one, though, since the request hasn't reached the Exchange server yet.

On the Apache 2.0.53 server, however, both requests are forwarded to the Exchange server, and the body bits are also relayed in a direct and timely manner. I've tried an Apache 2.0.58 on the FreeBSD server, but that one doesn't work, either.

Is there any option to configure mod_proxy and Apache core in 2.2.2 (or 2.0.58) to behave in the same way as the 2.0.53 version? Is there a source patch that I could apply (no idea what a brigade is and what it does)?

Thanks in advance,
  Hans

PS: I realize that the design of Microsoft's RPC over HTTP is somewhat broken. However, I guess my setup is not that unusual, and I'd like Apache to handle these unknown methods as interoperable as possible.

--
Hans Maurer                                               [EMAIL PROTECTED]

          "Deep down, I doubt my greed for presents can overcome
                          my desire to misbehave"
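
The stall described in the message can be reproduced with a small model, given here as an added example that is not part of the original post and is not Apache code. It compares a relay that holds the IN request until a body threshold is met with one that forwards on the first byte; the `prefetch` threshold, host names and the 100-byte payload are constructed assumptions.

```python
import socket

# Constructed sample modelled on the IN-channel header quoted above; host names are placeholders.
IN_HEADERS = (b"RPC_IN_DATA /rpc/rpcproxy.dll?exchange.example:6002 HTTP/1.1\r\n"
              b"Host: proxy.example\r\n"
              b"Content-Length: 1073741824\r\n"
              b"Connection: Keep-Alive\r\n\r\n")
FIRST_RPC = b"\x05" * 100  # constructed ~100-byte first request; the client then waits on OUT


def read_head(sock):
    """Read through the blank line; return (declared Content-Length, body bytes already read)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    return length, rest


def relay(client_side, prefetch, timeout=0.5):
    """Model proxy (hypothetical, not Apache's logic): hold the request until
    min(prefetch, Content-Length) body bytes have arrived; prefetch=0 forwards on the
    first byte. Returns (body bytes handed to the backend, timed_out)."""
    client_side.settimeout(timeout)
    length, body = read_head(client_side)
    need = min(max(prefetch, 1), length)
    try:
        while len(body) < need:
            chunk = client_side.recv(4096)
            if not chunk:
                break
            body += chunk
    except socket.timeout:
        return 0, True  # backend never sees the request: the stall from the error log
    return len(body), False


def run(prefetch):
    """One IN channel: the client sends headers plus one small RPC, then goes quiet."""
    client, proxy_side = socket.socketpair()
    try:
        client.sendall(IN_HEADERS + FIRST_RPC)
        return relay(proxy_side, prefetch)
    finally:
        client.close()
        proxy_side.close()
```

`run(0)` hands the 100 bytes to the backend at once, while `run(16384)` times out with nothing forwarded, because the declared Content-Length promises far more body than the client sends before it starts waiting on the OUT channel.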

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.