bug in mod_proxy(_connect)?

Thu, 06 Aug 2009 10:51:14 -0700 

Hi
Bear with me, I'm new to this list. I think I've found a bug in mod_proxy / mod_proxy_connect. 


I'm running apache in both forward and reverse proxy mode.  The idea  
is :- reverse proxy gives people outside firewall access to websites  
on different VMs inside via one IP, and forward proxy is to allow them  
to log in via ssh.


A trimmed down conf file:

======

NameVirtualHost *:443

SSLCertificateFile /etc/apache2/ssl/default-ssl

LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined

<VirtualHost *:443>
      SSLEngine on
      ServerName proxy.domain.com

      ProxyRequests on
      AllowCONNECT 22
      ProxyVia on

      <Proxy *.domain.com>
              AuthType Basic
              AuthBasicProvider ldap
              AuthName "Domain"

              AuthzLDAPAuthoritative   off

              AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com 
"

              Require valid-user
      </Proxy>
</VirtualHost>

<VirtualHost *:443>
      SSLEngine on
      ServerName wiki.domain.com
      ProxyPass / http://wiki.domain.com/

      <Location />
                 AuthType Basic
                 AuthBasicProvider ldap
                 AuthName "Domain"

                 AuthzLDAPAuthoritative   off

                 AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com 
"

                 Require valid-user
      </Location>
</VirtualHost>

=======


SSH connects fine if the second <VirtualHost> clause isn't there, but  
fails if it is:


=======

# ssh somehost.domain.com

SSL client to proxy enabled
Local proxy proxy.domain.com resolves to XXX
Connected to proxy.domain.com:443 (local proxy)

Tunneling to somehost.domain.com:22 (destination)
Communication with local proxy:
-> CONNECT somehost.domain.com:22 HTTP/1.0
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 403 Proxy Error
HTTP return code: 403 Proxy Error
<- Date: Thu, 06 Aug 2009 17:16:26 GMT
<- Content-Length: 396
<- Connection: close
<- Content-Type: text/html; charset=iso-8859-1
ssh_exchange_identification: Connection closed by remote host

=======

In my apache logs:

=======


[Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request  
received for child 0 (server somehost.domain.com:443)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:  
CONNECT: canonicalising URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]  
proxy: *: found forward proxy worker for somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme  
somehost.domain.com handler (attempt 0)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:  
CONNECT: serving URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:  
CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:  
CONNECT: connecting to remote proxy somehost.domain.com on port 22
[Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:  
Connect to remote machine blocked2 returned by somehost.domain.com:22  
<<<<<========
[Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL:  
Write: SSL negotiation finished successfully
[Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection  
closed to child 0 with standard shutdown (server proxy.domain.com:443)


=======


I've recompiled apache so I could tell which error message this was (3  
messages the same in mod_proxy_connect.c - nice):


=======

 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,

       "proxy: CONNECT: connecting to remote proxy %s on port %d",  
connectname, connectport);


  /* check if ProxyBlock directive on this host */
  if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
      return ap_proxyerror(r, HTTP_FORBIDDEN,
                           "Connect to remote machine blocked1");
  }

  /* Check if it is an allowed port */
  if (conf->allowed_connect_ports->nelts == 0) {
  /* Default setting if not overridden by AllowCONNECT */
      switch (uri.port) {
          case APR_URI_HTTPS_DEFAULT_PORT:
          case APR_URI_SNEWS_DEFAULT_PORT:
              break;
          default:

      return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote  
machine blocked2");

      }
  } else if(!allowed_port(conf, uri.port)) {

  return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine  
blocked3");

  }

=======


And its failing on the conf->allowed_connect_ports->nelts == 0, ie  
there are no AllowCONNECTs defined (although there obviously are!)



I think there must be something wrong in set_allowed_ports in  
mod_proxy.c, perhaps it is getting the wrong server_rec?



Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all  
the debian patches) + a patch fromhttps://issues.apache.org/bugzilla/ 
show_bug.cgi?id=29744(https://issues.apache.org/bugzilla/attachment.cgi?id=22248 
) to make http connect work over HTTPS.



As for all the ldap stuff in my config, if works fine for the Reverse  
Proxy (ie the wiki.domain.com) but haven't got it working for the  
forward, CONNECT proxy.  I think it has nothing to do with it though,  
because ssh works if I remove the reverse proxies, just without  
prompting for the ldap password.


So... Any ideas?

Thanks

Tom

























					Reply via email to