So I figured out why the forward proxy wasn't authenticating... I
changed:
<Proxy *.domain.com>
to:
<Proxy *>
And it worked. Bug? Feature?
On 6 Aug 2009, at 18:50, Tom Wilkie wrote:
Hi
Bear with me, I'm new to this list. I think I've found a bug in
mod_proxy / mod_proxy_connect.
I'm running apache in both forward and reverse proxy mode. The idea
is :- reverse proxy gives people outside firewall access to websites
on different VMs inside via one IP, and forward proxy is to allow
them to log in via ssh.
A trimmed down conf file:
======
NameVirtualHost *:443
SSLCertificateFile /etc/apache2/ssl/default-ssl
LogLevel debug
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/access.log combined
<VirtualHost *:443>
SSLEngine on
ServerName proxy.domain.com
ProxyRequests on
AllowCONNECT 22
ProxyVia on
<Proxy *.domain.com>
AuthType Basic
AuthBasicProvider ldap
AuthName "Domain"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com
"
Require valid-user
</Proxy>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
ServerName wiki.domain.com
ProxyPass / http://wiki.domain.com/
<Location />
AuthType Basic
AuthBasicProvider ldap
AuthName "Domain"
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.domain.com/ou=People,dc=domain,dc=com
"
Require valid-user
</Location>
</VirtualHost>
=======
SSH connects fine if the second <VirtualHost> clause isn't there,
but fails if it is:
=======
# ssh somehost.domain.com
SSL client to proxy enabled
Local proxy proxy.domain.com resolves to XXX
Connected to proxy.domain.com:443 (local proxy)
Tunneling to somehost.domain.com:22 (destination)
Communication with local proxy:
-> CONNECT somehost.domain.com:22 HTTP/1.0
-> Proxy-Connection: Keep-Alive
<- HTTP/1.1 403 Proxy Error
HTTP return code: 403 Proxy Error
<- Date: Thu, 06 Aug 2009 17:16:26 GMT
<- Content-Length: 396
<- Connection: close
<- Content-Type: text/html; charset=iso-8859-1
ssh_exchange_identification: Connection closed by remote host
=======
In my apache logs:
=======
[Thu Aug 06 18:25:15 2009] [info] Initial (No.1) HTTPS request
received for child 0 (server somehost.domain.com:443)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(70): proxy:
CONNECT: canonicalising URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] proxy_util.c(1497): [client XXX]
proxy: *: found forward proxy worker for somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy.c(966): Running scheme
somehost.domain.com handler (attempt 0)
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(154): proxy:
CONNECT: serving URL somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(171): proxy:
CONNECT: connecting somehost.domain.com:22 to somehost.domain.com:22
[Thu Aug 06 18:25:15 2009] [debug] mod_proxy_connect.c(194): proxy:
CONNECT: connecting to remote proxy somehost.domain.com on port 22
[Thu Aug 06 18:25:15 2009] [error] [client 87.127.96.17] proxy:
Connect to remote machine blocked2 returned by somehost.domain.com:
22 <<<<<========
[Thu Aug 06 18:25:15 2009] [debug] ssl_engine_kernel.c(1770):
OpenSSL: Write: SSL negotiation finished successfully
[Thu Aug 06 18:25:15 2009] [info] [client 87.127.96.17] Connection
closed to child 0 with standard shutdown (server proxy.domain.com:443)
=======
I've recompiled apache so I could tell which error message this was
(3 messages the same in mod_proxy_connect.c - nice):
=======
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"proxy: CONNECT: connecting to remote proxy %s on port %d",
connectname, connectport);
/* check if ProxyBlock directive on this host */
if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked1");
}
/* Check if it is an allowed port */
if (conf->allowed_connect_ports->nelts == 0) {
/* Default setting if not overridden by AllowCONNECT */
switch (uri.port) {
case APR_URI_HTTPS_DEFAULT_PORT:
case APR_URI_SNEWS_DEFAULT_PORT:
break;
default:
return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote
machine blocked2");
}
} else if(!allowed_port(conf, uri.port)) {
return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine
blocked3");
}
=======
And its failing on the conf->allowed_connect_ports->nelts == 0, ie
there are no AllowCONNECTs defined (although there obviously are!)
I think there must be something wrong in set_allowed_ports in
mod_proxy.c, perhaps it is getting the wrong server_rec?
Some details of my system: Debian Lenny, apache 2.2.9-10+lenny4 (all
the debian patches) + a patch fromhttps://issues.apache.org/bugzilla/
show_bug.cgi?id=29744(https://issues.apache.org/bugzilla/attachment.cgi?id=22248
) to make http connect work over HTTPS.
As for all the ldap stuff in my config, if works fine for the
Reverse Proxy (ie the wiki.domain.com) but haven't got it working
for the forward, CONNECT proxy. I think it has nothing to do with
it though, because ssh works if I remove the reverse proxies, just
without prompting for the ldap password.
So... Any ideas?
Thanks
Tom
