>Number: 4393
>Category: general
>Synopsis: Apache without mod_proxy does not give an error when it gets a proxy-request.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Wed May 12 04:10:01 PDT 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.6
>Environment:
I don't think this problem depends on the environment. Anyway, I've seen it on Linux 2.0.x, 2.2.x, HP-UX 10.20/9.05 and IRIX 6.x.
>Description:
I run Apache and Squid on the same server, and sometimes clients are misconfigured and try to use the Apache server as a web-proxy/cache. The Apache server is _not_ configured to handle this; mod_proxy is _not_ compiled in or configured. I prefer to use Squid as a proxy/cache instead.

When a client tries to fetch a URL through Apache by i.e. "GET http://www.apache.org/bug_report.html HTTP/1.0", the following happens:

* Apache seems to strip the protocol and server from the request, and ends up with "/bug_report.html".
* If this path should happen to exist on my local server, the client will get this document. I.e. when the request ends up as "/" it will get our homepage, which is wrong.
* The client gets an ordinary 404 when our server doesn't have the requested path.

I think Apache should return a '400 Bad Request' when it gets a request of the form "GET http|ftp|gopher:server.name:port/path HTTP/1.0".
>How-To-Repeat:
Try to contact www.uit.no by telnet and do a

    GET http://www.apache.org/ HTTP/1.0

and

    GET http://www.apache.org/foo.html HTTP/1.0

I have implemented a custom warning by using a cgi-script. When a 404 occurs, and the request starts with http, I send out a customized error message. So you should try this on a regular Apache server which does not use mod_proxy.
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done ]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
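
The distinction the report turns on, as an added example (not Apache code and not the submitter's CGI script): it classifies a request line as a local request, an absolute URI naming this server, or a proxy request for another host, then scans access-log lines for proxy requests and the status each one received. `LOCAL_HOSTS`, the function names and the sample log lines are assumptions made for illustration, and the log is assumed to be in Common Log Format with the request line recorded as received.

```python
import re

# Assumption: the names this server answers for (sample value from the report).
LOCAL_HOSTS = {"www.uit.no"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
ABSOLUTE_URI = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/:?#]+)(?::\d+)?([/?#].*)?$", re.I)
# Common Log Format: client, ident, user, [time], "request line", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')


def classify(request_line, local_hosts=LOCAL_HOSTS):
    """Return 'origin', 'self', 'proxy' or 'malformed' for one request line."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return "malformed"
    target = m.group(2)
    if target.startswith("/") or target == "*":
        return "origin"  # ordinary request for a local path
    uri = ABSOLUTE_URI.match(target)
    if not uri:
        return "malformed"
    scheme, host = uri.group(1).lower(), uri.group(2).lower().rstrip(".")
    if scheme == "http" and host in local_hosts:
        return "self"  # absolute form naming this server, which HTTP/1.1 permits
    return "proxy"  # another host or scheme: the client expects a proxy


def proxy_attempts(log_lines, local_hosts=LOCAL_HOSTS):
    """Return (client, request line, status) for every logged proxy request."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if m and classify(m.group(2), local_hosts) == "proxy":
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/1999:04:10:01 -0700] "GET http://www.apache.org/ HTTP/1.0" 200 5120',
    '192.0.2.10 - - [12/May/1999:04:10:05 -0700] "GET http://www.apache.org/foo.html HTTP/1.0" 404 210',
    '192.0.2.22 - - [12/May/1999:04:11:40 -0700] "GET http://www.uit.no/ HTTP/1.1" 200 5120',
    '192.0.2.31 - - [12/May/1999:04:12:02 -0700] "GET /index.html HTTP/1.0" 200 5120',
]

if __name__ == "__main__":
    for client, request, status in proxy_attempts(SAMPLE_LOG):
        # A 200 here means a local document was served for a foreign URL.
        print(f"{client} {request!r} -> {status}")
```

In the constructed sample the first hit carries status 200, the case the report describes: a request for a foreign URL answered with a local page.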