https://bz.apache.org/bugzilla/show_bug.cgi?id=58479
Bug ID: 58479
Summary: In mod ssl httpd still decodes %2f%2f even if
allowencodedslashes is On or NoDecode.
Product: Apache httpd-2
Version: 2.4.12
Hardware: PC
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
The following reverse proxy configuration is in place on my front-end server:
AllowEncodedSlashes NoDecode
<Location /path-to-server-01/>
ProxyPass http://server-01-ip:8888/ nocanon retry=0 timeout=180
ProxyPassReverse http://server-01-ip:8888/
Order Deny,Allow
Deny from All
Allow from All
</Location>
http://front-end-server-ip/path-to-server-01/linka/156752%2F%2F156752%2F%2FENG
works without any problem.
https://front-end-server-ip/path-to-server-01/linka/156752%2F%2F156752%2F%2FENG
does not work at all because of %2F%2F that are in the URI.
https://front-end-server-ip/path-to-server-01/linka/156752 also works, which
proves that the https mode works with my configuration.
I found the following in my ssl_error_log (when I set the LogLevel to trace8):
[Fri Oct 02 18:03:57.826073 2015] [core:info] [pid 6179] [client
address-ip:56842] AH00026: found %2f (encoded '/') in URI
(decoded='/linka/156752//156752//ENG'), returning 404
One last thing: I am in the lab, so my reverse proxy has no FQDN domain name
and the https is self-signed. I think these are not a problem.
I am on CentOS 6.7. The httpd servers that I tested for this are httpd 2.2.15
(AllowEncodedSlashes On) and httpd24-httpd-2.4.12 (AllowEncodedSlashes
NoDecode).
I am asking myself: why does SSL force the core to decode %2f%2f in the URI?
Is there any security reason?
Thanks very much for your quick answer. I am so confused now by this problem.
Everything depends on it.
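The three documented AllowEncodedSlashes modes, modelled in Python as an added example (not httpd source and not part of the report), run against the request path and the AH00026 line quoted above. The names unescape_path and rejected_path are hypothetical and the model covers only %2F handling. httpd logs AH00026 only on the Off branch, so a request that produces this line was processed with the directive effectively Off.

```python
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
AH00026 = re.compile(
    r"AH00026: found %2f \(encoded '/'\) in URI \(decoded='([^']*)'\), returning 404")

# Request path and error-log line quoted in the report (log line joined onto one line).
SAMPLE_PATH = "/linka/156752%2F%2F156752%2F%2FENG"
SAMPLE_LOG = ("[Fri Oct 02 18:03:57.826073 2015] [core:info] [pid 6179] "
              "[client address-ip:56842] AH00026: found %2f (encoded '/') in URI "
              "(decoded='/linka/156752//156752//ENG'), returning 404")


def unescape_path(raw_path, mode):
    """Return (status, path) for one AllowEncodedSlashes mode (simplified model)."""
    if mode not in ("Off", "On", "NoDecode"):
        raise ValueError("unknown mode: %r" % mode)
    saw_encoded_slash = False

    def decode(match):
        nonlocal saw_encoded_slash
        char = chr(int(match.group(1), 16))
        if char == "/":
            saw_encoded_slash = True
            if mode == "NoDecode":
                return match.group(0)  # leave %2F exactly as sent
        return char

    path = PCT.sub(decode, raw_path)
    if saw_encoded_slash and mode == "Off":
        return 404, path  # rejected: this is the case AH00026 reports
    # "On" hands on a path whose segment boundaries differ from what the client
    # sent, which matters to any path-based rule; "NoDecode" preserves them.
    return 200, path


def rejected_path(log_line):
    """Extract the decoded path from an AH00026 line, or None for other messages."""
    match = AH00026.search(log_line)
    return match.group(1) if match else None


if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        print(mode, unescape_path(SAMPLE_PATH, mode))
    print("logged:", rejected_path(SAMPLE_LOG))
```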