On 01/08/2008 06:41 PM, Martin Kraemer wrote:
> Okay, I found a new bug in the 2.2.7 proxy while testing SSL
> and non-SSL CONNECTions both with and without a ProxyRemote
> directive.
>
> <verbose>
> To recap, totally different things happen in the presence or
> absence of a ProxyRemote:
>
> * with ProxyRemote, the web server acts as a forwarder, and
>   connects to an "upstream" proxy in a proxy chain (speaking
>   the HTTP protocol to it),
>
> while
>
> * without ProxyRemote, the web server connects directly to the
>   origin server, speaking the native protocol to it (i.e., speaking
>   FTP when executing an ftp://originserver/ proxy URL, or
>   simply tunnelling the net data when doing http:// or ssl
>   CONNECT proxy requests)
> </verbose>
>
> In the test matrix, the forwarder situation was working all right.
> The direct connection, however, breaks in SSL mode, and the
> connection is closed by the 2.2.7 proxy too early (before
> receiving the 1st response to the SSL CLIENT-HELLO).
>
> The chunk_filter patch seems to improve the situation: the
> connection "sometimes" succeeds. But in most cases, I get
> (with a slightly patched openssl s_client that can use an
> HTTP proxy):
>
> --snip--
> % openssl s_client -connect originserver:443 -proxy apacheproxy227:8227 -verify 0 -msg
> verify depth is 0
> HTTP/1.0 200 Connection Established
> CONNECTED(00000005)
> >>> SSL 2.0 [length 00c5], CLIENT-HELLO
>     01 03 01 00 9c 00 00 00 20 00 c0 14 00 c0 0a 00
>     00 39 00 00 38 00 00 88 00 00 87 00 c0 0f 00 c0
>     05 00 00 35 00 00 84 00 c0 12 00 c0 08 00 00 16
>     00 00 13 00 c0 0d 00 c0 03 00 00 0a 07 00 c0 00
>     c0 13 00 c0 09 00 00 33 00 00 32 00 00 9a 00 00
>     99 00 00 45 00 00 44 00 c0 0e 00 c0 04 00 00 2f
>     00 00 96 00 00 41 00 00 07 05 00 80 03 00 80 00
>     c0 11 00 c0 07 00 c0 0c 00 c0 02 00 00 05 00 00
>     04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 40
>     00 00 14 00 00 11 00 00 08 00 00 06 04 00 80 00
>     00 03 02 00 80 b8 a2 32 64 e5 0b 51 ae ec a1 2f
>     f0 f9 6e b1 8f ab af 9c 97 c2 de a1 d4 f3 34 1d
>     a9 c3 9c ef 10
> 38921:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:631:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 199 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Compression: NONE
> Expansion: NONE
> ---
> --snip--
>
> so the connection is closed before the response has arrived.
>
> On the server side, the proxy_connect (with DEBUGGING) logs:
>
> --snip--
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(145): proxy: CONNECT: connecting to remote host originserver
> [Tue Jan 08 15:00:44 2008] [debug] proxy_util.c(1525): proxy: CONNECT: fam 2 socket created to connect to originserver
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(241): proxy: CONNECT: Returning 200 OK Status
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(262): proxy: CONNECT: setting up poll()
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(299): proxy: CONNECT: woke from select(), i=1
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(344): proxy: CONNECT: client was set
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(353): proxy: CONNECT: read 199 from client
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(299): proxy: CONNECT: woke from select(), i=1
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(344): proxy: CONNECT: client was set
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(371): proxy: CONNECT: client: apr_socket_recv() => rv=70014 = End of file found
> [Tue Jan 08 15:00:44 2008] [debug] mod_proxy_connect.c(404): proxy: CONNECT: finished with poll() - cleaning up
> --snip--
>
> so it gets an EOF when there should be more data available.
>
> On Sun, Jan 06, 2008 at 07:47:03PM +0100, Ruediger Pluem wrote:
>> Ok, next one. I missed setting the correct state in some situations.
>> Can you please give it a try again?
>
> As I said, without this patch, the connection apparently never
> succeeds. With the patch, *sometimes* it succeeds:

Very, very strange, because in the SSL proxy forward case you

1. use mod_proxy_connect, which wasn't touched in 2.2.x for the last 11 months, so I doubt that this is a regression.

2. The HTTP_IN filter does not do anything in the SSL proxy forward case (it is not in the filter chain), as in contrast to non-SSL proxying mod_proxy_connect does not care about the contents of the backend at all and is a pure data pump on TCP level.

Or are you talking about reverse proxying an SSL backend?

Regards

Rüdiger
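As an added illustration (my own example, not code from this thread or from Apache httpd), here is a minimal CONNECT tunnel in Python that exercises the two paths Martin contrasts: direct mode, where the proxy opens a TCP connection to the origin and then behaves as the pure data pump Rüdiger describes mod_proxy_connect as being, and forwarder mode, where it relays the CONNECT to an upstream proxy the way ProxyRemote does and only starts pumping after the upstream answers 200. The pump reports which side hit EOF first, which is the distinction the debug log above turns on (apr_socket_recv() on the client returning "End of file found"). The echo origin server, the loopback addresses, the ephemeral ports and the test message are all constructed for the demo.

```python
"""Minimal HTTP CONNECT tunnel in direct and forwarder (ProxyRemote-like) mode.
Added example, not Apache httpd code; origin, addresses and payload are
constructed for the demo and everything runs on loopback."""
import select
import socket
import threading


def parse_connect(request_line: bytes):
    """Return (host, port) from a 'CONNECT host:port HTTP/1.x' request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, port = parts[1].rpartition(b":")
    if not host or not port.isdigit():
        raise ValueError("bad authority in CONNECT")
    return host.decode(), int(port)


def read_head(sock):
    """Read through the blank line ending an HTTP head; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def pump(client, backend):
    """Pure TCP data pump: copy bytes both ways until one side hits EOF.
    Returns which side closed first, the fact the debug log distinguishes."""
    while True:
        readable, _, _ = select.select([client, backend], [], [])
        for s in readable:
            data = s.recv(65536)
            if not data:
                return "client" if s is client else "backend"
            (backend if s is client else client).sendall(data)


def handle(client, upstream=None):
    """Serve one CONNECT. upstream=None: connect directly to the origin.
    upstream=(host, port): forwarder mode, relay the CONNECT to that proxy
    (what ProxyRemote does) and tunnel only after it answers 200."""
    head, leftover = read_head(client)
    host, port = parse_connect(head.split(b"\r\n", 1)[0])
    backend = None
    try:
        if upstream is None:
            backend = socket.create_connection((host, port))
            early = b""
        else:
            backend = socket.create_connection(upstream)
            backend.sendall(b"CONNECT %s:%d HTTP/1.0\r\n\r\n" % (host.encode(), port))
            status, early = read_head(backend)  # upstream's reply (+ any early bytes)
            if status.split()[1:2] != [b"200"]:
                client.sendall(b"HTTP/1.0 502 Bad Gateway\r\n\r\n")
                return "upstream-refused"
        client.sendall(b"HTTP/1.0 200 Connection Established\r\n\r\n")
        if early:       # tunnelled bytes the upstream sent right after its 200
            client.sendall(early)
        if leftover:    # bytes the client pipelined right after its CONNECT
            backend.sendall(leftover)
        return pump(client, backend)
    finally:
        client.close()
        if backend is not None:
            backend.close()


def serve_once(handler):
    """Listen on an ephemeral loopback port and serve one connection in a thread.
    Returns (port, thread, dict that receives the handler's return value)."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    port, result = ls.getsockname()[1], {}

    def run():
        conn, _ = ls.accept()
        ls.close()
        result["value"] = handler(conn)

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t, result


def echo_origin(conn):
    """Constructed origin server: echoes until the tunnel closes on it."""
    while True:
        data = conn.recv(4096)
        if not data:
            conn.close()
            return "origin-eof"
        conn.sendall(data)


def demo(forwarded):
    """Tunnel one message end to end. forwarded=True chains a second proxy in
    front of the first, ProxyRemote style. Returns (echoed bytes, side that
    the front proxy saw close first)."""
    origin_port, _, _ = serve_once(echo_origin)
    proxy_port, pthread, result = serve_once(handle)
    if forwarded:
        proxy_port, pthread, result = serve_once(
            lambda c, up=proxy_port: handle(c, ("127.0.0.1", up)))
    msg = b"hello through the tunnel"
    c = socket.create_connection(("127.0.0.1", proxy_port))
    c.sendall(b"CONNECT 127.0.0.1:%d HTTP/1.0\r\n\r\n" % origin_port)
    status, echoed = read_head(c)
    if not status.startswith(b"HTTP/1.0 200"):
        raise RuntimeError(status)
    c.sendall(msg)
    while len(echoed) < len(msg):
        echoed += c.recv(4096)
    c.close()          # client EOF: the proxy should now tear the tunnel down
    pthread.join(5)
    return echoed, result.get("value")


if __name__ == "__main__":
    print("direct:   ", demo(False))
    print("forwarded:", demo(True))
```

In both modes the proxy only ever sees raw bytes once the 200 has gone out, so nothing that inspects HTTP bodies (the chunk filter, HTTP_IN) is in the path; if a tunnel dies early, the first question is which socket returned EOF, which is exactly what the `pump` return value records.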