mod_proxy and HTTP 302 response

on 16.08.2002 07:34:08 by jsilves

I am running Apache 1.3.26 with mod_proxy and am having an interesting
problem. A specific site that I connect to with the proxy server is
doing a redirect on requests. However, the redirect is not being
interpreted properly by the proxy server. If I connect to the same
site without using the proxy server, my browser is properly redirected,
which is why I am unable to figure out exactly what is happening.

If I make a request of http://www.someserver.com/webpage.html it is
supposed to be redirected to http://server1.someserver.com/webpage.html

When using the proxy server I get this in my web browser:

Date: Fri, 16 Aug 2002 05:17:28 GMT Server: RealPage 2700
Set-Cookie: RealPageID=590675136; expires=Tue, 31-Dec-2002 00:00:00 GMT;
path=/; domain=.someserver.com Location:
http://server1.someserver.com/webpage.html Content-Type: text/html
X-Cache: MISS from xxx.xxx.xxx.xxx Connection: close


And I see this in the log file

yyy.yyy.yyy.yyy - - [16/Aug/2002:01:17:40 -0400] "GET http://www.someserver.com/webpage.html HTTP/1.1" 302 179


Any ideas what is happening here? As I said, if I connect directly to the
web site without the proxy server in the middle, the redirect works and
the correct page is displayed. Also, the web site is not mine and is
outside of my control.


John

Re: mod_proxy and HTTP 302 response

on 16.08.2002 08:24:57 by Brett Hutley

J.D. Silvester wrote:

>I am running Apache 1.3.26 with mod_proxy and am having an interesting
>problem. A specific site that I connect to with the proxy server is
>doing a redirect on requests. However, the redirect is not being
>interpreted properly by the proxy server. If I connect to the same
>site without using the proxy server, my browser is properly redirected,
>which is why I am unable to figure out exactly what is happening.
>
>If I make a request of http://www.someserver.com/webpage.html it is
>supposed to be redirected to http://server1.someserver.com/webpage.html
>
>When using the proxy server I get this in my web browser:
>
>Date: Fri, 16 Aug 2002 05:17:28 GMT Server: RealPage 2700
>Set-Cookie: RealPageID=590675136; expires=Tue, 31-Dec-2002 00:00:00 GMT;
>path=/; domain=.someserver.com Location:
>http://server1.someserver.com/webpage.html Content-Type: text/html
>X-Cache: MISS from xxx.xxx.xxx.xxx Connection: close
>

OK, it may be that having worked through one mod_proxy problem, I now
see *everything* in terms of that problem (akin to what happens if you
only have a hammer), but this kinda sounds like the issue I was banging
my head against yesterday. Is the server that is doing the redirection
sending back invalid headers (where invalid is defined in mod_proxy as a
HTTP header line without a colon in it)? If so, see my post to this
mailing list of earlier today.

Cheers, Brett

Re: mod_proxy and HTTP 302 response

on 16.08.2002 09:40:03 by Peter Van Biesen

I have the same problem with two sites : www.argenta.be and
www.sony-europe.com . The proxy locks up for 30 seconds and then garbles
up the headers. Sony is an IIS/4.x, which has a known problem : it does
not send a TCP/IP packet at the end of the connection, so the
proxy keeps on waiting until a timeout occurs. Does your proxy lock up
also for about 30 seconds ? I don't know if this causes the headers to
be garbled.

I've contacted the webmasters to get more details but up until now no
response ...

Peter.

Re: mod_proxy and HTTP 302 response

on 16.08.2002 16:44:02 by jsilves

On Fri, 16 Aug 2002, Peter Van Biesen wrote:

> I have the same problem with two sites : www.argenta.be and
> www.sony-europe.com . The proxy locks up for 30 seconds and then garbles
> up the headers. Sony is an IIS/4.x, which has a known problem : it does
> not send a TCP/IP packet at the end of the connection, so the
> proxy keeps on waiting until a timeout occurs. Does your proxy lock up
> also for about 30 seconds ? I don't know if this causes the headers to
> be garbled.
>
> I've contacted the webmasters to get more details but up until now no
> response ...
>
> Peter.
>

Peter, yes it does seem to lock up for about 30 seconds. Then I get a
web page in my browser showing the header information I posted earlier.

I just looked at the source for that web page and this is what I got:

Date: Fri, 16 Aug 2002 14:03:26 GMT
Server: RealPage 2700
Location: http://server1.someserver.com/webpage.html
Content-Type: text/html
X-Cache: MISS from xxx.xxx.xxx.xxx
Transfer-Encoding: chunked

9d





0


That is exactly how it appears in the Netscape source viewer. I
especially like the "space link". So, I'm guessing that the extra junk at
the bottom after the headers is what is causing the problem?


John

Re: mod_proxy and HTTP 302 response

on 17.08.2002 01:05:02 by Brett Hutley

J.D. Silvester wrote:
*snip*

>I just looked at the source for that web page and this is what I got:
>
>Date: Fri, 16 Aug 2002 14:03:26 GMT
>Server: RealPage 2700
>Location: http://server1.someserver.com/webpage.html
>Content-Type: text/html
>X-Cache: MISS from xxx.xxx.xxx.xxx
>Transfer-Encoding: chunked
>
>9d
>
>


>
>


>
>0
>
>
>That is exactly how it appears in the Netscape source viewer. I
>especially like the "space link". So, I'm guessing that the extra junk at
>the bottom after the headers is what is causing the problem?
>
>
>
What you need to do is have a look at the HTTP headers that the server
that is doing the redirect sends BEFORE they hit your proxy server. An
easy way to do this is to use 'wget -S' (I wish I'd known this the other
day - I was using tcpdump to sniff the packets...). For example, when I
fire it at my host:

wget -S host.example.com

I get back:

HTTP request sent, awaiting response...
1 HTTP/1.0 200 OK
2 Server: Zope/(Zope 2.5.1b1 (OpenBSD package zope-2.5.1b1)
3 , python 2.1.2, openbsd3) ZServer/1.1b1
4 Date: Fri, 16 Aug 2002 22:52:44 GMT
5 Connection: Keep-Alive
6 Content-Type: text/html
7 Etag:
8 Content-Length: 289

.... and you can immediately see the bad line number 3, without the
all-important colon.

Cheers, Brett
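
The check described in the message above (a header line with no colon in it), as an added example that is not part of the original post or of mod_proxy. The function name and the sample response, which is constructed from the Zope listing above, are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the response head from the listing above, with CRLFs. */
static const char SAMPLE_HEAD[] =
    "HTTP/1.0 200 OK\r\n"
    "Server: Zope/(Zope 2.5.1b1 (OpenBSD package zope-2.5.1b1)\r\n"
    ", python 2.1.2, openbsd3) ZServer/1.1b1\r\n"
    "Date: Fri, 16 Aug 2002 22:52:44 GMT\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "Etag:\r\n"
    "Content-Length: 289\r\n"
    "\r\n";

/* Scan a raw response head and record the 1-based numbers of header lines
 * that are neither "name: value" nor a folded continuation (leading space
 * or tab). Line 1 is the status line and is skipped. Scanning stops at the
 * blank line that ends the head. Returns the number of bad lines found;
 * at most max_bad line numbers are stored in bad[]. */
static int find_bad_header_lines(const char *head, int *bad, int max_bad)
{
    int lineno = 0, nbad = 0;
    const char *p = head;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > 0 && p[len - 1] == '\r')
            len--;                          /* tolerate CRLF and bare LF */
        lineno++;
        if (len == 0)
            break;                          /* end of header block */

        if (lineno > 1) {
            int folded = (p[0] == ' ' || p[0] == '\t');
            const char *colon = memchr(p, ':', len);

            /* no colon, or a colon with an empty field name before it */
            if (!folded && (colon == NULL || colon == p)) {
                if (nbad < max_bad)
                    bad[nbad] = lineno;
                nbad++;
            }
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return nbad;
}

int main(void)
{
    int bad[8];
    int n = find_bad_header_lines(SAMPLE_HEAD, bad, 8);
    int i;

    for (i = 0; i < n && i < 8; i++)
        printf("header line %d has no field name and colon\n", bad[i]);
    return n ? 1 : 0;
}
```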

How to use different server based on the url ???

on 17.08.2002 17:20:16 by Nicolas Brasseur

Hello can anybody please tell me if it is possible to
reroute requests to another web server based on the
url used ...
I have an apache web server on a machine, and a lotus
domino server on another machine. I have a domain name
loop.be pointing to a router that re-route requests
addressed to the port 80 to the apache server. I would
like that when the url is www.loop.be the HTTP
requests are re-routed to the apache server (normal
way) and when the url used is mail.loop.be the HTTP
requests should be forwarded to the domino server.
In other terms, is apache able to "forward" requests
based on the url used ...

Am I clear enough ?

Thanks for your answers ...

Nicolas

Re: How to use different server based on the url ???

on 18.08.2002 03:17:40 by Brett Hutley

Nicolas Brasseur wrote:

>Hello can anybody please tell me if it is possible to
>reroute requests to another web server based on the
>url used ...
>I have an apache web server on a machine, and a lotus
>domino server on another machine. I have a domain name
>loop.be pointing to a router that re-route requests
>addressed to the port 80 to the apache server. I would
>like that when the url is www.loop.be the HTTP
>requests are re-routed to the apache server (normal
>way) and when the url used is mail.loop.be the HTTP
>requests should be forwarded to the domino server.
>In other terms, is apache able to "forward" requests
>based on the url used ...
>
Yup, definitely. Use mod_rewrite and mod_proxy. You'll need to build a
version of apache with these compiled in or loaded as modules (since
they are not included by default). You want to set up a rewrite rule
with a regex that matches the address you want to proxy and get it to
handle the other stuff locally. I believe that you'll only be able to do
it with HTTP/1.1 requests since your rewrite rule will depend on having
a RewriteCond using the %{HTTP_HOST} variable.

I'm pretty much a mod_rewrite novice, but I'll make a quick stab at
solving the problem (although someone with more experience PLEASE chime
in at this point...):

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mail\.loop\.be$
RewriteRule ^/(.*) http://domino.server/$1 [P,L]
RewriteRule ^/(.*) - [L]


The first rewrite rule depends on the condition of the HTTP_Host being
mail.loop.be. It then proxies the request to your domino server and
stops rewriting. The second rule says to serve the remaining matches
locally.

HTH,
Brett

Re: mod_proxy and HTTP 302 response

on 19.08.2002 11:53:55 by Peter Van Biesen

Hi,

I've investigated further and I see strange things happening :

Direct connection :

# wget -S --proxy=off http://www.argenta.be
--11:29:28-- http://www.argenta.be/
=> `index.html.2'
Resolving www.argenta.be... done.
Connecting to www.argenta.be[62.233.1.156]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200
2 Date: Mon, 19 Aug 2002 09:27:03 GMT
3 Server: web server
4 Set-Cookie: ASPSESSIONIDQQGGGQLW=GIHBKICAKHGMILKNGEHDOBLI; path=/
5 cache-control: private
6 Connection: close
7 Content-Type: text/html

Through the proxy :

wget -S http://www.argenta.be
--11:28:22-- http://www.argenta.be/
=> `index.html.1'
Resolving vlafo3... done.
Connecting to vlafo3[193.190.145.66]:80... connected.
Proxy request sent, awaiting response...
1 HTTP/1.1 200
2
3 Date: Mon, 19 Aug 2002 09:28:22 GMT
4 Server: web server
5 Set-Cookie: ASPSESSIONIDQQGGGQLW=PHHBKICAHBJJACKGMCPAJPAC; path=/
6 cache-control: private
7 Content-Type: text/html; charset=ISO-8859-1
8 Via: 1.0 www.argenta.be
9 Content-Length: 758
10 Connection: close

Notice the extra empty line when going through the proxy. Something I
also notice that is different is the HTTP line : on other sites, the
line includes " OK", but here it is not present. I know some regexp's
will fail on this line ...

I'll check the code if I have the time !

Anyway, I haven't tested the 302 response, what http headerline must I
send to the server to get a 302 response ?

Cheers,

Peter.

Re: mod_proxy and HTTP 302 response

on 19.08.2002 13:56:41 by Peter Van Biesen

Hi, I think I found the problem, try this patch, let me know if it
solves your problem :

*** proxy_http.c Fri Jun 14 19:14:57 2002
--- proxy_http_new.c Mon Aug 19 13:52:28 2002
***************
*** 734,744 ****
"server: ", buffer, NULL));
}
backasswards = 0;

buffer[12] = '\0';
r->status = atoi(&buffer[9]);

! buffer[12] = ' ';
r->status_line = apr_pstrdup(p, &buffer[9]);

/* read the headers. */
--- 734,749 ----
"server: ", buffer, NULL));
}
backasswards = 0;
+ //Store byte 12 in buffer[0] for safekeeping
+ buffer[0] = buffer[12];

buffer[12] = '\0';
r->status = atoi(&buffer[9]);

! //Put back position 12 and reset buffer[0] to 'H'
! buffer[12] = buffer[0];
! buffer[0] = 'H';
!
r->status_line = apr_pstrdup(p, &buffer[9]);

/* read the headers. */
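
Review bot: In the added lines around `buffer[0] = buffer[12];`, using byte 0 of the same buffer as scratch storage and then hard-coding `buffer[0] = 'H';` is fragile: it relies on the first byte always being 'H' and leaves the buffer altered while `atoi` runs. A local variable (`char saved = buffer[12];` then `buffer[12] = saved;`) does the same job without touching byte 0. The new comments use `//`, while the surrounding code uses `/* */`, so they should follow that style for older C compilers. Nothing in the visible lines checks that the status line is long enough before `buffer[12]` is read and written, so a length check ahead of this block would be worth adding.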

What does it do ? When a HTTP header is received without a description,
byte 12 will be \0. In this case, the old code would overwrite the \0
with a space, adding garbage at the end. This will probably be
interpreted by the outputwriter as a newline, thus the creation of the
problem. Is this correct ? Can anybody check this ?

Thanks !

Peter.

Re: mod_proxy and HTTP 302 response

on 19.08.2002 16:31:20 by jsilves

On Sat, 17 Aug 2002, Brett Hutley wrote:

> What you need to do is have a look at the HTTP headers that the server
> that is doing the redirect sends BEFORE they hit your proxy server. An
> easy way to do this is to use 'wget -S' (I wish I'd known this the other
> day - I was using tcpdump to sniff the packets...). For example, when I
> fire it at my host:
>
> wget -S host.example.com
>
> I get back:
>
> HTTP request sent, awaiting response...
> 1 HTTP/1.0 200 OK
> 2 Server: Zope/(Zope 2.5.1b1 (OpenBSD package zope-2.5.1b1)
> 3 , python 2.1.2, openbsd3) ZServer/1.1b1
> 4 Date: Fri, 16 Aug 2002 22:52:44 GMT
> 5 Connection: Keep-Alive
> 6 Content-Type: text/html
> 7 Etag:
> 8 Content-Length: 289
>
> ... and you can immediately see the bad line number 3, without the
> all-important colon.
>
> Cheers, Brett
>

Brett when I use wget (by the way thanks for pointing out that tool), this
is what I get.

First without the proxy server:

% /usr/local/wget/bin/wget -S --proxy=off http://www.someserver.com/webpage.html
--10:08:01-- http://www.someserver.com/webpage.html
=> `webpage.html'
Resolving www.someserver.com... done.
Connecting to www.someserver.com[xxx.xxx.xxx.xxx]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.0 302
2 Server: RealPage 2700
3 Set-Cookie: RealPageID=123456789; expires=Tue, 31-Dec-2002 00:00:00 GMT; path=/; domain=.someserver.com
4 Location: http://server1.someserver.com/webpage.html
5 Content-Type: text/html
Location: http://server1.someserver.com/webpage.html
[following]
--10:08:05--
http://server1.someserver.com/webpage.html
=> `webpage.html'
Resolving server1.someserver.com... done.
Connecting to server1.someserver.com[yyy.yyy.yyy.yyy]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 200 OK
2 Connection: Keep-Alive
3 Server: RealPage 2700
4 Content-Type: text/html
5 Content-length: 1592

100%[====================================>] 1,592 1.52M/s ETA
00:00

10:08:06 (1.52 MB/s) - `webpage.html' saved [1592/1592]


Now with the proxy server

% /usr/local/wget/bin/wget -S http://www.someserver.com/webpage.html
--10:09:27-- http://www.someserver.com/webpage.html
=> `webpage.html'
Resolving proxy.server.com... done.
Connecting to proxy.server.com[xxx.xxx.xxx.xxx]:80... connected.
Proxy request sent, awaiting response...
1 HTTP/1.1 302
Location: unspecified
ERROR: Redirection (302) without location.


Other than the first line, all the lines have a colon. So I am not sure
what is going wrong here. Any ideas?


John

Re: mod_proxy and HTTP 302 response

on 20.08.2002 01:31:18 by Brett Hutley

Peter Van Biesen wrote:

>Hi, I think I found the problem, try this patch, let me know if it
>solves your problem :
>
*snip*

Hi Peter,
your patch looks like it does the right thing. Note that this is a
2.0.40 patch (whereas I think John is running 1.3.26 as am I). The
problem is that the code assumes that because it got a HTTP/#.# along
with the status code that it's going to get a reason phrase as per the RFC.

Cheers, Brett

Re: mod_proxy and HTTP 302 response

on 20.08.2002 01:55:41 by Brett Hutley

J.D. Silvester wrote:
*stuff snipped*

>Other than the first line, all the lines have a colon. So I am not sure
>what is going wrong here. Any ideas?
>
>

Hmmm... I'm not sure what is going on here. I'd probably have to set up
a similar scenario in order to investigate. As a work-around, why don't
you use mod_rewrite to rewrite incoming requests to the server that is
doing the redirect, to redirect directly from the proxy to the server
that is the end-point of the redirect?
If you know what I mean... :)

Cheers, Brett

Re: How to use different server based on the url ???

on 20.08.2002 08:39:34 by Graham Leggett

Nicolas Brasseur wrote:

> Hello can anybody please tell me if it is possible to
> reroute requests to another web server based on the
> url used ...
> I have an apache web server on a machine, and a lotus
> domino server on another machine. I have a domain name
> loop.be pointing to a router that re-route requests
> addressed to the port 80 to the apache server. I would
> like that when the url is www.loop.be the HTTP
> requests are re-routed to the apache server (normal
> way) and when the url used is mail.loop.be the HTTP
> requests should be forwarded to the domino server.
> In other terms, is apache able to "forward" requests
> based on the url used ...

Use mod_proxy and virtual hosts:

NameVirtualHost ip.add.re.ss:80

<VirtualHost ip.add.re.ss:80>
ServerName www.loop.be
ProxyPass / http://apache/
ProxyPassReverse / http://apache/
</VirtualHost>

<VirtualHost ip.add.re.ss:80>
ServerName mail.loop.be
ProxyPass / http://domino/
ProxyPassReverse / http://domino/
</VirtualHost>

You can also use mod_rewrite in there, but using virtual hosts is
cleaner and more flexible a solution.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm
"There's a moon
over Bourbon Street
tonight..."

Re: mod_proxy and HTTP 302 response

on 20.08.2002 08:45:26 by Graham Leggett

Peter Van Biesen wrote:

> Direct connection :
>
> # wget -S --proxy=off http://www.argenta.be
> --11:29:28-- http://www.argenta.be/
> => `index.html.2'
> Resolving www.argenta.be... done.
> Connecting to www.argenta.be[62.233.1.156]:80... connected.
> HTTP request sent, awaiting response...
> 1 HTTP/1.1 200
^^^^^^^^

Seems the "human readable" part of the response is missing, and the
proxy is expecting at least an HTTP/x.x<space>200<space>, where the last
space is missing.

Regards,
Graham

Re: mod_proxy and HTTP 302 response

on 20.08.2002 09:41:55 by Brett Hutley

Graham Leggett wrote:

> Peter Van Biesen wrote:
>
>> Direct connection :
>>
>> # wget -S --proxy=off http://www.argenta.be
>> --11:29:28-- http://www.argenta.be/
>> => `index.html.2'
>> Resolving www.argenta.be... done.
>> Connecting to www.argenta.be[62.233.1.156]:80... connected.
>> HTTP request sent, awaiting response...
>> 1 HTTP/1.1 200
>
> ^^^^^^^^
>
> Seems the "human readable" part of the response is missing, and the
> proxy is expecting at least an HTTP/x.x<space>200<space>, where the
> last space is missing.
>
> Regards,
> Graham

Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
pushed through afterwards to the status_line member of the request_rec
structure. This seems to me to be potentially dangerous... as in; push
exploit machine code onto the heap through this function, and then take
advantage of a smaller buffer overflow opportunity elsewhere to indirect
through to your HUGE_STRING_LEN-13 sized exploit function... of course
this depends on there actually BEING another buffer overflow opportunity
elsewhere.... and being able to access the pointer to the request_rec
structure, and then DNS-cache-poisoning the internal dns server so the
web server proxies from the evil machine that serves the bad headers
rather than the server you THINK you are proxying from... so it's very,
very, unlikely to be exploited. The fix is so trivial though (make sure
the HTTP response string length is greater than 13 bytes).

Cheers, Brett

Re: How to use different server based on the url ???

on 20.08.2002 09:47:55 by Brett Hutley

Graham Leggett wrote:

> Nicolas Brasseur wrote:

*snip*

>
> Use mod_proxy and virtual hosts:

*snip*

>
> You can also use mod_rewrite in there, but using virtual hosts is
> cleaner and more flexible a solution.

Doh. *slaps forehead*... yup much neater. It's scary - I'm starting to
see everything as a problem calling for a mod_rewrite solution :)

Cheers, Brett

Re: mod_proxy and HTTP 302 response

on 20.08.2002 11:52:10 by Peter Van Biesen

Yes, I'm sorry, I should have pointed this out. Actually, it is a 2.0.39
patch, since I have not yet downloaded the 2.0.40 ...

Btw, am I to understand that the rfc states that there should be a space
there ( I didn't have the time to look it up yet ) ?

Peter.

Re: mod_proxy and HTTP 302 response

on 20.08.2002 14:14:40 by Brett Hutley

Peter Van Biesen wrote:

>Yes, I'm sorry, I should have pointed this out. Actually, it is a 2.0.39
>patch, since I have not yet downloaded the 2.0.40 ...
>
>Btw, am I to understand that the rfc states that there should be a space
>there ( I didn't have the time to look it up yet ) ?
>
>
Yup.

From the HTTP 1.1 RFC (2068) (but also in the 1.0 RFC).

-- 8< -- snip -- 8< --
6.1 Status-Line

The first line of a Response message is the Status-Line, consisting
of the protocol version followed by a numeric status code and its
associated textual phrase, with each element separated by SP
characters. No CR or LF is allowed except in the final CRLF
sequence.

Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF

-- 8< -- snip -- 8< --

Cheers, Brett
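
The status-line handling discussed in this thread, as an added example that is not part of the original posts or of Apache's source: `parse_legacy` is a hypothetical helper modelled on the three `buffer[12]` statements quoted earlier, and `parse_strict` is one way to parse the Status-Line grammar above while tolerating a missing reason phrase. The function names and the stale buffer contents are constructed for illustration, and only single-digit HTTP versions are accepted, matching the fixed offsets used in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper modelled on the statements quoted in the thread.
 * It assumes the line always looks like "HTTP/x.y NNN reason".
 * buffer must hold at least 13 bytes. */
static int parse_legacy(char *buffer, char *status_line, size_t cap)
{
    int status;

    buffer[12] = '\0';
    status = atoi(&buffer[9]);
    buffer[12] = ' ';   /* for "HTTP/1.1 302" this overwrites the terminator */
    snprintf(status_line, cap, "%s", &buffer[9]);
    return status;
}

/* Strict parse of: HTTP-Version SP Status-Code [SP Reason-Phrase].
 * The caller strips the trailing CRLF first. Returns the status code, or -1
 * if the line is malformed or the result does not fit in status_line. */
static int parse_strict(const char *line, char *status_line, size_t cap)
{
    size_t len = strlen(line);
    const char *reason, *p;
    int i, n;

    if (len < 12 || strncmp(line, "HTTP/", 5) != 0)
        return -1;
    if (!isdigit((unsigned char)line[5]) || line[6] != '.' ||
        !isdigit((unsigned char)line[7]) || line[8] != ' ')
        return -1;
    for (i = 9; i < 12; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;
    if (line[12] != '\0' && line[12] != ' ')
        return -1;                      /* e.g. "HTTP/1.1 3021" or stray CR */

    reason = (line[12] == ' ') ? line + 13 : "";
    for (p = reason; *p; p++)
        if (iscntrl((unsigned char)*p))
            return -1;                  /* no CR, LF or other control bytes */

    /* Always emit "NNN SP reason", with an empty reason if none was sent. */
    n = snprintf(status_line, cap, "%.3s %s", line + 9, reason);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
}

/* Reproduces the symptom: the read buffer still holds a longer, earlier
 * line (constructed here) when the 12-byte status line arrives. */
static int legacy_demo(char *status_line, size_t cap)
{
    char buffer[64];

    memset(buffer, 0, sizeof buffer);
    strcpy(buffer, "Server: RealPage 2700");    /* stale earlier contents */
    strcpy(buffer, "HTTP/1.1 302");             /* no reason phrase */
    return parse_legacy(buffer, status_line, cap);
}

int main(void)
{
    char out[64];
    int st = legacy_demo(out, sizeof out);

    printf("legacy: %d \"%s\"\n", st, out);
    st = parse_strict("HTTP/1.1 302", out, sizeof out);
    printf("strict: %d \"%s\"\n", st, out);
    return 0;
}
```

In the legacy path the stale bytes after offset 12 become part of the status line; the strict path yields the status code with an empty reason phrase and rejects anything shorter than 12 bytes.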

Re: mod_proxy and HTTP 302 response

on 20.08.2002 14:27:29 by Brett Hutley

Brett Hutley wrote:

> Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
> pushed through afterwards to the status_line member of the request_rec
> structure. This seems to me to be potentially dangerous... as in; push
> exploit machine code onto the heap through this function, and then
> take advantage of a smaller buffer overflow opportunity elsewhere to
> indirect through to your HUGE_STRING_LEN-13 sized exploit function...
> of course this depends on there actually BEING another buffer overflow
> opportunity elsewhere.... and being able to access the pointer to the
> request_rec structure, and then DNS-cache-poisoning the internal dns
> server so the web server proxies from the evil machine that serves the
> bad headers rather than the server you THINK you are proxying from...
> so it's very, very, unlikely to be exploited. The fix is so trivial
> though (make sure the HTTP response string length is greater than 13
> bytes).

Hmmm, just realised that an attacker can send through the exploit code
in the reason string anyway. I guess the patch will only help with
broken servers sending through broken status lines in the response
message (which, funnily enough, was its original purpose). Please
consider the above a momentary attack of insanity, while I give myself
a good whack with the clue stick.

Cheers, Brett

Re: mod_proxy and HTTP 302 response

on 20.08.2002 14:29:25 by jsilves

On Tue, 20 Aug 2002, Brett Hutley wrote:

> J.D. Silvester wrote:
> *stuff snipped*
>
> >Other than the first line, all the lines have a colon. So I am not sure
> >what is going wrong here. Any ideas?
> >
> >
>
> Hmmm... I'm not sure what is going on here. I'd probably have to set up
> a similar scenario in order to investigate. As a work-around, why don't
> you use mod_rewrite to rewrite incoming requests to the server that is
> doing the redirect, to redirect directly from the proxy to the server
> that is the end-point of the redirect?
> If you know what I mean... :)
>

Yeah I was thinking of that. I'll just have to get my head around
mod_rewrite (never been able to fully do that).


John

Re: mod_proxy and HTTP 302 response

on 20.08.2002 15:34:26 by Brett Hutley

J.D. Silvester wrote:

>On Tue, 20 Aug 2002, Brett Hutley wrote:
>
>
>
>>J.D. Silvester wrote:
>>*stuff snipped*
>>
>>
>>
>>>Other than the first line, all the lines have a colon. So I am not sure
>>>what is going wrong here. Any ideas?
>>>
>>>
>>>
>>>
>>Hmmm... I'm not sure what is going on here. I'd probably have to set up
>>a similar scenario in order to investigate. As a work-around, why don't
>>you use mod_rewrite to rewrite incoming requests to the server that is
>>doing the redirect, to redirect directly from the proxy to the server
>>that is the end-point of the redirect?
>>If you know what I mean... :)
>>
>>
>>
>
>Yeah I was thinking of that. I'll just have to get my head around
>mod_rewrite (never been able to fully do that).
>
>

Yeah, me neither.
As Graham Leggett pointed out, if the redirection is based on the host
name (or part of the host name), you can use name-based virtual hosting.
Then you can apply your rewrite rule inside the virtual host container
(if you need to map the path coming in on the request to the REAL path
on your server).

Just off the top of my head, the following has the vague possibility of
(accidentally) being something like what you want... (but don't be
fooled by my tone of certainty...)

.... within your virtual host container...
RewriteEngine On
RewriteRule ^/incoming_dir(.*) http://end.server.com/real_dir$1 [R,L]

# if you want to proxy all other requests to the original server...
RewriteRule ^/(.*) http://other.server.com/$1 [P,L]

# to help in debugging... (but don't leave it on log level 9 for long).
RewriteLog "/var/log/proxy_log"
RewriteLogLevel 9

Cheers, Brett

Re: mod_proxy and HTTP 302 response

on 21.08.2002 08:22:56 by Graham Leggett

Brett Hutley wrote:

> Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
> pushed through afterwards to the status_line member of the request_rec
> structure.

Looking at this, it does this:

r->status_line = apr_pstrdup(p, &buffer[9]);

apr_pstrdup is not strdup as far as I am aware. Can someone check this
for me?

Regards,
Graham

Re: mod_proxy and HTTP 302 response

on 21.08.2002 08:47:04 by Brett Hutley

Graham Leggett wrote:

> Brett Hutley wrote:
>
>> Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
>> pushed through afterwards to the status_line member of the
>> request_rec structure.
>
>
> Looking at this, it does this:
>
> r->status_line = apr_pstrdup(p, &buffer[9]);
>
> apr_pstrdup is not strdup as far as I am aware. Can someone check this
> for me?


Function is in apr_strings.c

Kinda works like strdup() as far as I can see... (although I guess with
a memory pool)...

APR_DECLARE(char *) apr_pstrdup(apr_pool_t *a, const char *s)
{
    char *res;
    apr_size_t len;

    if (s == NULL) {
        return NULL;
    }
    len = strlen(s) + 1;
    res = apr_palloc(a, len);
    memcpy(res, s, len);
    return res;
}

Re: mod_proxy and HTTP 302 response

am 21.08.2002 09:25:41 von Graham Leggett

Brett Hutley wrote:

> Kinda works like strdup() as far as I can see... (although I guess with
> a memory pool)...

> len = strlen(s) + 1;
> res = apr_palloc(a, len);
> memcpy(res, s, len);

The apr_palloc() will either allocate enough memory for a (potentially
very large) string, or it will segfault (to my knowledge) and fail safe.
Thus the memcpy will only occur if a buffer is created sufficiently
large enough to hold the string, thus no overflow that I can see.

Again - can someone else check...?

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm
"There's a moon
over Bourbon Street
tonight..."

Re: mod_proxy and HTTP 302 response

am 21.08.2002 10:52:04 von Brett Hutley

Graham Leggett wrote:

> Brett Hutley wrote:
>
>> Kinda works like strdup() as far as I can see... (although I guess
>> with a memory pool)...
>
>
>> len = strlen(s) + 1;
>> res = apr_palloc(a, len);
>> memcpy(res, s, len);
>
>
> The apr_palloc() will either allocate enough memory for a (potentially
> very large) string, or it will segfault (to my knowledge) and fail
> safe. Thus the memcpy will only occur if a buffer is created
> sufficiently large enough to hold the string, thus no overflow that I
> can see.
>
> Again - can someone else check...?

No, the point I was trying to make was not of a potential overflow, but
the ability to store whatever you want in an area of memory - including
machine code. If you had a *different* buffer overflow attack, but
didn't have enough of a buffer to store your exploit machine code, then
you could potentially use this area of memory to hold your exploit
machine code as binary data and then indirect to it using your buffer
overflow attack. For example, let's say that you had created a server
that sends "HTTP/1.1 200 ..." where the dots are the machine code for a
function that does a system("tftp ...") or whatever. The machine code is
essentially strdup()ed, and you now know that if you can indirect
through to that area of memory, i.e. (*request_rec->status_line)(); you
can execute your exploit code. Of course this depends on you being able
to make a buffer overflow attack on *another* function that gets the
request_rec pointer. So it is very very unlikely that this is a real
vulnerability.

Cheers, Brett

Re: mod_proxy and HTTP 302 response

am 21.08.2002 18:02:34 von Ian Holsman

Graham Leggett wrote:

> Brett Hutley wrote:
>
>> Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
>> pushed through afterwards to the status_line member of the
>> request_rec structure.
>
>
> Looking at this, it does this:
>
> r->status_line = apr_pstrdup(p, &buffer[9]);
>
> apr_pstrdup is not strdup as far as I am aware. Can someone check this
> for me?
>
> Regards,
> Graham

Ok.. I put a patch through in Apache 2.0 which will fix the case where
the server status line isn't present.
And yes, apr_pstrdup is the equivalent of strdup.

Re: mod_proxy and HTTP 302 response

am 22.08.2002 09:19:37 von Peter Van Biesen

Thank you ! Could you also add a line that prints a warning in the log
when the space after the status code is not present, so sysadmins can
bug the webmasters who run defective servers ?

Peter.

Ian Holsman wrote:
>
> Graham Leggett wrote:
>
> > Brett Hutley wrote:
> >
> >> Yup. Note that the way 2.0.40 handles this, it strdups WHATEVER is
> >> pushed through afterwards to the status_line member of the
> >> request_rec structure.
> >
> >
> > Looking at this, it does this:
> >
> > r->status_line = apr_pstrdup(p, &buffer[9]);
> >
> > apr_pstrdup is not strdup as far as I am aware. Can someone check this
> > for me?
> >
> > Regards,
> > Graham
>
> Ok.. I put a patch through in Apache 2.0 which will fix the case where
> the server status line isn't present.
> and yes apr_pstrdup is the equivalent of strdup.

Re: mod_proxy and HTTP 302 response

am 22.08.2002 09:29:14 von Graham Leggett

Peter Van Biesen wrote:

> Thank you ! Could you also add a line that prints a warning in the log
> when the space after the status code is not present, so sysadmins can
> bug the webmasters who run defective servers ?

I was about to ask for this - currently the way the space is handled
isn't obvious to someone looking at the code a year from now; it's
likely it could be removed down the line by accident.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm
"There's a moon
over Bourbon Street
tonight..."
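
The status-line handling discussed in this thread, as an added example that is not Apache's code or any poster's patch: a parser that checks the "HTTP/x.y NNN" prefix before taking the text at offset 9, reports a missing space after the status code so the caller can log it, and bounds and filters the reason phrase before it is stored. The function name, result codes and the 128-byte cap are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes and cap for this added example. */
enum { SL_REJECT = -1, SL_OK = 0, SL_WARN_NO_SPACE = 1 };
#define SL_REASON_MAX 128

/* Parse "HTTP/x.y NNN[ reason]" received from a backend. On success sets
 * *status and writes "NNN reason" (the form a status_line holds) to out. */
static int parse_status_line(const char *line, int *status,
                             char *out, size_t outsz)
{
    const char *reason;
    size_t i, n;
    int rc = SL_OK;

    /* Fixed 9-byte prefix "HTTP/d.d ", so the code starts at offset 9. */
    if (strlen(line) < 12 || strncmp(line, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)line[5]) || line[6] != '.' ||
        !isdigit((unsigned char)line[7]) || line[8] != ' ')
        return SL_REJECT;
    for (i = 9; i < 12; i++)              /* exactly three digits */
        if (!isdigit((unsigned char)line[i]))
            return SL_REJECT;
    *status = (line[9] - '0') * 100 + (line[10] - '0') * 10 + (line[11] - '0');
    if (*status < 100 || *status > 599)
        return SL_REJECT;

    /* After the code: a space then the reason, or a bare end of line. */
    reason = line + 12;
    if (*reason == ' ')
        reason++;
    else if (*reason == '\0' || *reason == '\r' || *reason == '\n')
        rc = SL_WARN_NO_SPACE;            /* caller logs the backend */
    else
        return SL_REJECT;                 /* e.g. "3020" or "302OK" */

    /* Reason phrase: bounded, printable ASCII only, ends at CR/LF. */
    n = strcspn(reason, "\r\n");
    if (n > SL_REASON_MAX || n + 5 > outsz)
        return SL_REJECT;
    for (i = 0; i < n; i++)
        if ((unsigned char)reason[i] < 0x20 || (unsigned char)reason[i] > 0x7e)
            return SL_REJECT;
    memcpy(out, line + 9, 3);
    out[3] = ' ';
    memcpy(out + 4, reason, n);
    out[n + 4] = '\0';
    return rc;
}
```

A caller would write a warning to the error log on SL_WARN_NO_SPACE and return a gateway error on SL_REJECT instead of forwarding the response.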