Bug 591224
| Summary: | proxy_http doesn't set the hostname when doing reverse proxy | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh <joshkayse> | |
| Component: | mod_nss | Assignee: | Rob Crittenden <rcritten> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 12 | CC: | jorton, pahan, rcritten | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | mod_nss-1.0.8-6.fc12 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 591901 (view as bug list) | Environment: | ||
| Last Closed: | 2010-06-04 18:46:13 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 591901 | |||
| Attachments: | ||||
Joe, this is your patch from EL5. This got done differently upstream. As of 2.2.12 I think, the proxy sets the "proxy-request-hostname" note in r->connection->notes with the hostname of the backend - you need to change mod_nss to use this instead of the custom hack we used in RHEL5. from what i can tell of mod_nss, it is checking in pre_connection which doesn't have access to the request_rec r (In reply to comment #3) > from what i can tell of mod_nss, it is checking in pre_connection which doesn't > have access to the request_rec r nvm, i see how it can be done. I've created a patch but haven't had a chance to test it yet. I'll test it tomorrow and upload it when it works. Created attachment 413752 [details] uses value of proxy-request-hostname in c->notes instead of c->remote_host This patch changes mod_nss to use the value of proxy-request-hostname in c->notes instead of c->remote_host This is the same method used by mod_ssl and the recommended upstream method per comment 2. Created attachment 413782 [details]
Enhanced c->notes patch that adds configuration option
I enhanced your patch to add a new configuration option, NSSProxyCheckPeerCN.
I'm not quite sure I agree with the existence of this option but added to keep parity with mod_ssl.
If this seems ok I'll get it committed upstream and add this patch to Fedora 12-rawhide.
that patch looks good to me. it defaults to checking which I think is appropriate. Will you be porting this to the RHEL6 branch also? Thanks! Yes, this will be fixed in RHEL-6 as well (bug #591901) Committed upstream. Checking in TODO; /cvs/dirsec/mod_nss/TODO,v <-- TODO new revision: 1.4; previous revision: 1.3 done Checking in mod_nss.c; /cvs/dirsec/mod_nss/mod_nss.c,v <-- mod_nss.c new revision: 1.19; previous revision: 1.18 done Checking in mod_nss.h; /cvs/dirsec/mod_nss/mod_nss.h,v <-- mod_nss.h new revision: 1.22; previous revision: 1.21 done Checking in nss_engine_config.c; /cvs/dirsec/mod_nss/nss_engine_config.c,v <-- nss_engine_config.c new revision: 1.17; previous revision: 1.16 done Running syncmail... Mailing relnotes... ...syncmail done. Running syncmail... Mailing cvsdirsec... ...syncmail done. Checking in docs/mod_nss.html; /cvs/dirsec/mod_nss/docs/mod_nss.html,v <-- mod_nss.html new revision: 1.12; previous revision: 1.11 done mod_nss-1.0.8-5.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12 mod_nss-1.0.8-5.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13 mod_nss-1.0.8-5.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12 mod_nss-1.0.8-5.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13 we're waiting on the SIGHUP bug (591889) before we test because it doesn't make much sense for us to use this version if we can't run nss without bug 591889 fixed. mod_nss-1.0.8-6.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12 mod_nss-1.0.8-6.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13 mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13 mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12 mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report. mod_nss-1.0.8-7.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc13 mod_nss-1.0.8-7.fc12 has been submitted as an update for Fedora 12. https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc12 mod_nss-1.0.8-8.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/mod_nss-1.0.8-8.fc14 |
Created attachment 413202 [details] copy the hostname into the client connection structure *NOTE* This is copied verbatim from the upstream bug report by Rob Crittenden*NOTE* Description of problem: When doing a reverse proxy the proxy client connection remote_host field isn't populated. Since this is already available as a result of the ProxyPassReverse entry it makes sense to pass this on. Otherwise a client that may want this hostname value has no access to it until the request is being processed and in the case of an input filter that does something like SSL may be too late. SSL connections should compare the requested hostname value with the certificate subject returned by remote server. This is the only protection against man-in-the-middle attacks. Once mod_proxy populates this field then SSL connections can do this comparison. Version-Release number of selected component (if applicable): httpd-2.2.15-1.fc12.2 How reproducible: Always Steps to Reproduce: 1. Create a ssl reverse proxy 2. Install mod_nss 3. Remove mod_ssl 4. Try to use the ssl reverse proxy. Actual results: mod_nss errors with: "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468." Expected results: The reverse proxy works and traffic is passed Additional info: This was originally reported by Rob Crittenden against 2.0.4. I have tested the uploaded patch that was supplied by Rob Crittenden. It works using mod_nss.