Bug 591901
Summary: proxy_http doesn't set the hostname when doing reverse proxy

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat Enterprise Linux 6 | Reporter | Rob Crittenden <rcritten> |
| Component | mod_nss | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | medium | Docs Contact | |
| Priority | high | | |
| Version | 6.0 | CC | benl, dpal, jorton, joshkayse, kchamart, pahan, rcritten |
| Target Milestone | rc | Keywords | Regression |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | mod_nss-1_0_8-7_el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | 591224 | Environment | |
| Last Closed | 2010-11-11 14:51:27 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 591224 | | |
| Bug Blocks | | | |
| Attachments | | | |
Description
Rob Crittenden
2010-05-13 13:03:57 UTC
Verified with mod_nss-1.0.8-8.el6.x86_64. Attached is the rhts script used to verify.

Successful output from /var/log/httpd/error_log:

```
[root@colossus ~]# cat /var/log/httpd/error_log
[Tue Aug 31 11:06:19 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to [::1]:8443 (localhost)
[Tue Aug 31 11:06:19 2010] [info] Connection to child 0 established (server colossus.dsdev.sjc.redhat.com:80, client ::1)
[Tue Aug 31 11:06:19 2010] [error] SSL Proxy: Possible man-in-the-middle attack. The remove server is colossus.dsdev.sjc.redhat.com, we expected localhost
[Tue Aug 31 11:06:19 2010] [info] SSL library error -12276 writing data
[Tue Aug 31 11:06:19 2010] [info] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Tue Aug 31 11:06:19 2010] [error] (20014)Internal error: proxy: pass request body failed to [::1]:8443 (localhost)
[Tue Aug 31 11:06:19 2010] [error] proxy: pass request body failed to [::1]:8443 (localhost) from 10.14.1.213 ()
[Tue Aug 31 11:06:19 2010] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (localhost)
[Tue Aug 31 11:06:19 2010] [debug] nss_engine_io.c(656): SSL connection destroyed without being closed
[Tue Aug 31 11:06:19 2010] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Tue Aug 31 11:15:42 2010] [info] removed PID file /etc/httpd/run/httpd.pid (pid=18788)
[Tue Aug 31 11:15:42 2010] [notice] caught SIGTERM, shutting down
[Tue Aug 31 11:15:42 2010] [info] Shutting down SSL Session ID Cache
[Tue Aug 31 11:15:42 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Aug 31 11:15:42 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 31 11:15:42 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
```
```
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(1506): [client 10.14.1.213] proxy: https: found worker https://colossus.dsdev.sjc.redhat.com:8443/ for https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy.c(993): Running scheme https handler (attempt 0)
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1962): proxy: HTTP: serving URL https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2011): proxy: HTTPS: has acquired connection for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2067): proxy: connecting https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt to colossus.dsdev.sjc.redhat.com:8443
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2193): proxy: connected /content-bz591224.txt to colossus.dsdev.sjc.redhat.com:8443
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2444): proxy: HTTPS: fam 2 socket created to connect to colossus.dsdev.sjc.redhat.com
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 10.14.1.213:8443 (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [info] Connection to child 0 established (server colossus.dsdev.sjc.redhat.com:80, client 10.14.1.213)
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1732): proxy: start body send
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1836): proxy: end body send
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [debug] nss_engine_io.c(656): SSL connection destroyed without being closed
[root@colossus ~]#
```

Created attachment 442251 [details] a simple test for proxying to an SSL server.

With the below contents in nss.conf:

```
[root@colossus ]# cat nss.conf
NSSProxyEngine On
NSSProxyCipherSuite +rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
NSSProxyProtocol SSLv3
ProxyPass /bz591224/ https://colossus.dsdev.sjc.redhat.com:8443/
ProxyPassReverse /bz591224/ https://colossus.dsdev.sjc.redhat.com:8443/
LogLevel debug
```

Many thanks to rcrit, jorton, ckannan

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
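As an added example (not from this report or from the mod_nss project), a small Python triage helper for the failure mode shown in the error_log above: it pairs each mod_nss "Possible man-in-the-middle attack" line with the backend connection it belongs to and with the NSS error code that follows it, so an operator can see which name the proxy verified against and which name the backend certificate actually carried, and it derives the backend URL whose host matches the certificate, which is the shape of the ProxyPass used in the verification run. The sample log lines are copied from this report; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the failing request from the error_log quoted in this
# report, followed by the later, successful backend connection.
SAMPLE_LOG = """\
[Tue Aug 31 11:06:19 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to [::1]:8443 (localhost)
[Tue Aug 31 11:06:19 2010] [error] SSL Proxy: Possible man-in-the-middle attack. The remove server is colossus.dsdev.sjc.redhat.com, we expected localhost
[Tue Aug 31 11:06:19 2010] [info] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Tue Aug 31 11:06:19 2010] [error] proxy: pass request body failed to [::1]:8443 (localhost) from 10.14.1.213 ()
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 10.14.1.213:8443 (colossus.dsdev.sjc.redhat.com)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CONNECT_RE = re.compile(r"HTTPS: connection complete to (?P<addr>\S+) \((?P<host>[^)]+)\)")
MITM_RE = re.compile(r"SSL Proxy: Possible man-in-the-middle attack\. The remove server is "
                     r"(?P<cert>[^,]+), we expected (?P<expected>\S+)")
NSS_ERR_RE = re.compile(r"SSL Library Error: (?P<code>-?\d+) ")

@dataclass
class HostnameMismatch:
    timestamp: str
    backend_addr: str    # host:port mod_proxy actually connected to
    expected_host: str   # name mod_nss verified against (taken from the ProxyPass URL)
    cert_host: str       # name the backend certificate actually carries
    nss_error: str = ""  # NSS error code logged right after, e.g. -12276

def find_mismatches(log_text):
    """Pair each mod_nss hostname-mismatch error with the backend connection it
    belongs to and with the NSS error code that follows it."""
    last_addr, pending, findings = "?", None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if c := CONNECT_RE.search(msg):
            last_addr = c.group("addr")
        elif mm := MITM_RE.search(msg):
            pending = HostnameMismatch(ts, last_addr, mm.group("expected"), mm.group("cert"))
            findings.append(pending)
        elif (e := NSS_ERR_RE.search(msg)) and pending and not pending.nss_error:
            pending.nss_error = e.group("code")
    return findings

def corrected_backend_url(f):
    """Backend URL whose host matches the certificate name, keeping the port of
    the original target (hypothetical helper; mirrors the verification's ProxyPass)."""
    port = f.backend_addr.rsplit(":", 1)[1]
    return f"https://{f.cert_host}:{port}/"
```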