Bug 591224 - proxy_http doesn't set the hostname when doing reverse proxy
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mod_nss
Version: 12
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Blocks: 591901
Reported: 2010-05-11 13:20 EDT by Josh
Modified: 2016-02-29 10:22 EST
Fixed In Version: mod_nss-1.0.8-6.fc12
Doc Type: Bug Fix
Clones: 591901
Last Closed: 2010-06-04 14:46:13 EDT

Attachments
copy the hostname into the client connection structure (628 bytes, patch)
2010-05-11 13:20 EDT, Josh
uses value of proxy-request-hostname in c->notes instead of c->remote_host (1.42 KB, patch)
2010-05-13 08:48 EDT, Josh
Enhanced c->notes patch that adds configuration option (4.87 KB, patch)
2010-05-13 10:46 EDT, Rob Crittenden

External Trackers
Apache Bugzilla 36468
Description Josh 2010-05-11 13:20:56 EDT
Created attachment 413202
copy the hostname into the client connection structure

*NOTE* This is copied verbatim from the upstream bug report by Rob Crittenden. *NOTE*

Description of problem:
When doing a reverse proxy the proxy client connection remote_host field isn't
populated. Since this is already available as a result of the ProxyPassReverse
entry it makes sense to pass this on.

Otherwise a client that may want this hostname value has no access to it until
the request is being processed and in the case of an input filter that does
something like SSL may be too late.

SSL connections should compare the requested hostname value with the certificate
subject returned by remote server. This is the only protection against
man-in-the-middle attacks. Once mod_proxy populates this field then SSL
connections can do this comparison.

Version-Release number of selected component (if applicable):
httpd-2.2.15-1.fc12.2

How reproducible:
Always

Steps to Reproduce:
1. Create an SSL reverse proxy
2. Install mod_nss
3. Remove mod_ssl
4. Try to use the SSL reverse proxy.

Actual results:
mod_nss errors with: "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."

Expected results:
The reverse proxy works and traffic is passed

Additional info:
This was originally reported by Rob Crittenden against 2.0.4. I have tested the uploaded patch that was supplied by Rob Crittenden. It works using mod_nss.
Comment 1 Rob Crittenden 2010-05-11 14:00:49 EDT
Joe, this is your patch from EL5.
Comment 2 Joe Orton 2010-05-12 03:16:48 EDT
This got done differently upstream. As of 2.2.12 I think, the proxy sets the "proxy-request-hostname" note in r->connection->notes with the hostname of the backend - you need to change mod_nss to use this instead of the custom hack we used in RHEL5.
Comment 3 Josh 2010-05-12 16:56:07 EDT
From what I can tell of mod_nss, it is checking in pre_connection, which doesn't have access to the request_rec r.
Comment 4 Josh 2010-05-12 17:50:40 EDT
(In reply to comment #3)
> from what i can tell of mod_nss, it is checking in pre_connection which doesn't
> have access to the request_rec r

Never mind, I see how it can be done.

I've created a patch but haven't had a chance to test it yet.  I'll test it tomorrow and upload it when it works.
Comment 5 Josh 2010-05-13 08:48:16 EDT
Created attachment 413752
uses value of proxy-request-hostname in c->notes instead of c->remote_host

This patch changes mod_nss to use the value of proxy-request-hostname in c->notes instead of c->remote_host.

This is the same method used by mod_ssl and the recommended upstream method per comment 2.
Comment 6 Rob Crittenden 2010-05-13 10:46:52 EDT
Created attachment 413782
Enhanced c->notes patch that adds configuration option

I enhanced your patch to add a new configuration option, NSSProxyCheckPeerCN.

I'm not quite sure I agree with the existence of this option but added to keep parity with mod_ssl.

If this seems ok I'll get it committed upstream and add this patch to Fedora 12-rawhide.
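Comments 2, 5 and 6 together describe the fix: mod_proxy records the backend hostname in the connection notes under "proxy-request-hostname", mod_nss reads it from there (not from c->remote_host) and compares it with the backend certificate's name before trusting the connection, and NSSProxyCheckPeerCN (default on) governs the check. The C example below is added here to illustrate that decision; it is not mod_nss's code and replaces APR's notes table and the NSS certificate API with constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in for Apache's connection notes table (apr_table_t), constructed
 * for this example: a list of key/value pairs terminated by a NULL key. */
typedef struct { const char *key; const char *val; } note_t;

static const char *note_get(const note_t *notes, const char *key) {
    for (; notes && notes->key; notes++)
        if (strcmp(notes->key, key) == 0) return notes->val;
    return NULL;
}

/* Case-insensitive match of the requested hostname against one certificate
 * name. A leading "*." matches exactly one host label; no other wildcards. */
static int name_matches(const char *host, const char *cert_name) {
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(dot + 1, cert_name + 2) == 0;
    }
    return strcasecmp(host, cert_name) == 0;
}

/* Decide whether the proxy may trust the backend's certificate.
 * check_peer_cn models NSSProxyCheckPeerCN (the patch defaults it to on).
 * Returns 1 to proceed, 0 to refuse the backend connection. */
int proxy_peer_ok(const note_t *conn_notes, const char *cert_cn, int check_peer_cn) {
    const char *host = note_get(conn_notes, "proxy-request-hostname");
    if (!check_peer_cn)
        return 1;                       /* operator explicitly disabled the check */
    if (host == NULL) {
        /* The situation in this bug: mod_proxy never recorded the target
         * hostname, so there is nothing to compare the certificate against.
         * Fail closed rather than accept any certificate. */
        fprintf(stderr, "SSL Proxy: no proxy-request-hostname note, giving up\n");
        return 0;
    }
    return name_matches(host, cert_cn);
}

int main(void) {
    /* Constructed sample: the note mod_proxy would set for a ProxyPass target. */
    const note_t notes[] = {{"proxy-request-hostname", "backend.example.test"}, {NULL, NULL}};
    const note_t no_notes[] = {{NULL, NULL}};
    printf("matching CN: %d\n", proxy_peer_ok(notes, "backend.example.test", 1));
    printf("no hostname: %d\n", proxy_peer_ok(no_notes, "backend.example.test", 1));
    return 0;
}
```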
Comment 7 Josh 2010-05-13 10:52:16 EDT
That patch looks good to me. It defaults to checking, which I think is appropriate.

Will you be porting this to the RHEL6 branch also?

Thanks!
Comment 8 Rob Crittenden 2010-05-13 11:22:45 EDT
Yes, this will be fixed in RHEL-6 as well (bug #591901).

Committed upstream.

Checking in TODO;
/cvs/dirsec/mod_nss/TODO,v  <--  TODO
new revision: 1.4; previous revision: 1.3
done
Checking in mod_nss.c;
/cvs/dirsec/mod_nss/mod_nss.c,v  <--  mod_nss.c
new revision: 1.19; previous revision: 1.18
done
Checking in mod_nss.h;
/cvs/dirsec/mod_nss/mod_nss.h,v  <--  mod_nss.h
new revision: 1.22; previous revision: 1.21
done
Checking in nss_engine_config.c;
/cvs/dirsec/mod_nss/nss_engine_config.c,v  <--  nss_engine_config.c
new revision: 1.17; previous revision: 1.16
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in docs/mod_nss.html;
/cvs/dirsec/mod_nss/docs/mod_nss.html,v  <--  mod_nss.html
new revision: 1.12; previous revision: 1.11
done
Comment 9 Fedora Update System 2010-05-13 13:59:57 EDT
mod_nss-1.0.8-5.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12
Comment 10 Fedora Update System 2010-05-13 14:00:02 EDT
mod_nss-1.0.8-5.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13
Comment 11 Fedora Update System 2010-05-15 16:24:08 EDT
mod_nss-1.0.8-5.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12
Comment 12 Fedora Update System 2010-05-15 16:34:53 EDT
mod_nss-1.0.8-5.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13
Comment 13 Josh 2010-05-17 13:58:52 EDT
We're waiting on the SIGHUP bug (591889) before we test, because it doesn't make much sense for us to use this version if we can't run NSS without bug 591889 fixed.
Comment 14 Fedora Update System 2010-05-17 16:23:31 EDT
mod_nss-1.0.8-6.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12
Comment 15 Fedora Update System 2010-05-17 16:23:40 EDT
mod_nss-1.0.8-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13
Comment 16 Fedora Update System 2010-05-18 17:56:08 EDT
mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13
Comment 17 Fedora Update System 2010-05-18 17:56:52 EDT
mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update mod_nss'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12
Comment 18 Fedora Update System 2010-06-04 14:46:04 EDT
mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2010-06-04 14:51:50 EDT
mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2010-09-20 10:34:02 EDT
mod_nss-1.0.8-7.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc13
Comment 21 Fedora Update System 2010-09-20 10:34:12 EDT
mod_nss-1.0.8-7.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc12
Comment 22 Fedora Update System 2010-09-20 10:34:21 EDT
mod_nss-1.0.8-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-8.fc14