Bug 591224 - proxy_http doesn't set the hostname when doing reverse proxy
Summary: proxy_http doesn't set the hostname when doing reverse proxy
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_nss (Show other bugs)
(Show other bugs)
Version: 12
Hardware: All Linux
low
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 591901
TreeView+ depends on / blocked
 
Reported: 2010-05-11 17:20 UTC by Josh
Modified: 2016-02-29 15:22 UTC (History)
3 users (show)

Fixed In Version: mod_nss-1.0.8-6.fc12
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 591901 (view as bug list)
Environment:
Last Closed: 2010-06-04 18:46:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
copy the hostname into the client connection structure (628 bytes, patch)
2010-05-11 17:20 UTC, Josh
no flags Details | Diff
uses value of proxy-request-hostname in c->notes instead of c->remote_host (1.42 KB, patch)
2010-05-13 12:48 UTC, Josh
no flags Details | Diff
Enhanced c->notes patch that adds configuration option (4.87 KB, patch)
2010-05-13 14:46 UTC, Rob Crittenden
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Apache Bugzilla 36468 None None None Never

Description Josh 2010-05-11 17:20:56 UTC
Created attachment 413202 [details]
copy the hostname into the client connection structure

*NOTE* This is copied verbatim from the upstream bug report by Rob Crittenden*NOTE*

Description of problem:
When doing a reverse proxy the proxy client connection remote_host field isn't
populated. Since this is already available as a result of the ProxyPassReverse
entry it makes sense to pass this on.

Otherwise a client that may want this hostname value has no access to it until
the request is being processed and in the case of an input filter that does
something like SSL may be too late. 

SSL connections should compare the requested hostname value with the certificate
subject returned by remote server. This is the only protection against
man-in-the-middle attacks. Once mod_proxy populates this field then SSL
connections can do this comparison.

Version-Release number of selected component (if applicable):
httpd-2.2.15-1.fc12.2

How reproducible:
Always

Steps to Reproduce:
1. Create a ssl reverse proxy
2. Install mod_nss
3. Remove mod_ssl
4. Try to use the ssl reverse proxy.
  
Actual results:
mod_nss errors with: "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."

Expected results:
The reverse proxy works and traffic is passed

Additional info:
This was originally reported by Rob Crittenden against 2.0.4.  I have tested the uploaded patch that was supplied by Rob Crittenden.  It works using mod_nss.

Comment 1 Rob Crittenden 2010-05-11 18:00:49 UTC
Joe, this is your patch from EL5.

Comment 2 Joe Orton 2010-05-12 07:16:48 UTC
This got done differently upstream.  As of 2.2.12 I think, the proxy sets 
the "proxy-request-hostname" note in r->connection->notes with the hostname of the backend - you need to change mod_nss to use this instead of the custom hack we used in RHEL5.

Comment 3 Josh 2010-05-12 20:56:07 UTC
from what i can tell of mod_nss, it is checking in pre_connection which doesn't have access to the request_rec r

Comment 4 Josh 2010-05-12 21:50:40 UTC
(In reply to comment #3)
> from what i can tell of mod_nss, it is checking in pre_connection which doesn't
> have access to the request_rec r    

nvm, i see how it can be done.

I've created a patch but haven't had a chance to test it yet.  I'll test it tomorrow and upload it when it works.

Comment 5 Josh 2010-05-13 12:48:16 UTC
Created attachment 413752 [details]
uses value of proxy-request-hostname in c->notes instead of c->remote_host

This patch changes mod_nss to use the value of proxy-request-hostname in c->notes instead of c->remote_host

This is the same method used by mod_ssl and the recommended upstream method per comment 2.

Comment 6 Rob Crittenden 2010-05-13 14:46:52 UTC
Created attachment 413782 [details]
Enhanced c->notes patch that adds configuration option

I enhanced your patch to add a new configuration option, NSSProxyCheckPeerCN.

I'm not quite sure I agree with the existence of this option but added to keep parity with mod_ssl.

If this seems ok I'll get it committed upstream and add this patch to Fedora 12-rawhide.

Comment 7 Josh 2010-05-13 14:52:16 UTC
that patch looks good to me.  it defaults to checking which I think is appropriate.

Will you be porting this to the RHEL6 branch also?

Thanks!

Comment 8 Rob Crittenden 2010-05-13 15:22:45 UTC
Yes, this will be fixed in RHEL-6 as well (bug #591901)

Committed upstream.

Checking in TODO;
/cvs/dirsec/mod_nss/TODO,v  <--  TODO
new revision: 1.4; previous revision: 1.3
done
Checking in mod_nss.c;
/cvs/dirsec/mod_nss/mod_nss.c,v  <--  mod_nss.c
new revision: 1.19; previous revision: 1.18
done
Checking in mod_nss.h;
/cvs/dirsec/mod_nss/mod_nss.h,v  <--  mod_nss.h
new revision: 1.22; previous revision: 1.21
done
Checking in nss_engine_config.c;
/cvs/dirsec/mod_nss/nss_engine_config.c,v  <--  nss_engine_config.c
new revision: 1.17; previous revision: 1.16
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Checking in docs/mod_nss.html;
/cvs/dirsec/mod_nss/docs/mod_nss.html,v  <--  mod_nss.html
new revision: 1.12; previous revision: 1.11
done

Comment 9 Fedora Update System 2010-05-13 17:59:57 UTC
mod_nss-1.0.8-5.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12

Comment 10 Fedora Update System 2010-05-13 18:00:02 UTC
mod_nss-1.0.8-5.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13

Comment 11 Fedora Update System 2010-05-15 20:24:08 UTC
mod_nss-1.0.8-5.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mod_nss'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc12

Comment 12 Fedora Update System 2010-05-15 20:34:53 UTC
mod_nss-1.0.8-5.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mod_nss'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-5.fc13

Comment 13 Josh 2010-05-17 17:58:52 UTC
we're waiting on the SIGHUP bug (591889) before we test because it doesn't make much sense for us to use this version if we can't run nss without bug 591889 fixed.

Comment 14 Fedora Update System 2010-05-17 20:23:31 UTC
mod_nss-1.0.8-6.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12

Comment 15 Fedora Update System 2010-05-17 20:23:40 UTC
mod_nss-1.0.8-6.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13

Comment 16 Fedora Update System 2010-05-18 21:56:08 UTC
mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mod_nss'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc13

Comment 17 Fedora Update System 2010-05-18 21:56:52 UTC
mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mod_nss'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/mod_nss-1.0.8-6.fc12

Comment 18 Fedora Update System 2010-06-04 18:46:04 UTC
mod_nss-1.0.8-6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2010-06-04 18:51:50 UTC
mod_nss-1.0.8-6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-09-20 14:34:02 UTC
mod_nss-1.0.8-7.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc13

Comment 21 Fedora Update System 2010-09-20 14:34:12 UTC
mod_nss-1.0.8-7.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-7.fc12

Comment 22 Fedora Update System 2010-09-20 14:34:21 UTC
mod_nss-1.0.8-8.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/mod_nss-1.0.8-8.fc14


Note You need to log in before you can comment on or make changes to this bug.