Bug 591901 - proxy_http doesn't set the hostname when doing reverse proxy
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mod_nss (Show other bugs)
6.0
All Linux
Priority: high
Severity: medium
: rc
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
: Regression
Depends On: 591224
Blocks:
Reported: 2010-05-13 09:03 EDT by Rob Crittenden
Modified: 2015-01-04 18:42 EST (History)

See Also:
Fixed In Version: mod_nss-1_0_8-7_el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 591224
Environment:
Last Closed: 2010-11-11 09:51:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
a simple test for proxying to SSL server. (780 bytes, text/plain)
2010-08-31 14:54 EDT, Kashyap Chamarthy

Description Rob Crittenden 2010-05-13 09:03:57 EDT
This needs to be fixed or is a regression from EL 5.

+++ This bug was initially created as a clone of Bug #591224 +++

Created an attachment (id=413202)
copy the hostname into the client connection structure

*NOTE* This is copied verbatim from the upstream bug report by Rob Crittenden*NOTE*

Description of problem:
When doing a reverse proxy the proxy client connection remote_host field isn't
populated. Since this is already available as a result of the ProxyPassReverse
entry it makes sense to pass this on.

Otherwise a client that may want this hostname value has no access to it until
the request is being processed and in the case of an input filter that does
something like SSL may be too late. 

SSL connections should compare the requested hostname value with the certificate
subject returned by remote server. This is the only protection against
man-in-the-middle attacks. Once mod_proxy populates this field then SSL
connections can do this comparison.

Version-Release number of selected component (if applicable):
httpd-2.2.15-1.fc12.2

How reproducible:
Always

Steps to Reproduce:
1. Create a ssl reverse proxy
2. Install mod_nss
3. Remove mod_ssl
4. Try to use the ssl reverse proxy.
  
Actual results:
mod_nss errors with: "SSL Proxy: I don't have the name of the host we're supposed to connect to so I can't verify that we are connecting to who we think we should be. Giving up. Hint: See Apache bug 36468."

Expected results:
The reverse proxy works and traffic is passed

Additional info:
This was originally reported by Rob Crittenden against 2.0.4.  I have tested the uploaded patch that was supplied by Rob Crittenden.  It works using mod_nss.

--- Additional comment from rcritten@redhat.com on 2010-05-11 14:00:49 EDT ---

Joe, this is your patch from EL5.

--- Additional comment from jorton@redhat.com on 2010-05-12 03:16:48 EDT ---

This got done differently upstream.  As of 2.2.12 I think, the proxy sets 
the "proxy-request-hostname" note in r->connection->notes with the hostname of the backend - you need to change mod_nss to use this instead of the custom hack we used in RHEL5.

--- Additional comment from joshkayse@fedoraproject.org on 2010-05-12 16:56:07 EDT ---

from what i can tell of mod_nss, it is checking in pre_connection which doesn't have access to the request_rec r

--- Additional comment from joshkayse@fedoraproject.org on 2010-05-12 17:50:40 EDT ---

(In reply to comment #3)
> from what i can tell of mod_nss, it is checking in pre_connection which doesn't
> have access to the request_rec r    

nvm, i see how it can be done.

I've created a patch but haven't had a chance to test it yet.  I'll test it tomorrow and upload it when it works.

--- Additional comment from joshkayse@fedoraproject.org on 2010-05-13 08:48:16 EDT ---

Created an attachment (id=413752)
uses value of proxy-request-hostname in c->notes instead of c->remote_host

This patch changes mod_nss to use the value of proxy-request-hostname in c->notes instead of c->remote_host

This is the same method used by mod_ssl and the recommended upstream method per comment 2.
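The comparison the description asks for, written out as an added example (this is not mod_nss or mod_proxy code): when the proxy supplies the backend hostname it is matched against the names in the backend's certificate, and when no hostname was recorded the only safe answer is to refuse, which is the "Giving up" error quoted under Actual results. The function names, the wildcard rule and the sample certificate names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Verdicts mirroring the three outcomes mod_nss reports on this page. */
typedef enum {
    PROXY_OK = 0,        /* expected name present and matches the certificate */
    PROXY_NO_HOSTNAME,   /* nothing to compare against: refuse to connect */
    PROXY_NAME_MISMATCH  /* hostname known but the certificate is for another name */
} proxy_verdict;
/* ASCII case-insensitive string equality (DNS names are case-insensitive). */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        char cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb)
            return false;
    }
    return *a == '\0' && *b == '\0';
}
/* One certificate name against the expected host. A leading "*." matches
 * exactly one DNS label; no partial-label wildcards, nothing across dots. */
static bool cert_name_matches(const char *cert_name, const char *expected)
{
    if (cert_name[0] == '*' && cert_name[1] == '.') {
        const char *dot = expected;
        while (*dot && *dot != '.')
            dot++;
        if (dot == expected || *dot == '\0')
            return false;                 /* wildcard needs a label in front */
        return name_eq(cert_name + 1, dot);   /* compare the ".domain" parts */
    }
    return name_eq(cert_name, expected);
}

/* expected: the backend hostname the proxy recorded for this connection
 * (the "proxy-request-hostname" note in the fixed module), or NULL when
 * mod_proxy never recorded one, which is the bug this report is about.
 * names/n_names: subject names read from the backend's certificate. */
proxy_verdict verify_backend_name(const char *expected,
                                  const char *const *names, size_t n_names)
{
    if (expected == NULL || *expected == '\0')
        return PROXY_NO_HOSTNAME;         /* fail closed, as mod_nss does */
    for (size_t i = 0; i < n_names; i++)
        if (cert_name_matches(names[i], expected))
            return PROXY_OK;
    return PROXY_NAME_MISMATCH;
}

/* Constructed sample certificate names (assumed, not from a real cert). */
static const char *const SAMPLE_EXACT[] = { "colossus.dsdev.sjc.redhat.com" };
static const char *const SAMPLE_WILD[]  = { "*.dsdev.sjc.redhat.com" };

proxy_verdict check_sample(const char *expected, bool wildcard_cert)
{
    return wildcard_cert ? verify_backend_name(expected, SAMPLE_WILD, 1)
                         : verify_backend_name(expected, SAMPLE_EXACT, 1);
}
```

The mismatch case reproduces the situation in the verification log below, where the proxy expected "localhost" but the certificate was issued to the colossus host.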
Comment 5 Kashyap Chamarthy 2010-08-31 14:41:58 EDT
Verified with mod_nss-1.0.8-8.el6.x86_64

Attached is the rhts script used to verify

Successful output from /var/log/httpd/error_log 
======================================================================
[root@colossus ~]# cat /var/log/httpd/error_log 
[Tue Aug 31 11:06:19 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to [::1]:8443 (localhost)
[Tue Aug 31 11:06:19 2010] [info] Connection to child 0 established (server colossus.dsdev.sjc.redhat.com:80, client ::1)
[Tue Aug 31 11:06:19 2010] [error] SSL Proxy: Possible man-in-the-middle attack. The remove server is colossus.dsdev.sjc.redhat.com, we expected localhost
[Tue Aug 31 11:06:19 2010] [info] SSL library error -12276 writing data
[Tue Aug 31 11:06:19 2010] [info] SSL Library Error: -12276 Requested domain name does not match the server's certificate
[Tue Aug 31 11:06:19 2010] [error] (20014)Internal error: proxy: pass request body failed to [::1]:8443 (localhost)
[Tue Aug 31 11:06:19 2010] [error] proxy: pass request body failed to [::1]:8443 (localhost) from 10.14.1.213 ()
[Tue Aug 31 11:06:19 2010] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (localhost)
[Tue Aug 31 11:06:19 2010] [debug] nss_engine_io.c(656): SSL connection destroyed without being closed
[Tue Aug 31 11:06:19 2010] [error] SSL Library Error: -12271 SSL client cannot verify your certificate
[Tue Aug 31 11:15:42 2010] [info] removed PID file /etc/httpd/run/httpd.pid (pid=18788)
[Tue Aug 31 11:15:42 2010] [notice] caught SIGTERM, shutting down
[Tue Aug 31 11:15:42 2010] [info] Shutting down SSL Session ID Cache
[Tue Aug 31 11:15:42 2010] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Aug 31 11:15:42 2010] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 31 11:15:42 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/3.12.6.2
[Tue Aug 31 11:15:43 2010] [info] Shutting down SSL Session ID Cache
[Tue Aug 31 11:15:43 2010] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 31 11:15:43 2010] [notice] Digest: done
[Tue Aug 31 11:15:43 2010] [debug] util_ldap.c(2058): LDAP merging Shared Cache conf: shm=0x7fa1f6cb9488 rmm=0x7fa1f6cb94e0 for VHOST: colossus.dsdev.sjc.redhat.com
[Tue Aug 31 11:15:43 2010] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Tue Aug 31 11:15:43 2010] [info] LDAP: SSL support available
[Tue Aug 31 11:15:43 2010] [info] Initializing SSL Session Cache of size 10000. SSL2 timeout = 100, SSL3/TLS timeout = 86400.
[Tue Aug 31 11:15:43 2010] [info] Server: Apache/2.2.15, Interface: mod_nss/2.2.15, Library: NSS/3.12.6.2
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18961 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18961 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18961 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18961 for (*)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18962 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18962 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18962 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18962 for (*)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18963 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18963 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18963 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18963 for (*)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18964 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18964 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18964 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18964 for (*)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18965 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18965 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18965 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18965 for (*)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18966 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18966 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18966 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18966 for (*)
[Tue Aug 31 11:15:43 2010] [notice] Apache/2.2.15 (Unix) DAV/2 mod_nss/2.2.15 NSS/3.12.6.2 configured -- resuming normal operations
[Tue Aug 31 11:15:43 2010] [info] Server built: Aug 14 2010 08:53:20
[Tue Aug 31 11:15:43 2010] [debug] prefork.c(1013): AcceptMutex: sysvsem (default: sysvsem)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18967 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18967 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18967 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18967 for (*)
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 18968 for worker https://colossus.dsdev.sjc.redhat.com:8443/
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker https://colossus.dsdev.sjc.redhat.com:8443/ already initialized
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 18968 for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 1 in child 18968 for worker proxy:reverse
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Tue Aug 31 11:15:43 2010] [debug] proxy_util.c(1934): proxy: initialized single connection worker 1 in child 18968 for (*)
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:43 2010] [info] Init: Seeding PRNG with 144 bytes of entropy
[Tue Aug 31 11:15:43 2010] [info] Enabling proxy.
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(612): Enabling SSL3
[Tue Aug 31 11:15:43 2010] [debug] nss_engine_init.c(788): Configuring permitted SSL ciphers [+rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5]
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(1506): [client 10.14.1.213] proxy: https: found worker https://colossus.dsdev.sjc.redhat.com:8443/ for https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy.c(993): Running scheme https handler (attempt 0)
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1962): proxy: HTTP: serving URL https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2011): proxy: HTTPS: has acquired connection for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2067): proxy: connecting https://colossus.dsdev.sjc.redhat.com:8443/content-bz591224.txt to colossus.dsdev.sjc.redhat.com:8443
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2193): proxy: connected /content-bz591224.txt to colossus.dsdev.sjc.redhat.com:8443
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2444): proxy: HTTPS: fam 2 socket created to connect to colossus.dsdev.sjc.redhat.com
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2576): proxy: HTTPS: connection complete to 10.14.1.213:8443 (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [info] Connection to child 0 established (server colossus.dsdev.sjc.redhat.com:80, client 10.14.1.213)
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1732): proxy: start body send
[Tue Aug 31 11:15:44 2010] [debug] mod_proxy_http.c(1836): proxy: end body send
[Tue Aug 31 11:15:44 2010] [debug] proxy_util.c(2029): proxy: HTTPS: has released connection for (colossus.dsdev.sjc.redhat.com)
[Tue Aug 31 11:15:44 2010] [debug] nss_engine_io.c(656): SSL connection destroyed without being closed
[root@colossus ~]#
Comment 6 Kashyap Chamarthy 2010-08-31 14:54:35 EDT
Created attachment 442251 [details]
a simple test for proxying to SSL server.

With the below contents in nss.conf
#########################################################
[root@colossus ]# cat nss.conf 
NSSProxyEngine On
NSSProxyCipherSuite +rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
NSSProxyProtocol SSLv3

ProxyPass /bz591224/ https://colossus.dsdev.sjc.redhat.com:8443/
ProxyPassReverse /bz591224/ https://colossus.dsdev.sjc.redhat.com:8443/
LogLevel debug
########################################################

Many thanks to rcrit, jorton, ckannan
Comment 7 releng-rhel@redhat.com 2010-11-11 09:51:27 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.
