| Summary: | Wrong backend is used | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Lubos Uhliarik <luhliari> |
| Component: | mod_proxy | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | | |
| Severity: | normal | | |
| Priority: | P2 | | |
| Version: | 2.4.38 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Linux | | |

Description
Lubos Uhliarik
2019-02-14 17:06:51 UTC
OK, this bug is even present in 2.4.34, but it occurs less often:

# curl -v http://localhost/test/test-miss.html; curl -v http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:45 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:45 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:46 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:47 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:48 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Date: Mon, 18 Feb 2019 16:23:48 GMT
< Server: Apache/2.4.34 (Fedora)
< Content-Length: 238
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access http://localhost/test-hit.html on this server.<br />
</p>
</body></html>
* Connection #0 to host localhost left intact
[root@host-8-248-205 ~]# curl -v http://localhost/test/test-miss.html; curl -v http://localhost/test/test-hit.html
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-miss.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:49 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:31 GMT
< ETag: "5-5822a1126202f"
< Accept-Ranges: bytes
< Content-Length: 5
< Content-Type: text/html; charset=UTF-8
<
MISS
* Connection #0 to host localhost left intact
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> GET /test/test-hit.html HTTP/1.1
> Host: localhost
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 18 Feb 2019 16:23:49 GMT
< Server: Apache/2.4.34 (Fedora)
< Last-Modified: Mon, 18 Feb 2019 12:14:26 GMT
< ETag: "4-5822a10df9597"
< Accept-Ranges: bytes
< Content-Length: 4
< Content-Type: text/html; charset=UTF-8
<
HIT
* Connection #0 to host localhost left intact

In 2.4.18, it is still failing. In 2.4.16, it passed 100 iterations (so probably, it is working here).

> ProxyPass /test/ http://localhost/
> ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
>
> Listen 8080
>
> <VirtualHost *:8080>
> ProxyRequests on
> <Proxy "*">
> Require all denied
> </Proxy>
> </VirtualHost>
What is this configuration supposed to achieve, reverse-proxying to a forward-proxy? What is "Listen"ing on port 80?
(In reply to Yann Ylavic from comment #3)
> > ProxyPass /test/ http://localhost/
> > ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
> >
> > Listen 8080
> >
> > <VirtualHost *:8080>
> > ProxyRequests on
> > <Proxy "*">
> > Require all denied
> > </Proxy>
> > </VirtualHost>
>
> What is this configuration supposed to achieve, reverse-proxying to a
> forward-proxy? What is "Listen"ing on port 80?

Apart from the weird setup, whose purpose I struggle to understand as well, I guess I know what is happening. As the configuration uses a remote proxy for certain URLs of the backend and not for others (.*hit.html on the backend requires the usage of a remote proxy, all other URLs do not), we get into trouble with our connection reusing. Once the worker for a backend returns a usable connection for a backend, we no longer check whether this particular URL should go directly or via a proxy. We just take what we have and use it.

Currently the above could be fixed by either disabling the reuse of connections or by having a separate

ProxyPassMatch ^(/test/.*hit.html)$ http://localhost$1

that is configured before the ProxyPass.

The config is perhaps a bit artificial, it is an internal test case we had for bug 33170; the point is merely to test that the ProxyRemoteMatch is applied correctly for some URLs and not others. I figured this was a connection re-use issue, but wasn't sure where. Maybe ProxyRemoteMatch shouldn't allow a URL path segment other than "/" if it cannot reliably be applied differently to different paths? (Or we should warn for this case?)

The alternative would be to (re-)validate the reused URL (from the reused proxy_conn_rec) against the ProxyRemoteMatch (if any involved for the new request). Not sure how to do this though, since we don't really store the path segment in proxy_conn_rec for now (only the hostname/port AFAICT), but should be possible..
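
The reuse behaviour discussed in the comments above can be reproduced in a small model, added here as an illustration; it is not httpd or mod_proxy code. `Worker`, `route_for` and `replay` are hypothetical names, and the pool is reduced to one list of idle connections that each remember the route they were opened with, so that the re-validating variant suggested in the last comment can be compared with the reported behaviour.

```python
import re

# Constructed model of the configuration quoted in this report:
#   ProxyPass /test/ http://localhost/
#   ProxyRemoteMatch http://localhost/.*hit.html http://localhost:8080
BACKEND = ("localhost", 80)
REMOTE_RULES = [(re.compile(r"http://localhost/.*hit.html"), ("localhost", 8080))]


def route_for(url):
    """Return the remote proxy a backend URL must use, or None for direct."""
    for pattern, proxy in REMOTE_RULES:
        if pattern.search(url):
            return proxy
    return None


class Worker:
    """Toy worker (assumption: one pool of idle connections per backend)."""

    def __init__(self, revalidate):
        self.revalidate = revalidate
        self.idle = []  # each entry records the route it was opened with

    def acquire(self, url):
        wanted = route_for(url)
        for conn in self.idle:
            # Reported behaviour: any idle connection to the backend is taken.
            # Re-validating variant: reuse only if the route still matches.
            if not self.revalidate or conn["via"] == wanted:
                self.idle.remove(conn)
                return conn
        return {"backend": BACKEND, "via": wanted}

    def release(self, conn):
        self.idle.append(conn)


def replay(urls, revalidate):
    """Send URLs through one worker; return the route each request used."""
    worker, used = Worker(revalidate), []
    for url in urls:
        conn = worker.acquire(url)
        used.append(conn["via"])
        worker.release(conn)
    return used


if __name__ == "__main__":
    urls = ["http://localhost/test-miss.html", "http://localhost/test-hit.html"]
    print("no revalidation:", replay(urls, revalidate=False))
    print("revalidation:   ", replay(urls, revalidate=True))
```

Without re-validation the second request inherits the direct connection opened for `test-miss.html`, so the access rule on the port 8080 proxy is never consulted for it; with the order reversed, `test-miss.html` is sent through the remote proxy instead.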