Bug 63893 - Bogus warning "unsupported command 20"
Summary: Bogus warning "unsupported command 20"
Status: REOPENED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_remoteip
Version: 2.4.38
Hardware: PC Linux
Importance: P2 normal with 1 vote
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Duplicates: 62866
Depends on:
Blocks:
Reported: 2019-10-30 13:38 UTC by Charlemagne Lasse
Modified: 2022-05-15 01:34 UTC
CC List: 3 users

Attachments
Patch to prevent from logging local proxy connections (532 bytes, patch)
2020-01-29 22:06 UTC, Giovanni Bechis
prevent logging local proxy connections (1.55 KB, patch)
2020-02-06 07:49 UTC, Giovanni Bechis
prevent logging local proxy connections (542 bytes, patch)
2020-02-06 09:54 UTC, Giovanni Bechis
don't log 400 for LOCAL PROXY connections (1.49 KB, patch)
2021-01-22 08:35 UTC, Joe Orton

Description Charlemagne Lasse 2019-10-30 13:38:32 UTC
My log just filled my complete EC2 HDD because Apache remoteip spams my logs with "RemoteIPProxyProtocol: unsupported command 20". This is caused by the health checks of AWS's NLB, which sends LOCAL ver_cmd proxy headers to check for problems.

This is (according to the spec https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) a valid ver_cmd and shouldn't cause this kind of log spam.

See "9. Sample code" for details.
Comment 1 Giovanni Bechis 2020-01-29 22:06:15 UTC
Created attachment 36986 [details]
Patch to prevent from logging local proxy connections
Comment 2 Eric Covener 2020-01-31 02:25:38 UTC
(In reply to Giovanni Bechis from comment #1)
> Created attachment 36986 [details]
> Patch to prevent from logging local proxy connections

Desk-checking the patch, and not too familiar with this module/protocol: should we be returning over the apr_sockaddr_ip_get() below the switch?
Comment 3 Giovanni Bechis 2020-02-06 07:49:22 UTC
Created attachment 36992 [details]
prevent logging local proxy connections

From protocol specs (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt):
"...When used with a LOCAL command, the receiver must accept the connection and
ignore any address information...."
The updated patch doesn't compute the client IP in the local connection case.
Comment 4 Joe Orton 2020-02-06 08:50:11 UTC
Doing "return HDR_DONE" in the LOCAL case looks simpler
Comment 5 Giovanni Bechis 2020-02-06 09:54:45 UTC
Created attachment 36993 [details]
prevent logging local proxy connections

Looks fine as well, diff updated.
Comment 6 Giovanni Bechis 2020-02-21 23:20:17 UTC
Committed to trunk in r1874344.
Comment 7 Avinash S 2021-01-22 06:54:11 UTC
This looks to be still not working.
Since we are checking for

if (!conn_config->client_addr) {
    ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03496)
                  "RemoteIPProxyProtocol data is missing, but required! Aborting request.");
    return HTTP_BAD_REQUEST;
}

we still return 400 Bad Request.
We may need to do something like the below under the switch statement:

case 0x00: /* LOCAL command */
case 0x01: /* PROXY command */
    switch (hdr->v2.fam) {
        case 0x11:  /* TCPv4 */
            ret = apr_sockaddr_info_get(&conn_conf->client_addr, NULL,
                                        APR_INET,
                                        ntohs(hdr->v2.addr.ip4.src_port),
                                        0, c->pool

and go ahead parsing client info even for LOCAL, so that conn_config->client_addr is populated.
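A worked decoding of the ver_cmd byte this ticket is about, added here as an illustration; it is not part of the ticket's attachments or of httpd's mod_remoteip code. It follows the v2 header layout from the PROXY protocol spec quoted in comment 3: the LOCAL command (0x20) is accepted with no address information, as the description asks, and the PROXY command (0x21) has its IPv4 source decoded, as comment 7 sketches. The enum and struct names, the `example_*` scenario functions and the constructed sample headers (including the 10.0.0.5:22257 source address) are this example's own assumptions, not anything from httpd.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not httpd code: a minimal PROXY protocol v2 header decoder.
 * ver_cmd 0x20 (version 2, command LOCAL) is a valid header that must be
 * accepted with no address information, not logged as "unsupported command". */

/* 12-byte signature that opens every v2 header (from the spec). */
static const uint8_t PP2_SIG[12] = {
    0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A
};

enum pp2_result {
    PP2_NEED_MORE,        /* fewer bytes than the header announces */
    PP2_BAD_SIGNATURE, PP2_BAD_VERSION,
    PP2_UNSUPPORTED_CMD,  /* command nibble other than LOCAL (0) / PROXY (1) */
    PP2_UNSUPPORTED_FAM,  /* address family this example does not decode */
    PP2_MALFORMED,        /* address block shorter than the family requires */
    PP2_LOCAL,            /* proxy's own connection: accept, no client address */
    PP2_PROXY             /* client address decoded into struct pp2_addr */
};

struct pp2_addr {
    int family;           /* 4 when decoded, 0 when no address was carried */
    uint8_t src[4];       /* source IPv4 address, network byte order */
    uint16_t src_port;
    size_t consumed;      /* total header length, including any TLVs */
};

enum pp2_result pp2_parse(const uint8_t *buf, size_t len, struct pp2_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 16) return PP2_NEED_MORE;
    if (memcmp(buf, PP2_SIG, 12) != 0) return PP2_BAD_SIGNATURE;
    uint8_t ver_cmd = buf[12], fam = buf[13];
    uint16_t addr_len = (uint16_t)((buf[14] << 8) | buf[15]);
    if ((ver_cmd & 0xF0) != 0x20) return PP2_BAD_VERSION;
    if (len < 16u + addr_len) return PP2_NEED_MORE;
    out->consumed = 16u + addr_len;

    switch (ver_cmd & 0x0F) {
    case 0x0:
        /* LOCAL: "the receiver must accept the connection and ignore any
         * address information". Nothing to decode; fam may be UNSPEC. */
        return PP2_LOCAL;
    case 0x1:
        break;            /* PROXY: decode the address block below */
    default:
        return PP2_UNSUPPORTED_CMD;
    }

    const uint8_t *a = buf + 16;  /* src_addr, dst_addr, src_port, dst_port */
    switch (fam) {
    case 0x11: case 0x12:         /* TCP / UDP over IPv4: 4 + 4 + 2 + 2 bytes */
        if (addr_len < 12) return PP2_MALFORMED;   /* never read past the block */
        out->family = 4;
        memcpy(out->src, a, 4);
        out->src_port = (uint16_t)((a[8] << 8) | a[9]);
        return PP2_PROXY;
    default:                      /* IPv6 and UNIX families left out here */
        return PP2_UNSUPPORTED_FAM;
    }
}

/* Builds the constructed sample headers used below (not captured traffic). */
static size_t make_header(uint8_t *buf, uint8_t ver_cmd, uint8_t fam,
                          const uint8_t *addr, uint16_t addr_len)
{
    memcpy(buf, PP2_SIG, 12);
    buf[12] = ver_cmd;
    buf[13] = fam;
    buf[14] = (uint8_t)(addr_len >> 8);
    buf[15] = (uint8_t)(addr_len & 0xFF);
    if (addr_len) memcpy(buf + 16, addr, addr_len);
    return 16u + addr_len;
}

/* Health-check style header: LOCAL, family UNSPEC, no address block. */
int example_local(void)
{
    uint8_t buf[64]; struct pp2_addr a;
    return pp2_parse(buf, make_header(buf, 0x20, 0x00, NULL, 0), &a);
}

/* Client behind the proxy: PROXY/TCPv4 from 10.0.0.5:22257 to 10.0.0.1:80. */
int example_proxy_v4_port(void)
{
    const uint8_t addr[12] = {10,0,0,5, 10,0,0,1, 0x56,0xF1, 0x00,0x50};
    uint8_t buf[64]; struct pp2_addr a;
    if (pp2_parse(buf, make_header(buf, 0x21, 0x11, addr, 12), &a) != PP2_PROXY
        || a.family != 4) return -1;
    return a.src_port;
}

/* Command nibble 0x2 is undefined by the spec: the real "unsupported" case. */
int example_unknown_cmd(void)
{
    uint8_t buf[64]; struct pp2_addr a;
    return pp2_parse(buf, make_header(buf, 0x22, 0x00, NULL, 0), &a);
}
```

The three `example_*` functions are the entry points: `example_local()` returns `PP2_LOCAL`, `example_proxy_v4_port()` returns 22257, and `example_unknown_cmd()` returns `PP2_UNSUPPORTED_CMD`. For the caller, `PP2_LOCAL` means "header valid, no client address", so any later check that a client address was supplied has to tell that case apart from a missing header; otherwise the health check is rejected with a 400, which is the second symptom comment 7 describes. The two length checks (`len < 16 + addr_len` and `addr_len < 12`) are what keep the decoder from reading beyond the bytes the header actually announces.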
Comment 8 Avinash S 2021-01-22 06:56:42 UTC
Btw, I was developing proxy protocol for my company and still came across this issue.

Is the above-mentioned fix fine?

What's your opinion?

Thanks,
Avinash
Comment 9 Joe Orton 2021-01-22 08:35:37 UTC
Created attachment 37712 [details]
don't log 400 for LOCAL PROXY connections

Can you try this patch?  We really need a test suite for this stuff. :(
Comment 10 Avinash S 2021-01-25 10:29:37 UTC
Hi Joe,
This patch is working fine.

Hi Joe, I would like to contribute to bug fixes/new features.
Could you please help me by providing details on the process for the same.

Thanks,
Avinash
Comment 11 Yann Ylavic 2021-01-26 12:29:54 UTC
(In reply to Avinash S from comment #10)
> would like to contribute in bug fixes/new features. 
> Could you please help me in providing details on process for the same.

Thanks for proposing!

The best way to contribute is to propose the patch(es) and rationale on the dev@httpd.apache.org mailing list, or for existing bugzilla tickets simply attach the proposed fix there.
Comment 12 Paulo M 2021-10-16 10:21:44 UTC
I'm having the same problem caused by AWS's NLB use of LOCAL.

I have tried the two patches and they successfully stopped the "RemoteIPProxyProtocol: unsupported command 20" and the logging of 400 errors, which makes the NLB health check pass.

However, I'm still seeing a bunch of these happening which are generated by the same health check requests:

[remoteip:error] [pid 9861:tid 140156862461504] (70014)End of file found: [client 10.0.0.x:22257] AH10184: failed reading input
Comment 13 Paulo M 2021-10-16 10:23:58 UTC
*** Bug 62866 has been marked as a duplicate of this bug. ***
Comment 14 Sarva 2022-05-15 01:34:32 UTC
Still seeing the same errors in Apache/2.4.53, any idea when this patch will be merged? Thanks.