Bug 65737 - Proxy Balancer AH10187: ignoring params in balancer-manager cross-site access
Summary: Proxy Balancer AH10187: ignoring params in balancer-manager cross-site access
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_balancer
Version: 2.4.41
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-10 15:48 UTC by Horst Platz
Modified: 2021-12-16 15:14 UTC
Description Horst Platz 2021-12-10 15:48:17 UTC
I came across this from here:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1939678

After updating from Ubuntu 18.04 (apache2 2.4.29) to Ubuntu 20.04 (apache2 2.4.41).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

To reproduce, I created two new VirtualBox VMs on my local machine and compiled apache2 from the sources, 2.4.38 -> 2.4.51.

 -------------
|Bastion Host |
|Apache Proxy | -----------> LB Apache Balancer Manager
 -------------

Debian 11 -> Bastion Host (Proxy) / 192.168.56.70
Ubuntu 20.04 -> LB Manager / 192.168.56.170

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I use the proxy as a bastion host to reach several LB Managers from one point.

Debian 11 proxy, stripped-down config to reproduce the issue.

:~# apt-get install apache2

~# vim /etc/apache2/sites-enabled/000-default.conf
[...]
       <Location /balancer-manager>
                ProxyPass http://192.168.56.170:81/balancer-manager
                ProxyPassReverse http://192.168.56.170:81/balancer-manager
                SetOutputFilter INFLATE;SUBSTITUTE
                Substitute "s|http://192.168.56.70:81|http://192.168.56.170|i"
       </Location>
[...]

:~# a2enmod proxy_http substitute
:~# systemctl restart apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Second VM with Ubuntu 20.04 for testing and reproduction. I compiled apache from the sources. I started with apache 2.4.38.

wget http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.gz
configure / make / make install


:~# vim /usr/local/apache2/conf/httpd.conf
ServerRoot "/usr/local/apache2"
ServerName "localhost"
ServerAdmin you@example.com

Listen 80
Listen 81
Listen 8100

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" common
</IfModule>

<IfModule headers_module>
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<VirtualHost 192.168.56.170:81 127.0.0.1:81>
  ServerName 127.0.0.1
  ServerAdmin root@localhost

  <Location /balancer-manager>
    SetHandler balancer-manager
    Require all granted
  </Location>

  LogLevel warn
  ErrorLog "logs/management_error.log"
  CustomLog "/management_access.log" combined
</VirtualHost>

<Proxy "balancer://test">
  BalancerMember "http://192.168.168.130/test"
  BalancerMember "http://192.168.168.131/test" status=+H
  ProxySet lbmethod=bybusyness
</Proxy>

<VirtualHost 127.0.0.1:8100>
  ServerAdmin root@localhost
  ServerName testapp01
  ServerAlias 127.0.0.1:8100

  ProxyPass "/test" "balancer://test"
  ProxyPassReverse "/test" "balancer://test"

  CustomLog "logs/test-access.log" combined
  ErrorLog "logs/test-error.log"
</VirtualHost>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Direct connection with curl in the console from the LB machine:

:~# curl http://127.0.0.1:81/balancer-manager

From outside with the browser:

http://192.168.56.170:81/balancer-manager

and simultaneously looking at the log:

:~# tail -f /usr/local/apache2/logs/management_error.log

-> no error log entry; the LB Manager in the browser is working


Now via the Debian 11 proxy VM:

http://192.168.56.70/balancer-manager

-> the LB Manager is working as expected

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz
configure / make / make install

Updated to 2.4.39; everything is working as expected, as above.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
configure / make / make install

But now with the update to version 2.4.41:

Direct connection with curl in the console from the LB machine:

:~# curl http://127.0.0.1:81/balancer-manager

From outside with the browser:

http://192.168.56.170:81/balancer-manager

and simultaneously looking at the log:

:~# tail -f /usr/local/apache2/logs/management_error.log
[Fri Dec 10 12:02:15.015978 2021] [proxy_balancer:error] [pid 92187:tid 139705270384384] [client 127.0.0.1:52138] AH10187: ignoring params in balancer-manager cross-site access

[Fri Dec 10 12:02:36.039407 2021] [proxy_balancer:error] [pid 92187:tid 139705253582592] [client 192.168.56.1:28366] AH10187: ignoring params in balancer-manager cross-site access

From curl on localhost and from outside with the browser I trigger one error log entry. So why "cross-site access" with a connection from/with/in localhost? The LB Manager in the browser is working. I can change load, disable machines etc. without further error log entries.


BUT now via the Debian 11 proxy VM:

http://192.168.56.70/balancer-manager

[Fri Dec 10 12:03:27.341921 2021] [proxy_balancer:error] [pid 92187:tid 139705236780800] [client 192.168.56.70:57986] AH10187: ignoring params in balancer-manager cross-site access

[Fri Dec 10 12:03:43.425885 2021] [proxy_balancer:error] [pid 92189:tid 139705245181696] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager
[Fri Dec 10 12:03:44.978644 2021] [proxy_balancer:error] [pid 92189:tid 139705236780800] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.130/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6
[Fri Dec 10 12:03:46.721392 2021] [proxy_balancer:error] [pid 92189:tid 139705228379904] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.131/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6


I got the same first error log entry. But the LB Manager is not working; I cannot change things, load etc. The second "change GUI part" is not visible and every try to click will create an error log entry.

I compiled/updated further to apache 2.4.51 without luck. The LB Manager reached via the proxy machine will not work.

Any suggestion is appreciated.

Thx Horst
Comment 1 Horst Platz 2021-12-16 15:14:05 UTC
There is a copy & paste bug in my Substitute; it must be:

[...]
                Substitute "s|http://192.168.56.170:81|http://192.168.56.70|i"
[...]


And I investigated further; I grabbed some httpd versions I could get from

wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz
wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
wget http://archive.apache.org/dist/httpd/httpd-2.4.51.tar.gz

And I diffed mod_proxy_balancer.c from version to version, for instance:

:~$ diff httpd-2.4.39/modules/proxy/mod_proxy_balancer.c httpd-2.4.41/modules/proxy/mod_proxy_balancer.c


In version 2.4.41 mod_proxy_balancer.c and in the later versions I found that piece of code. And it looks like that triggers the error.

:~$ vim mod_proxy_balancer.c
[...]
    /* Ignore parameters if this looks like XSRF */
    ref = apr_table_get(r->headers_in, "Referer");
    if (apr_table_elts(params)
        && (!ref || !safe_referer(r, ref))) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187)
                      "ignoring params in balancer-manager cross-site access");
        apr_table_clear(params);
    }
[...]

If I delete that and recompile, then it looks like everything is working again with the proxy in front of the LB Manager. But I am not a developer and I don't know whether it is a good idea to delete that code. And maybe in different places other bad things happen.

Any suggestion is appreciated.

Thx Horst
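A worked model of the check Comment 1 quotes, added here as an illustration for the reproduction steps in the description and for the quoted code; it is not httpd code, and safe_referer() below is a stand-in whose assumed behaviour (comparing the Referer hostname with the server name of the request) is not shown on this page. It replays the situations from the description: curl on the LB host, the browser against the LB host directly, and the browser through the Debian proxy. Two things the model makes visible. First, the quoted condition tests apr_table_elts(params), which is only a cast of the table pointer and is therefore never NULL for a table that exists, so the Referer check runs on every request, including the parameter-less ones from curl and from the first browser load; that is why AH10187 is logged there although no parameter was actually ignored. Second, through the proxy the backend sees the Host that ProxyPass sends (192.168.56.170:81, the backend's own address) while the browser's Referer names the proxy (http://192.168.56.70/...), so the names differ and the parameters are dropped, which is the "cross-site access" the message refers to. The last scenario, with ProxyPreserveHost On on the proxy, is an assumption added to show the two names agreeing.

```python
"""Model of the balancer-manager XSRF check quoted in Comment 1.

Added illustration, not httpd code. safe_referer() is a stand-in (assumed
here to compare the Referer hostname with the request's server name), because
its body is not quoted in the report.
"""
from urllib.parse import parse_qsl, urlsplit

AH10187 = "AH10187: ignoring params in balancer-manager cross-site access"


def server_name(headers):
    """Name the backend uses for itself: the Host header minus the port
    (UseCanonicalName Off, the httpd default). IPv4/hostname form only."""
    return headers.get("Host", "").split(":")[0].lower()


def safe_referer(headers, ref):
    """Stand-in for httpd's safe_referer(): the Referer must parse and its
    hostname must equal the server name of the request being handled."""
    try:
        ref_host = urlsplit(ref).hostname
    except ValueError:
        return False
    return bool(ref_host) and ref_host.lower() == server_name(headers)


def balancer_manager(method, query, headers, check_empty):
    """Return (params kept, log lines) for one request.

    check_empty=False reproduces the quoted 2.4.41 condition
    `apr_table_elts(params) && ...`: apr_table_elts() only casts the table
    pointer, which is never NULL for an existing table, so the Referer
    check runs (and logs) even when the request carried no parameters.
    check_empty=True is the intended condition: only a non-empty parameter
    table is subject to the Referer check.
    """
    params = dict(parse_qsl(query, keep_blank_values=True)) if method == "GET" else {}
    table_present = bool(params) if check_empty else True
    log = []
    ref = headers.get("Referer")
    if table_present and (ref is None or not safe_referer(headers, ref)):
        log.append(AH10187)
        params = {}          # apr_table_clear(params)
    return params, log


# Constructed requests mirroring the report's setup (LB host 192.168.56.170:81,
# proxy 192.168.56.70). The nonce is the one visible in the report's log.
NONCE = "bb418b73-73df-208e-0eb3-343ac2e4d3d6"
ACTION = "b=test&w=http://192.168.168.130/test&nonce=" + NONCE

SCENARIOS = {
    # curl on the LB host: no query string, no Referer
    "curl localhost": ("GET", "", {"Host": "127.0.0.1:81"}),
    # browser straight at the LB host, clicking a worker link
    "browser direct": ("GET", ACTION, {
        "Host": "192.168.56.170:81",
        "Referer": "http://192.168.56.170:81/balancer-manager"}),
    # through the proxy: ProxyPass sends the backend's own Host, but the
    # browser's Referer still names the proxy
    "via proxy": ("GET", ACTION, {
        "Host": "192.168.56.170:81",
        "Referer": "http://192.168.56.70/balancer-manager"}),
    # assumption: same proxy with ProxyPreserveHost On, so the client's
    # Host header is forwarded unchanged
    "via proxy, ProxyPreserveHost On": ("GET", ACTION, {
        "Host": "192.168.56.70",
        "Referer": "http://192.168.56.70/balancer-manager"}),
}


def run(check_empty):
    """Map scenario name -> (params kept?, AH10187 logged?)."""
    results = {}
    for name, (method, query, headers) in SCENARIOS.items():
        params, log = balancer_manager(method, query, headers, check_empty)
        results[name] = (bool(params), bool(log))
    return results


if __name__ == "__main__":
    for label, flag in (("2.4.41 condition", False), ("non-empty-table condition", True)):
        print(label)
        for name, (kept, logged) in run(flag).items():
            print("  %-34s params kept=%-5s AH10187 logged=%s" % (name, kept, logged))
```

Run as a script it prints both tables. The practical point for anyone hitting this behind a reverse proxy: rather than deleting the check, which exists so that a cross-site GET cannot change balancer state, make the name the backend sees match what the browser sends, for example with ProxyPreserveHost On on the proxy; confirm against the safe_referer() body in the httpd version actually deployed, since this model assumes a hostname-only comparison.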