I came across from here https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1939678 After Update from Ubuntu 18.04 apache2 2.4.29 to Ubuntu 20.04 apache2 2.4.41 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To Reproduce i create two new Virtual Box VMs on my local Machine and compile apach2 from the sources 2.4.38 -> 2.4.51 ------------- |Bastian Host | |Apache Proxy | -----------> LB Apache Balancer Manger ------------- Debian 11 -> Bastion Host (Proxy) / 192.168.56.70 Ubuntu 20.04 -> LB Manager / 192.168.56.170 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I use the Proxy as Bastion Host to reache several LB Manager from one Point. Debian 11 Proxy strip down config for reproduce the issue. :~# apt-get install apache2 ~# vim /etc/apache2/sites-enabled/000-default.conf [...] <Location /balancer-manager> ProxyPass http://192.168.56.170:81/balancer-manager ProxyPassReverse http://192.168.56.170:81/balancer-manager SetOutputFilter INFLATE;SUBSTITUTE Substitute "s|http://192.168.56.70:81|http://192.168.56.170|i" </Location> [...] :~# a2enmod proxy_http substitute :~# systemctl restart apache2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Second VM with Ubuntu 20.04 for testing and reproduction. I compile apache from the sources. I Start with apache 2.4.38 wget http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.gz configure / make / make install :~# vim /usr/local/apache2/conf/httpd.conf ServerRoot "/usr/local/apache2" ServerName "localhost" ServerAdmin you@example.com Listen 80 Listen 81 Listen 8100 LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule substitute_module modules/mod_substitute.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so LoadModule unixd_module modules/mod_unixd.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so <IfModule unixd_module> User daemon Group daemon </IfModule> <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/usr/local/apache2/htdocs" <Directory "/usr/local/apache2/htdocs"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.html </IfModule> ErrorLog "logs/error_log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access_log" common </IfModule> <IfModule headers_module> RequestHeader unset Proxy early </IfModule> <IfModule mime_module> TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz </IfModule> <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> <VirtualHost 192.168.56.170:81 127.0.0.1:81> Servername 127.0.0.1 ServerAdmin root@localhost <Location /balancer-manager> SetHandler balancer-manager Require all granted </Location> LogLevel warn ErrorLog "logs/management_error.log" CustomLog "/management_access.log" combined </VirtualHost> <Proxy "balancer://test"> BalancerMember "http://192.168.168.130/test" BalancerMember "http://192.168.168.131/test" status=+H ProxySet lbmethod=bybusyness </Proxy> <VirtualHost 127.0.0.1:8100> ServerAdmin root@localhost ServerName testapp01 ServerAlias 127.0.0.1:8100 ProxyPass "/test" "balancer://test" ProxyPassReverse "/test" "balancer://test" CustomLog "logs/test-access.log" combined ErrorLog "logs/test-error.log" </VirtualHost> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Direct connection with curl in the Console from the LB Machine :~# curl http://127.0.0.1:81/balancer-manager from outside with the Browser http://192.168.56.170:81/balancer-manager and simultaneously looking in the log :~# tail -f /usr/local/apache2/logs/management_error.log -> no error Log entry LB Manager in Browser is working Now Over Debian 11 Proxy VM http://192.168.56.70/balancer-manager -> LB Manager is working as expected - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz configure / make / make install Update to 2.4.39 everything is working as expected like above - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz configure / make / make install But Now with the Update to Version 2.4.41 Direct connection with curl in the Console from the LB Machine :~# curl http://127.0.0.1:81/balancer-manager from outside with the Browser http://192.168.56.170:81/balancer-manager and simultaneously looking in the log :~# tail -f /usr/local/apache2/logs/management_error.log [Fri Dec 10 12:02:15.015978 2021] [proxy_balancer:error] [pid 92187:tid 139705270384384] [client 127.0.0.1:52138] AH10187: ignoring params in balancer-manager cross-site access [Fri Dec 10 12:02:36.039407 2021] [proxy_balancer:error] [pid 92187:tid 139705253582592] [client 192.168.56.1:28366] AH10187: ignoring params in balancer-manager cross-site access From curl localhost and outside with the Browser i trigger on error Log entry. So why "cross-site access" with an connection from/with/in localhost? The LB Manager in the Browser is working. I can change load, disable machines etc. without further error Log entries. BUT Now Over Debian 11 Proxy VM http://192.168.56.70/balancer-manager [Fri Dec 10 12:03:27.341921 2021] [proxy_balancer:error] [pid 92187:tid 139705236780800] [client 192.168.56.70:57986] AH10187: ignoring params in balancer-manager cross-site access [Fri Dec 10 12:03:43.425885 2021] [proxy_balancer:error] [pid 92189:tid 139705245181696] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager [Fri Dec 10 12:03:44.978644 2021] [proxy_balancer:error] [pid 92189:tid 139705236780800] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.130/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6 [Fri Dec 10 12:03:46.721392 2021] [proxy_balancer:error] [pid 92189:tid 139705228379904] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.131/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6 I got a same first error Log entry. But the LB Manager ist not Working i can not change things load etc. The Second "Change GUI Part" is not visible and every tray to klick will create a error log entry. I compile/update further one to apache 2.4.51 without no luck. LB Manager reached from the Proxy Machine will not Working. Any suggestion is appreciated. Thx Horst
There is an copy & paste bug in my Substitute it must be. [...] Substitute "s|http://192.168.56.170:81|http://192.168.56.70|i" [...] And i investigate further on i grab some httpd versions i can get from wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.4.51.tar.gz And i diff mod_proxy_balancer.c from version to version for instance. :~$ diff httpd-2.4.39/modules/proxy/mod_proxy_balancer.c httpd-2.4.41/modules/proxy/mod_proxy_balancer.c In version 2.4.41 mod_proxy_balancer.c and in the further versions i found that peace of code. And it looks like that trigger the error. :~$ vim mod_proxy_balancer.c [...] /* Ignore parameters if this looks like XSRF */ ref = apr_table_get(r->headers_in, "Referer"); if (apr_table_elts(params) && (!ref || !safe_referer(r, ref))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187) "ignoring params in balancer-manager cross-site access"); apr_table_clear(params); } [...] If i delete that and recompile than it looks like anything is working again with the proxy in front of the LB Manager. But i'am not a Developer and i don't know is that an good idea to delete that code. And mybe on different places happening other bad things. Any suggestion is appreciated. Thx Horst
Hi all, what about this bug ? I got three VMs behind an apache-balancer and i got the same issue. Distributor ID: Ubuntu Description: Ubuntu 20.04.5 LTS Release: 20.04 Codename: focal ii apache2 2.4.41-4ubuntu3.12 amd64 Apache HTTP Server Is there a fix for this package ? Regards, Fabrice