I came across from here https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1939678 After Update from Ubuntu 18.04 apache2 2.4.29 to Ubuntu 20.04 apache2 2.4.41 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To Reproduce i create two new Virtual Box VMs on my local Machine and compile apach2 from the sources 2.4.38 -> 2.4.51 ------------- |Bastian Host | |Apache Proxy | -----------> LB Apache Balancer Manger ------------- Debian 11 -> Bastion Host (Proxy) / 192.168.56.70 Ubuntu 20.04 -> LB Manager / 192.168.56.170 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I use the Proxy as Bastion Host to reache several LB Manager from one Point. Debian 11 Proxy strip down config for reproduce the issue. :~# apt-get install apache2 ~# vim /etc/apache2/sites-enabled/000-default.conf [...] <Location /balancer-manager> ProxyPass http://192.168.56.170:81/balancer-manager ProxyPassReverse http://192.168.56.170:81/balancer-manager SetOutputFilter INFLATE;SUBSTITUTE Substitute "s|http://192.168.56.70:81|http://192.168.56.170|i" </Location> [...] :~# a2enmod proxy_http substitute :~# systemctl restart apache2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Second VM with Ubuntu 20.04 for testing and reproduction. I compile apache from the sources. I Start with apache 2.4.38 wget http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.gz configure / make / make install :~# vim /usr/local/apache2/conf/httpd.conf ServerRoot "/usr/local/apache2" ServerName "localhost" ServerAdmin you@example.com Listen 80 Listen 81 Listen 8100 LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule substitute_module modules/mod_substitute.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_balancer_module modules/mod_proxy_balancer.so LoadModule slotmem_shm_module modules/mod_slotmem_shm.so LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so LoadModule unixd_module modules/mod_unixd.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so <IfModule unixd_module> User daemon Group daemon </IfModule> <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/usr/local/apache2/htdocs" <Directory "/usr/local/apache2/htdocs"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> <IfModule dir_module> DirectoryIndex index.html </IfModule> ErrorLog "logs/error_log" LogLevel warn <IfModule log_config_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common <IfModule logio_module> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio </IfModule> CustomLog "logs/access_log" common </IfModule> <IfModule headers_module> RequestHeader unset Proxy early </IfModule> <IfModule mime_module> TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz </IfModule> <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> <VirtualHost 192.168.56.170:81 127.0.0.1:81> Servername 127.0.0.1 ServerAdmin root@localhost <Location /balancer-manager> SetHandler balancer-manager Require all granted </Location> LogLevel warn ErrorLog "logs/management_error.log" CustomLog "/management_access.log" combined </VirtualHost> <Proxy "balancer://test"> BalancerMember "http://192.168.168.130/test" BalancerMember "http://192.168.168.131/test" status=+H ProxySet lbmethod=bybusyness </Proxy> <VirtualHost 127.0.0.1:8100> ServerAdmin root@localhost ServerName testapp01 ServerAlias 127.0.0.1:8100 ProxyPass "/test" "balancer://test" ProxyPassReverse "/test" "balancer://test" CustomLog "logs/test-access.log" combined ErrorLog "logs/test-error.log" </VirtualHost> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Direct connection with curl in the Console from the LB Machine :~# curl http://127.0.0.1:81/balancer-manager from outside with the Browser http://192.168.56.170:81/balancer-manager and simultaneously looking in the log :~# tail -f /usr/local/apache2/logs/management_error.log -> no error Log entry LB Manager in Browser is working Now Over Debian 11 Proxy VM http://192.168.56.70/balancer-manager -> LB Manager is working as expected - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz configure / make / make install Update to 2.4.39 everything is working as expected like above - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz configure / make / make install But Now with the Update to Version 2.4.41 Direct connection with curl in the Console from the LB Machine :~# curl http://127.0.0.1:81/balancer-manager from outside with the Browser http://192.168.56.170:81/balancer-manager and simultaneously looking in the log :~# tail -f /usr/local/apache2/logs/management_error.log [Fri Dec 10 12:02:15.015978 2021] [proxy_balancer:error] [pid 92187:tid 139705270384384] [client 127.0.0.1:52138] AH10187: ignoring params in balancer-manager cross-site access [Fri Dec 10 12:02:36.039407 2021] [proxy_balancer:error] [pid 92187:tid 139705253582592] [client 192.168.56.1:28366] AH10187: ignoring params in balancer-manager cross-site access From curl localhost and outside with the Browser i trigger on error Log entry. So why "cross-site access" with an connection from/with/in localhost? The LB Manager in the Browser is working. I can change load, disable machines etc. without further error Log entries. BUT Now Over Debian 11 Proxy VM http://192.168.56.70/balancer-manager [Fri Dec 10 12:03:27.341921 2021] [proxy_balancer:error] [pid 92187:tid 139705236780800] [client 192.168.56.70:57986] AH10187: ignoring params in balancer-manager cross-site access [Fri Dec 10 12:03:43.425885 2021] [proxy_balancer:error] [pid 92189:tid 139705245181696] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager [Fri Dec 10 12:03:44.978644 2021] [proxy_balancer:error] [pid 92189:tid 139705236780800] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.130/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6 [Fri Dec 10 12:03:46.721392 2021] [proxy_balancer:error] [pid 92189:tid 139705228379904] [client 192.168.56.70:57988] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.70/balancer-manager?b=test&w=http://192.168.168.131/test&nonce=bb418b73-73df-208e-0eb3-343ac2e4d3d6 I got a same first error Log entry. But the LB Manager ist not Working i can not change things load etc. The Second "Change GUI Part" is not visible and every tray to klick will create a error log entry. I compile/update further one to apache 2.4.51 without no luck. LB Manager reached from the Proxy Machine will not Working. Any suggestion is appreciated. Thx Horst
There is an copy & paste bug in my Substitute it must be. [...] Substitute "s|http://192.168.56.170:81|http://192.168.56.70|i" [...] And i investigate further on i grab some httpd versions i can get from wget http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz wget http://archive.apache.org/dist/httpd/httpd-2.4.51.tar.gz And i diff mod_proxy_balancer.c from version to version for instance. :~$ diff httpd-2.4.39/modules/proxy/mod_proxy_balancer.c httpd-2.4.41/modules/proxy/mod_proxy_balancer.c In version 2.4.41 mod_proxy_balancer.c and in the further versions i found that peace of code. And it looks like that trigger the error. :~$ vim mod_proxy_balancer.c [...] /* Ignore parameters if this looks like XSRF */ ref = apr_table_get(r->headers_in, "Referer"); if (apr_table_elts(params) && (!ref || !safe_referer(r, ref))) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187) "ignoring params in balancer-manager cross-site access"); apr_table_clear(params); } [...] If i delete that and recompile than it looks like anything is working again with the proxy in front of the LB Manager. But i'am not a Developer and i don't know is that an good idea to delete that code. And mybe on different places happening other bad things. Any suggestion is appreciated. Thx Horst