Bug#418925: apache2: mod_proxy_http / ProxyPass uses an invalid Host: header for backend requests
Package: apache2
Version: 2.2.3-4
Severity: important
I have been replacing the sadly-unreliable apt-proxy with an Apache2
mod_cache setup. Opera's Debian archive turns out to be virtual hosted
and fails when used like this:
ProxyPass /opera http://deb.opera.com/opera smax=4 retry=60
tcpdump confirms that ProxyPass is using only "opera" for the host rather than
the "deb.opera.com" specified in the URL:
10:51:17.836508 IP (tos 0x0, ttl 64, id 44916, offset 0, flags [DF], proto: TCP (6), length: 210) economo.example.edu.60062 > 193.69.116.32.www: P, cksum 0x430c (incorrect (-> 0x2887), 0:158(158) ack 1 win 5840 <nop,nop,timestamp 1091036920 2193310869>
0x0000: 4500 00d2 af74 4000 4006 486a c6ca 4617 E....t@.@.Hj..F.
0x0010: c145 7420 ea9e 0050 3ca1 4938 39f2 c73f .Et....P<.I89..?
0x0020: 8018 16d0 430c 0000 0101 080a 4107 e6f8 ....C.......A...
0x0030: 82bb 4495 4745 5420 2f6f 7065 7261 2f20 ..D.GET./opera/.
0x0040: 4854 5450 2f31 2e30 0d0a 486f 7374 3a20 HTTP/1.0..Host:.
0x0050: 6f70 6572 610d 0a43 6f6e 6e65 6374 696f opera..Connectio
0x0060: 6e3a 2063 6c6f 7365 0d0a 5573 6572 2d41 n:.close..User-A
0x0070: 6765 6e74 3a20 6375 726c 2f37 2e31 362e gent:.curl/7.16.
0x0080: 3020 2869 3338 362d 6170 706c 652d 6461 0.(i386-apple-da
0x0090: 7277 696e 392e 3029 206c 6962 6375 726c rwin9.0).libcurl
0x00a0: 2f37 2e31 362e 3020 4f70 656e 5353 4c2f /7.16.0.OpenSSL/
0x00b0: 302e 392e 376c 207a 6c69 622f 312e 322e 0.9.7l.zlib/1.2.
0x00c0: 330d 0a41 6363 6570 743a 202a 2f2a 0d0a 3..Accept:.*/*..
0x00d0: 0d0a ..
The same bug appears to affect everything else; fortunately the main debian
archives don't seem to rely on Host: being set correctly.
10:52:15.830760 IP (tos 0x0, ttl 64, id 22366, offset 0, flags [DF], proto: TCP (6), length: 232) economo.example.edu.60086 > debian-mirror.mirror.umn.edu.www: P, cksum 0x7ef6 (incorrect (-> 0xedfd), 0:180(180) ack 1 win 5840 <nop,nop,timestamp 1091094924 368582266>
0x0000: 4500 00e8 575e 4000 4006 6496 c6ca 4617 E...W^@.@.d...F.
0x0010: 8065 f0d4 eab6 0050 3fec 9fe3 3fe0 b32d .e.....P?...?..-
0x0020: 8018 16d0 7ef6 0000 0101 080a 4108 c98c ....~.......A...
0x0030: 15f8 1e7a 4745 5420 2f64 6562 6961 6e2f ...zGET./debian/
0x0040: 6469 7374 732f 7374 6162 6c65 2f52 656c dists/stable/Rel
0x0050: 6561 7365 2048 5454 502f 312e 300d 0a48 ease.HTTP/1.0..H
0x0060: 6f73 743a 2064 6562 6961 6e0d 0a43 6f6e ost:.debian..Con
0x0070: 6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a nection:.close..
0x0080: 5573 6572 2d41 6765 6e74 3a20 6375 726c User-Agent:.curl
0x0090: 2f37 2e31 362e 3020 2869 3338 362d 6170 /7.16.0.(i386-ap
0x00a0: 706c 652d 6461 7277 696e 392e 3029 206c ple-darwin9.0).l
0x00b0: 6962 6375 726c 2f37 2e31 362e 3020 4f70 ibcurl/7.16.0.Op
0x00c0: 656e 5353 4c2f 302e 392e 376c 207a 6c69 enSSL/0.9.7l.zli
0x00d0: 622f 312e 322e 330d 0a41 6363 6570 743a b/1.2.3..Accept:
0x00e0: 202a 2f2a 0d0a 0d0a .*/*....
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-12-amd64-k8-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages apache2 depends on:
ii apache2-mpm-worker 2.2.3-4 High speed threaded model for Apac
apache2 recommends no packages.
-- no debconf information
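As an added check, not part of this bug report: the script below rebuilds the TCP payload from a tcpdump -x/-X style dump like the ones above, pulls out the Host: header the proxy actually sent, and compares it with the host in the ProxyPass target URL. The sample capture (IP/TCP header bytes and HTTP payload) is constructed for the example; only the Host value mirrors what the report shows.

```python
"""Compare the Host: header in a proxied request capture with the ProxyPass backend host."""
import re
from urllib.parse import urlsplit

# Constructed tcpdump -x style dump of one IPv4/TCP segment (no link-layer header).
# The HTTP payload is "GET /opera/ HTTP/1.0\r\nHost: opera\r\nConnection: close\r\n\r\n";
# IP and TCP checksums are left as zero since the parser never checks them.
SAMPLE_DUMP = """\
0x0000: 4500 006c 0001 4000 4006 0000 c0a8 0001
0x0010: c145 7420 ea9e 0050 0000 0001 0000 0001
0x0020: 8018 16d0 0000 0000 0101 080a 0000 0001
0x0030: 0000 0002 4745 5420 2f6f 7065 7261 2f20
0x0040: 4854 5450 2f31 2e30 0d0a 486f 7374 3a20
0x0050: 6f70 6572 610d 0a43 6f6e 6e65 6374 696f
0x0060: 6e3a 2063 6c6f 7365 0d0a 0d0a
"""


def payload_from_hexdump(dump: str) -> bytes:
    """Rebuild the TCP payload: skip the IPv4 header (IHL) and TCP header (data offset)."""
    words = []
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s*(.*)", line)
        if not m:
            continue  # summary lines such as "10:51:17.836508 IP ..." carry no bytes
        for tok in m.group(1).split():
            if not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                break  # first non-hex token is the start of tcpdump -X's ASCII column
            words.append(tok)
    raw = bytes.fromhex("".join(words))
    ihl = (raw[0] & 0x0F) * 4             # IPv4 header length in bytes
    data_off = (raw[ihl + 12] >> 4) * 4   # TCP header length including options
    return raw[ihl + data_off:]


def host_header(payload: bytes):
    """Return the value of the Host: header in an HTTP/1.x request, or None if absent."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for field in head.split("\r\n")[1:]:   # [0] is the request line
        name, _, value = field.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def check_proxypass_host(proxypass_url: str, dump: str):
    """Return (expected, actual, ok): expected is the host from the ProxyPass target URL."""
    expected = urlsplit(proxypass_url).hostname or ""
    actual = host_header(payload_from_hexdump(dump)) or ""
    return expected, actual, expected.lower() == actual.lower()


if __name__ == "__main__":
    exp, act, ok = check_proxypass_host("http://deb.opera.com/opera", SAMPLE_DUMP)
    print(f"expected Host: {exp!r}, sent Host: {act!r} -> {'OK' if ok else 'MISMATCH'}")
```

Feeding it the report's own 0x0000-0x00d0 lines gives the same mismatch (expected deb.opera.com, sent opera); a backend that is virtual hosted will route such a request to its default vhost.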