
Bug#418925: apache2: mod_proxy_http / ProxyPass uses an invalid Host: header for backend requests



Package: apache2
Version: 2.2.3-4
Severity: important


I have been replacing the sadly-unreliable apt-proxy with an Apache2
mod_cache setup. Opera's Debian archive turns out to be virtual hosted
and fails when used like this:

ProxyPass /opera http://deb.opera.com/opera smax=4 retry=60

tcpdump confirms that ProxyPass is using only "opera" for the host rather than
the "deb.opera.com" specified in the URL:

10:51:17.836508 IP (tos 0x0, ttl  64, id 44916, offset 0, flags [DF], proto: TCP (6), length: 210) economo.example.edu.60062 > 193.69.116.32.www: P, cksum 0x430c (incorrect (-> 0x2887), 0:158(158) ack 1 win 5840 <nop,nop,timestamp 1091036920 2193310869>
	0x0000:  4500 00d2 af74 4000 4006 486a c6ca 4617  E....t@.@.Hj..F.
	0x0010:  c145 7420 ea9e 0050 3ca1 4938 39f2 c73f  .Et....P<.I89..?
	0x0020:  8018 16d0 430c 0000 0101 080a 4107 e6f8  ....C.......A...
	0x0030:  82bb 4495 4745 5420 2f6f 7065 7261 2f20  ..D.GET./opera/.
	0x0040:  4854 5450 2f31 2e30 0d0a 486f 7374 3a20  HTTP/1.0..Host:.
	0x0050:  6f70 6572 610d 0a43 6f6e 6e65 6374 696f  opera..Connectio
	0x0060:  6e3a 2063 6c6f 7365 0d0a 5573 6572 2d41  n:.close..User-A
	0x0070:  6765 6e74 3a20 6375 726c 2f37 2e31 362e  gent:.curl/7.16.
	0x0080:  3020 2869 3338 362d 6170 706c 652d 6461  0.(i386-apple-da
	0x0090:  7277 696e 392e 3029 206c 6962 6375 726c  rwin9.0).libcurl
	0x00a0:  2f37 2e31 362e 3020 4f70 656e 5353 4c2f  /7.16.0.OpenSSL/
	0x00b0:  302e 392e 376c 207a 6c69 622f 312e 322e  0.9.7l.zlib/1.2.
	0x00c0:  330d 0a41 6363 6570 743a 202a 2f2a 0d0a  3..Accept:.*/*..
	0x00d0:  0d0a                                     ..

The same bug appears to affect everything else; fortunately the main Debian
archives don't seem to rely on Host: being set correctly.

10:52:15.830760 IP (tos 0x0, ttl  64, id 22366, offset 0, flags [DF], proto: TCP (6), length: 232) economo.example.edu.60086 > debian-mirror.mirror.umn.edu.www: P, cksum 0x7ef6 (incorrect (-> 0xedfd), 0:180(180) ack 1 win 5840 <nop,nop,timestamp 1091094924 368582266>
	0x0000:  4500 00e8 575e 4000 4006 6496 c6ca 4617  E...W^@.@.d...F.
	0x0010:  8065 f0d4 eab6 0050 3fec 9fe3 3fe0 b32d  .e.....P?...?..-
	0x0020:  8018 16d0 7ef6 0000 0101 080a 4108 c98c  ....~.......A...
	0x0030:  15f8 1e7a 4745 5420 2f64 6562 6961 6e2f  ...zGET./debian/
	0x0040:  6469 7374 732f 7374 6162 6c65 2f52 656c  dists/stable/Rel
	0x0050:  6561 7365 2048 5454 502f 312e 300d 0a48  ease.HTTP/1.0..H
	0x0060:  6f73 743a 2064 6562 6961 6e0d 0a43 6f6e  ost:.debian..Con
	0x0070:  6e65 6374 696f 6e3a 2063 6c6f 7365 0d0a  nection:.close..
	0x0080:  5573 6572 2d41 6765 6e74 3a20 6375 726c  User-Agent:.curl
	0x0090:  2f37 2e31 362e 3020 2869 3338 362d 6170  /7.16.0.(i386-ap
	0x00a0:  706c 652d 6461 7277 696e 392e 3029 206c  ple-darwin9.0).l
	0x00b0:  6962 6375 726c 2f37 2e31 362e 3020 4f70  ibcurl/7.16.0.Op
	0x00c0:  656e 5353 4c2f 302e 392e 376c 207a 6c69  enSSL/0.9.7l.zli
	0x00d0:  622f 312e 322e 330d 0a41 6363 6570 743a  b/1.2.3..Accept:
	0x00e0:  202a 2f2a 0d0a 0d0a                      .*/*....


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-12-amd64-k8-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.2.3-4    High speed threaded model for Apac

apache2 recommends no packages.

-- no debconf information
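
Added example, not part of the original report: a Python check that rebuilds a packet from `tcpdump -X` text, pulls the Host header out of the HTTP request, and compares it with the backend host named in the ProxyPass line. The function names and the sample packet are constructed for illustration; the packet mirrors the request described above rather than reproducing the capture.

```python
import re
from urllib.parse import urlsplit

# One `tcpdump -X` row: offset, then 2- or 4-digit hex groups (ASCII column ignored).
HEX_ROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:(?:[0-9a-f]{4}|[0-9a-f]{2}) ?)+)", re.I)

def dump_to_bytes(dump):
    """Rebuild the packet (starting at the IPv4 header) from `tcpdump -X` text."""
    pkt = bytearray()
    for row in dump.splitlines():
        m = HEX_ROW.match(row)
        if m:  # summary lines and blank lines do not match and are skipped
            pkt += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(pkt)

def host_sent(pkt):
    """Return the Host header value of the HTTP request in the TCP payload."""
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP header length, options included
    head = pkt[ihl + doff:].split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None

def check(proxypass, dump):
    """Compare the backend host in a ProxyPass line with the Host on the wire."""
    backend = urlsplit(proxypass.split()[2]).hostname
    sent = host_sent(dump_to_bytes(dump))
    ok = sent is not None and sent.split(":")[0].lower() == backend
    return backend, sent, ok

def render(pkt):
    """Format bytes like `tcpdump -X` rows (used only to build the sample)."""
    rows = []
    for off in range(0, len(pkt), 16):
        chunk = pkt[off:off + 16]
        hx = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 33 <= b < 127 else "." for b in chunk)
        rows.append(f"\t0x{off:04x}:  {hx:<39}  {asc}")
    return "\n".join(rows)

# Constructed sample: minimal IPv4 + TCP headers and a request like the one reported.
SAMPLE_PKT = (b"\x45" + bytes(19) + bytes(12) + b"\x50" + bytes(7)
              + b"GET /opera/ HTTP/1.0\r\nHost: opera\r\nAccept: */*\r\n\r\n")
SAMPLE_DUMP = "10:51:17.000000 IP client.60062 > backend.www: P\n" + render(SAMPLE_PKT)
DIRECTIVE = "ProxyPass /opera http://deb.opera.com/opera smax=4 retry=60"
print(check(DIRECTIVE, SAMPLE_DUMP))
```

The same `check` can be run over a saved capture of the proxy's outbound traffic after a configuration or package change, to confirm the backend sees the host from the ProxyPass URL.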


