Bug#844351: apache2: as a reverse proxy, a 100 continue response is sent prematurely when request contains expects continue
Package: apache2
Version: 2.4.10-10+deb8u7
Severity: important
Tags: upstream
Dear Maintainer,
* What led up to the situation?
A backend with correct 100 continue support and a web client which expects 100-continue.
* What exactly did you do (or not do) that was effective (or ineffective)?
Reverse proxy a backend.
* What was the outcome of this action?
Premature 100-continue response from Apache, before the backend responds.
* What outcome did you expect instead?
No 100-continue unless the backend responds with 100-continue.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60330
As a reverse proxy, a 100 continue response is sent prematurely when a request contains Expect: 100-continue. This causes the requesting client to send a body. The Apache httpd proxy will then read the body and attempt to send it to the backend, but the backend already sent an error and should be allowed to NOT read the remaining request body, which never should have existed. When the backend does not read the request body, mod_proxy_http errors and returns a 500 error to the client. The client never receives the correct error message.
-- Package-specific info:
-- System Information:
Debian Release: 8.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.4.0-45-generic (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.10-10+deb8u7
ii apache2-data 2.4.10-10+deb8u7
ii apache2-utils 2.4.10-10+deb8u7
ii dpkg 1.17.27
ii lsb-base 4.1+Debian13+nmu1
ii mime-support 3.58
ii perl 5.20.2-3+deb8u6
ii procps 2:3.3.9-9
Versions of packages apache2 recommends:
ii ssl-cert 1.0.35
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2-bin depends on:
ii libapr1 1.5.1-3
ii libaprutil1 1.5.4-1
ii libaprutil1-dbd-sqlite3 1.5.4-1
ii libaprutil1-ldap 1.5.4-1
ii libc6 2.19-18+deb8u6
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii liblua5.1-0 5.1.5-7.1
ii libpcre3 2:8.35-3.3+deb8u4
ii libssl1.0.0 1.0.1t-1+deb8u3
ii libxml2 2.9.1+dfsg1-5+deb8u3
ii perl 5.20.2-3+deb8u6
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
pn www-browser <none>
Versions of packages apache2 is related to:
ii apache2 2.4.10-10+deb8u7
ii apache2-bin 2.4.10-10+deb8u7
-- no debconf information
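The exchange described in the report can be observed with a small probe; this is an added example, not part of the original report or of Apache httpd. `start_rejecting_backend`, `first_status` and `check` are hypothetical names, and the backend is a constructed stand-in that rejects from the headers alone and never sends a 100. Place the proxy under test in front of it and point `check` at the proxy's address: a first status of 100 can then only have come from the proxy.

```python
import socket
import threading

def start_rejecting_backend(status=b"401 Unauthorized"):
    """Constructed backend: answers from the headers alone, never sends 100,
    never reads a request body."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listening socket was closed
                return
            with conn:
                buf = b""
                while b"\r\n\r\n" not in buf:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                conn.sendall(b"HTTP/1.1 " + status +
                             b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv

def first_status(host, port, path="/", timeout=5.0):
    """Send request headers with Expect: 100-continue, withhold the body,
    and return the status code of the first response line received."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/octet-stream\r\nContent-Length: 1048576\r\n"
            "Expect: 100-continue\r\nConnection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(head)
        buf = b""
        while b"\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    return int(line.split()[1]) if line.startswith("HTTP/") else None

def check(host, port):
    """Classify the first response: an interim 100 or the final status."""
    code = first_status(host, port)
    return "premature-100" if code == 100 else f"final-first:{code}"

if __name__ == "__main__":
    backend = start_rejecting_backend()
    print(check("127.0.0.1", backend.getsockname()[1]))  # probing the backend directly
```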