oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

Apache 2.4.33-3 breaks reverse-proxy from HTTPS to HTTP backend #896

Open lgiedrius opened 6 years ago

lgiedrius commented 6 years ago

After updating to Apache 2.4.33-3.0+ubuntu16.04.1+deb.sury.org+1, reverse-proxying from an SSL VirtualHost to a plain-text backend is broken. HTTP vhost -> HTTP backend is STILL working. From the logs:
AH01084: pass request body failed to 127.0.0.1:20001 (127.0.0.1)
AH01097: pass request body failed to 127.0.0.1:20001 (127.0.0.1)

Looking at it with tcpdump: only the TCP handshake completes, but the DATA packet with the actual HTTP request IS NOT SENT to the backend.

Configuration excerpt:

# Plain-HTTP virtual host for the webmail site. Per the report, proxying to the
# backend from this vhost still works after the upgrade.
<VirtualHost *:80>
    ServerAdmin         some_user@domain
    ServerName          mail.domain
    ServerAlias         some_alias.domain

    DocumentRoot        /var/www/vhosts/webmail/public_html
    HostnameLookups     Off
    UseCanonicalName    On
    # ServerSignature On appends a server-generated footer to error pages and
    # other generated documents. How much version detail it reveals depends on
    # ServerTokens, which is not set in this excerpt.
    ServerSignature On

    # Pulls in the SOGo aliases and ProxyPass rules, so /SOGo is also reachable
    # over unencrypted HTTP through this vhost.
    # NOTE(review): SOGo.conf hard-codes x-webobjects-server-port "443" and an
    # https:// server URL, which does not match this port-80 vhost - confirm
    # that serving webmail over plain HTTP here is intended.
    include conf-available/SOGo.conf

    # Only if mod_suexec is loaded: run CGI programs as webmail:web_users
    # rather than as the Apache user.
    <IfModule   suexec_module>
        SuexecUserGroup webmail web_users
    </IfModule>
    # Only if mod_fcgid is loaded: map .php files to the x-httpd-php handler,
    # which is served by the /cgi-bin/php.fcgi wrapper.
    <IfModule   fcgid_module>
        # Presumably disables the in-process PHP module when it is also loaded,
        # so PHP only runs through the FastCGI wrapper - TODO confirm.
        <IfModule       php5_module>
            php_engine  off
        </Ifmodule>

        AddHandler      x-httpd-php             .php
        Action          x-httpd-php             /cgi-bin/php.fcgi
        ScriptAlias     /cgi-bin/               /var/www/cgi-bin/webmail/

    </IfModule>
    <Directory "/var/www/vhosts/webmail/public_html">
        # Indexes enables auto-generated directory listings where no index file
        # exists; AllowOverride All lets .htaccess files under the docroot
        # override every directive class that .htaccess supports.
        # NOTE(review): both widen what the docroot exposes; confirm they are needed.
        Options Indexes SymLinksIfOwnerMatch MultiViews
        AllowOverride All
        # Apache 2.2-style access control. On 2.4 these two directives are
        # provided by mod_access_compat; the native 2.4 form is
        # "Require all granted", as used in SOGo.conf's <Directory> block.
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>

# HTTPS virtual host. It is only defined when httpd is started with -D SSL and
# without -D NOSSL. Per the report, this is the vhost whose proxying to the
# plain-HTTP backend fails after the upgrade.
<IfDefine SSL>
<IfDefine !NOSSL>

<VirtualHost *:443>
        DocumentRoot    /var/www/vhosts/webmail/public_html
        ServerName      mail.domain
        ServerAlias     some_alias.domain
        # Only if mod_suexec is loaded: run CGI programs as webmail:web_users.
        <IfModule       suexec_module>
            SuexecUserGroup     webmail web_users
        </IfModule>
        # Only if mod_fcgid is loaded: serve .php through /cgi-bin/php.fcgi.
        <IfModule       fcgid_module>
            # Presumably disables the in-process PHP module - TODO confirm.
            <IfModule   php5_module>
                php_engine      off
            </Ifmodule>

            AddHandler  x-httpd-php             .php
            Action      x-httpd-php             /cgi-bin/php.fcgi
            ScriptAlias /cgi-bin/               /var/www/cgi-bin/webmail/
    # Closes the fcgid_module section above, despite the shallower indent.
    </IfModule>

        # No SSLEngine, certificate or protocol directives appear in this vhost;
        # presumably they come from this include, which the report does not show.
        include "/etc/apache2/mod_ssl_global.conf"
        # Access log in the "ssl_combined" format (defined elsewhere). The file
        # sits in the vhost directory, one level above the docroot.
        # NOTE(review): httpd normally opens log files as the user that starts
        # the server, so this directory should not be writable by the webmail
        # account - confirm its ownership and permissions.
        CustomLog               /var/www/vhosts/webmail/ssl_transfer.txt   ssl_combined
        HostnameLookups     Off
        UseCanonicalName    On
        # Adds a server-generated footer to error pages; the version detail
        # shown depends on ServerTokens, which is not set in this excerpt.
        ServerSignature On

        ModPageSpeed    off
        # Same SOGo aliases and ProxyPass rules as the port-80 vhost; here the
        # client side is TLS and the backend is http://127.0.0.1:20001.
        include conf-available/SOGo.conf
</VirtualHost>
</IfDefine>
</IfDefine>

SOGo.conf:

# Serve SOGo's static web resources straight from the filesystem under both
# URL prefixes.
Alias /SOGo.woa/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ \
      /usr/lib/GNUstep/SOGo/WebServerResources/

<Directory /usr/lib/GNUstep/SOGo/>
    # .htaccess files in this tree are ignored.
    AllowOverride None

    # Access is open to every client, using whichever syntax matches the running
    # httpd version (the <IfVersion> sections require mod_version).
    <IfVersion < 2.4>      
        Order deny,allow
        Allow from all
    </IfVersion>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>

    # Explicitly allow caching of static content to avoid browser specific behavior.
    # A resource's URL MUST change in order to have the client load the new version.
    <IfModule expires_module>
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </IfModule>
</Directory>

# Forward proxying is disabled, so this server cannot be used as an open proxy;
# only the reverse-proxy mappings below are active.
ProxyRequests Off
# Tell mod_proxy not to use keep-alive connections to the backend.
SetEnv proxy-nokeepalive 1
# Forward the client's original Host header to the backend instead of the
# backend's own host:port.
ProxyPreserveHost On

# ActiveSync endpoint, mapped to SOGo on loopback over plain HTTP. After a
# failure the worker is not retried for 60 seconds. The 600-second timeout is
# presumably there for long-lived sync requests - TODO confirm.
ProxyPass /Microsoft-Server-ActiveSync \
 http://127.0.0.1:20001/SOGo/Microsoft-Server-ActiveSync \
 retry=60 connectiontimeout=5 timeout=600

# Main SOGo application. retry=0 means a worker in the error state is retried
# immediately on the next request.
ProxyPass /SOGo http://127.0.0.1:20001/SOGo connectiontimeout=5 retry=0 timeout=60

# Settings applied to requests proxied to the SOGo backend.
<Proxy http://127.0.0.1:20001/SOGo>
<IfModule headers_module>
  # Tell the backend which public port, host name and URL it is reached on.
  # The port and the https:// scheme are fixed values, although this file is
  # also included by the port-80 vhost.
  # The name and URL headers are only set when the HTTP_HOST environment
  # variable exists; where that variable is set is not shown in this excerpt.
  # NOTE(review): if it mirrors the request's Host header, the value is
  # client-supplied - confirm the backend does not trust it blindly.
  RequestHeader set "x-webobjects-server-port" "443"
  RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
  RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST

  # Remove any x-webobjects-remote-user header sent by the client before the
  # request is proxied, so a client cannot assert a user identity to the
  # backend. The commented-out line below would instead forward Apache's own
  # REMOTE_USER; keep the unset unless that line is enabled together with
  # Apache-side authentication.
  RequestHeader unset "x-webobjects-remote-user"
#  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e" env=REMOTE_USER

  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</IfModule>

  AddDefaultCharset UTF-8

  # Apache 2.2-style access control with no <IfVersion> guard, unlike the
  # <Directory> block earlier in this file; on 2.4 it needs mod_access_compat.
  Order allow,deny
  Allow from all
</Proxy>

# For Apple autoconfiguration
# Permanently (301) redirects the CalDAV/CardDAV discovery paths and
# /principals to the SOGo DAV root. The redirect to /SOGo for "/" is disabled.
# NOTE(review): the "." in ".well-known" is an unescaped regex metacharacter and
# "^/principals" has no end anchor, so these patterns match slightly more than
# the literal paths.
<IfModule rewrite_module>
  RewriteEngine On
  RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
  RewriteRule ^/.well-known/carddav/?$ /SOGo/dav [R=301]
  RewriteRule ^/principals              /SOGo/dav [R=301]
#  RewriteRule ^/$                      /SOGo   [R=302]
</IfModule>
oerdnj commented 6 years ago

I've updated Apache to 2.4.34 today. If it still doesn't work, you'll need to open a bug at httpd.apache.org