Hi,
On Tue, Sep 10, 2024 at 03:35:26PM +0000, Bastien Roucariès wrote:
> control: retitle -1 Regression: Reverse proxy via mod_rewrite broken after
> 2.4.62
>
> Le mardi 10 septembre 2024, 15:18:48 UTC Salvatore Bonaccorso a écrit :
> > Hi,
> >
> > On Tue, Sep 10, 2024 at 05:07:29PM +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Tue, Sep 10, 2024 at 06:59:51AM +0000, Markus Wollny wrote:
> > > > Package: apache2
> > > > Version: 2.4.62-1~deb12u1
> > > > Severity: important
> > > > X-Debbugs-Cc: markus.wol...@computec.de, t...@security.debian.org
> > > >
> > > > Dear Maintainer,
> > > >
> > > > After upgrading apache2 packages, we noticed that our SEO rewriting
> > > > rules in apache2 no longer worked and Tomcat tried to access
> > > > non-existing file paths with URL encoded questionmarks.
> > > >
> > > > I have first noticed that is issue affects Debian 12, but I can confirm
> > > > that it also affects Debian 11, so this happens in oldstable, apache2
> > > > 2.4.62-1~deb11u1, too.
> > > >
> > > > To show the issue, you'll want to enable the following mods:
> > > > a2enmod lbmethod_byrequests proxy proxy_ajp proxy_balancer slotmem_shm
> > > > rewrite
> > > >
> > > > I have set up a balancer worker in mods-available/proxy_balancer.conf:
> > > > <Proxy balancer://tomcat>
> > > > BalancerMember ajp://localhost:8009 secret=youllneverknow
> > > > </Proxy>
> > > >
> > > > I have narrowed the issue down to using a proxy RewriteRule inside a
> > > > Directory block. So to reproduce, set up
> > > > /etc/apache2/sites-available/000-default.conf like this:
> > > >
> > > > <VirtualHost *:80>
> > > > ServerAdmin webmaster@localhost
> > > > DocumentRoot /var/www/html
> > > >
> > > > ErrorLog ${APACHE_LOG_DIR}/error.log
> > > > CustomLog ${APACHE_LOG_DIR}/access.log combined
> > > >
> > > > <Directory "/var/www/html">
> > > > DirectoryIndex index.html
> > > > RewriteEngine On
> > > > RewriteRule ^/?(.*?)$
> > > > balancer://tomcat/demo/index.jsp?rewrite=$1
> > > > [P,L,env=AJP_REDIRECT_REAL_URL:$1,QSA]
> > > > </Directory>
> > > > </VirtualHost>
> > > >
> > > > To illustrate the issue, I have set up a simple /demo/ application in
> > > > Tomcat 10, but the problem is caused by the Apache2 webserver, so this
> > > > part is not relevant here.
> > > >
> > > > Before the upgrade, i.e. with apache <= 2.4.61-1~deb12u1, a request to
> > > > http://127.0.0.1/foo/bar/?someparam will result in the following
> > > > request being proxied to tomcat, as is expected:
> > > > GET /demo/index.jsp?rewrite=foo/bar/&someparam
> > > >
> > > > After the upgrade to 2.4.62-1~deb12u1, the same requests gets mangled:
> > > > GET
> > > > /demo/index.jsp%3Frewrite=foo/bar/&someparam?rewrite=foo/bar/&someparam
> > > >
> > > > You can see that the complete parameter string is added twice now, with
> > > > the leading ? being escaped the first time around, which in turn causes
> > > > the path to be completely messed up, so Tomcat won't be able to find
> > > > the file and returns a 404 status.
> > > >
> > > > When turning on debug logging in apache2, one can see that the request
> > > > path is still fine during mod_rewrite processing, it only gets broken
> > > > during mod_proxy processing. The issue does not occur, when the
> > > > RewriteRule is placed outside of the Directory block. Unfortunately,
> > > > this is not a viable workaround for us, we really need to be able to
> > > > use this inside <Directory> and we need the full flexibility of
> > > > mod_rewrite too, so we cannot implement the same thing using ProxyPass,
> > > > either. For now, the only resolution is to downgrade the apache2
> > > > packages:
> > > >
> > > > apt -y --allow-downgrades install apache2=2.4.61-1~deb12u1
> > > > apache2-data=2.4.61-1~deb12u1 apache2-bin=2.4.61-1~deb12u1
> > > > apache2-utils=2.4.61-1~deb12u1
> > > >
> > > > After the downgrade, the RewriteRule with the proxy directive is back
> > > > to working as expected. As 2.4.62-1~deb12u1 contains security fixes, it
> > > > feels like having to pin the previous apache2 version is not a good
> > > > solution, but upgrading it is not possible until this is fixed.
> > > >
> > > > If I had to guess, this may be caused by the following change:
> > > > mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME)
> > > > for
> > > > "balancer:" URLs set via SetHandler, also allowing for "unix:"
> > > > sockets
> > > > with BalancerMember(s). PR 69168. [Yann Ylavic]
> > >
> > > Can you double-check is this #1079172 and as reported upstream in
> > > https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 ?
> >
> > Actually after a quick discussion with Bastien, he pointed out to
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=69241 .
>
> Yes it is another regression of regression.
>
> It was first introduced by https://github.com/apache/httpd/pull/457
So according to a query from Bastien to upstream this should be
addressed with https://svn.apache.org/r1921299
Regards,
Salvatore
