Public bug reported: Description: Ubuntu 20.04.2 LTS Release: 20.04 Codename: focal
Approximately two years ago i creat the following bug report. https://bugs.launchpad.net/apache2/+bug/1842701/ At the end talk to that bug report is a hin "that bug is still opend in apache 2.4.41" and further on "it should be fixed in 2.4.42". mybe this is now forgotten to fix in focal and it is a regression bug or the "(e.g. want to have it broken for better security)." ist happend. any suggestion is appreciated - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - To Reproduced i create two new Virtual Box VMs on my local Machine ------------- |Bastian Host | |Apache Proxy | -----------> LB Apache Balancer Manger ------------- Debian 10 -> Bastion Host (Proxy) / 192.168.56.90 Ubuntu 18.04 -> LB Manager / 192.168.56.160 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Ubuntu 18.04 with LB Manager :~# apt-get install apache2 :~# dpkg -l | grep apache2 ii apache2 2.4.29-1ubuntu4.16 amd64 Apache HTTP Server ii apache2-bin 2.4.29-1ubuntu4.16 amd64 Apache HTTP Server (modules and other binary files) ii apache2-data 2.4.29-1ubuntu4.16 all Apache HTTP Server (common files) ii apache2-utils 2.4.29-1ubuntu4.16 amd64 Apache HTTP Server (utility programs for web servers) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - :~# vim /etc/apache2/sites-available/management.conf <VirtualHost 192.168.56.160:81 127.0.0.1:81> Servername 127.0.0.1 ServerAdmin root@localhost <Location /balancer-manager> SetHandler balancer-manager Require local #Require ip 192.168.56.0/24 127.0.0.1/24 Require all granted </Location> <Location /test-web01/balancer-manager> SetHandler balancer-manager Require local #Require ip 192.168.56.0/24 127.0.0.1/24 Require all granted </Location> LogLevel warn ErrorLog ${APACHE_LOG_DIR}/management_error.log CustomLog ${APACHE_LOG_DIR}/management_access.log combined </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - :~# vim /etc/apache2/sites-available/proxytest.conf <Proxy "balancer://test"> BalancerMember "http://192.168.168.130/test"; BalancerMember "http://192.168.168.131/test"; status=+H ProxySet lbmethod=bybusyness </Proxy> <VirtualHost 127.0.0.1:8100> ServerAdmin root@localhost ServerName testapp01 ServerAlias 127.0.0.1:8100 ProxyPass "/test" "balancer://test" ProxyPassReverse "/test" "balancer://test" CustomLog ${APACHE_LOG_DIR}/test-access.log combined ErrorLog ${APACHE_LOG_DIR}/test-error.log </VirtualHost> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - :~# a2enmod proxy_balancer proxy_http lbmethod_bybusyness lbmethod_byrequests :~# a2ensite management proxytest :~# vim /etc/apache2/ports.conf [...] Listen 81 Listen 8100 :~# systemctl restart apache2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - At that point i install also some console Browsers for testing. :~# apt-get install lynx elinks :~# tail -f /var/log/apache2/management_error.log :~# elinks http://127.0.0.1:81/balancer-manager :~# lynx http://127.0.0.1:81/balancer-manager LB Manager -> "Edit worker settings for..." is visible and usable, no error log entrys - - - - - - - - - - - - - - - - - - - - - - - - - Connect with firefox from outside http://192.168.56.160:81/balancer-manager LB Manager -> "Edit worker settings for..." is visible and usable, no error log entrys ------------------------------------------------------------------------- Create Debian 10 Proxy VM :~# apt-get install apache2 lynx elinks :~# dpkg -l | grep apache ii apache2 2.4.38-3+deb10u5 amd64 Apache HTTP Server ii apache2-bin 2.4.38-3+deb10u5 amd64 Apache HTTP Server (modules and other binary files) ii apache2-data 2.4.38-3+deb10u5 all Apache HTTP Server (common files) ii apache2-utils 2.4.38-3+deb10u5 amd64 Apache HTTP Server (utility programs for web servers) Check from that VM that LB Manager is usable :~# elinks 192.168.56.160:81/balancer-manager :~# elinks 192.168.56.160:81/test-web01/balancer-manager check direkt in Firefox http://192.168.56.160:81/balancer-manager :~# tail -f /var/log/apache2/management_error.log LB Manager -> "Edit worker settings for..." is visible and usable, no error log entrys - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Create Proxy Config ~# vim /etc/apache2/sites-enabled/000-default.conf [...] <Location /test-web01> ProxyPass http://192.168.56.160:81/test-web01 ProxyPassReverse http://192.168.56.160:81/test-web01 SetOutputFilter INFLATE;SUBSTITUTE Substitute "s|http://192.168.56.90:81|http://192.168.56.160|i" </Location> [...] :~# a2enmod proxy_http substitute :~# systemctl restart apache2 Check now over proxy config :~# elinks 192.168.56.90/test-web01/balancer-manager -> "Edit worker settings for..." is visible and usable, no error log entrys Browser: Firefox and Chrome http://192.168.56.90/test-web01/balancer-manager :~# tail -f /var/log/apache2/management_error.log LB Manager -> "Edit worker settings for..." is visible and usable, no error log entrys => Conclusion everything worked for me as expected. LB Manager is usable through the Proxy Bastion Host. ------------------------------------------------------------------------- dist-upgrade from the LB Manager VM 18.04 -> 20.04 :~# do-release-upgrade :~# shutdown -r now :~# dpkg -l | grep apache2 ii apache2 2.4.41-4ubuntu3.4 amd64 Apache HTTP Server ii apache2-bin 2.4.41-4ubuntu3.4 amd64 Apache HTTP Server (modules and other binary files) ii apache2-data 2.4.41-4ubuntu3.4 all Apache HTTP Server (common files) ii apache2-utils 2.4.41-4ubuntu3.4 amd64 Apache HTTP Server (utility programs for web servers) Check from the LB Manager VM directly now 20.04 :~# elinks http://127.0.0.1:81/balancer-manager :~# lynx http://127.0.0.1:81/balancer-manager :~# tail -f /var/log/apache2/management_error.log [Thu Aug 12 11:07:45.381180 2021] [proxy_balancer:error] [pid 709:tid 139675415078656] [client 127.0.0.1:44158] AH10187: ignoring params in balancer-manager cross-site access check direct in Firefox http://192.168.56.160:81/balancer-manager :~# tail -f /var/log/apache2/management_error.log [Thu Aug 12 11:09:10.362535 2021] [proxy_balancer:error] [pid 709:tid 139675381507840] [client 192.168.56.1:5684] AH10187: ignoring params in balancer-manager cross-site access every connect makes a single Log entry, but LB Manager directly is usable - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Check over Proxy on Debian 10 VM :~# elinks http://192.168.56.90/test-web01/balancer-manager [Thu Aug 12 11:11:41.379048 2021] [proxy_balancer:error] [pid 709:tid 139675230439168] [client 192.168.56.90:48336] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.90/test-web01/balancer- manager?b=test&w=http://192.168.168.130/test&nonce=71c9c136-9639-0ce8-7cb7-e545ae00c50f LB Manager ist not usable The "Edit worker settings for..." is not visible - - - - - - - - - - - - - - - - - - - - - - - - - Browser: Firefox and Chrome http://192.168.56.90/test-web01/balancer-manager [Thu Aug 12 11:12:48.035479 2021] [proxy_balancer:error] [pid 709:tid 139675423471360] [client 192.168.56.90:48338] AH10187: ignoring params in balancer-manager cross-site access [Thu Aug 12 11:12:50.842842 2021] [proxy_balancer:error] [pid 709:tid 139675406685952] [client 192.168.56.90:48338] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.90/test-web01/balancer-manager [Thu Aug 12 11:12:51.653153 2021] [proxy_balancer:error] [pid 709:tid 139675398293248] [client 192.168.56.90:48338] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.90/test-web01/balancer-manager?b=test&w=http://192.168.168.130/test&nonce=71c9c136-9639-0ce8-7cb7-e545ae00c50f [Thu Aug 12 11:12:53.183729 2021] [proxy_balancer:error] [pid 709:tid 139675389900544] [client 192.168.56.90:48338] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.90/test-web01/balancer-manager?b=test&w=http://192.168.168.131/test&nonce=71c9c136-9639-0ce8-7cb7-e545ae00c50f [Thu Aug 12 11:12:53.639131 2021] [proxy_balancer:error] [pid 709:tid 139675501659904] [client 192.168.56.90:48338] AH10187: ignoring params in balancer-manager cross-site access, referer: http://192.168.56.90/test-web01/balancer-manager?b=test&w=http://192.168.168.130/test&nonce=71c9c136-9639-0ce8-7cb7-e545ae00c50f First connect and every singel klick create an error entry. LB Manager is not usable The "Edit worker settings for..." is not visible => Conclusion after Update to focal i can't use the LB Manager behind that Proxy Bastion Host. Unfortunately for me there is no other way to jump in the Production environment. As i say any suggestion is appreciated is this now a bug (regression) or is it now a security feature. That will be for me a realy bad news. Regard Horst ** Affects: apache2 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1939678 Title: Apache2 Balancer Manager not working after dist-upgrade to focal behind a Proxy To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1939678/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
