apache2 forward proxy socket read error

Bug #1158141 reported by Tim Richardson
This bug affects 2 people
Affects: apache2 (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

I have an Ubuntu 12.04 LTS server. I've set up a proxy server on apache2, on port 443.
The server serves SSL web pages, and I can ssh to the server from a remote shell. I can connect to ssh with a password.
I've set up proxytunnel so I can ssh to it from anywhere. But it's failing.

I get this Socket read error. Why?

Server version: Apache/2.2.22 (Ubuntu)

(churchill is my laptop, accessing the system.)
( I also tried running sshd on 2222 and changing the proxytunnel config, same result)

-------------

churchill:~ tim$ proxytunnel -E -p ec2.growthpath.com.au:443 -d 127.0.0.1:22 -N -P tim -v
Enter local proxy password for user tim:
Build Type 1 NTLM Message : TlRMTVNTUAABAAAAAAAAAAeCCKIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
Local proxy ec2.growthpath.com.au resolves to 54.243.214.78
Connected to ec2.growthpath.com.au:443 (local proxy)

Tunneling to 127.0.0.1:22 (destination)
Communication with local proxy:
 -> CONNECT 127.0.0.1:22 HTTP/1.0
 -> Proxy-Authorization: NTLM TlRMTVNTUAABAAAAAAAAAAeCCKIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
 -> Proxy-Connection: Keep-Alive
error: Socket read error.

On the server, I have defined

-------------

ProxyRequests On
AllowCONNECT 22
ProxyVia On
<Proxy *>
        Order deny,allow
        Deny from all
</Proxy>
<Proxy 127.0.0.1>
        Order deny,allow
        Allow from all
</Proxy>

 apachectl -t -D DUMP_MODULES
/usr/sbin/apachectl: 87: ulimit: error setting limit (Operation not permitted)
[Thu Mar 21 06:18:29 2013] [warn] NameVirtualHost *:80 has no VirtualHosts
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_worker_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgid_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 expires_module (shared)
 headers_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_connect_module (shared)
 proxy_html_module (shared)
 proxy_http_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
 wsgi_module (shared)
Syntax OK

Tags: apache2
Robie Basak (racb) wrote :

Thank you for your report.

This looks like a local configuration problem, rather than a bug in Ubuntu, so I'm marking this bug as Incomplete.

If this is indeed a local configuration problem, you can find pointers to get help for this sort of problem here: http://www.ubuntu.com/support/community

Or if you believe that this is really a bug, then you may find it helpful to read "How to report bugs effectively" http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then update your report, and then change the bug status back to New.

The problem here is that you seem to be saying that proxytunnel does not work at all. If this is a problem with apache2, can you pin down exactly what about apache2 does not work, in technical terms? Or if this is a problem with proxytunnel, then likewise?

Changed in apache2 (Ubuntu):
status: New → Incomplete
Tim Richardson (tim-richardson) wrote :

I have requested help already via the forums, but didn't get an answer.
I guess it's an Apache problem because the error is a socket read error, but I don't know enough to test this. I actually don't know what a socket read error means. There are other reports of similar problems on RedHat, where fixes have involved SELinux tweaking, so maybe it is a security problem.
If an expert in apache2 forward proxying can help give me some steps to eliminate apache2 that would be great.
Because this is an important tool to bypass internet censorship and because apache2 and proxytunnel are common tools, I hope that someone can provide guidance.

Robie Basak (racb) wrote :

Tim,

Sorry but this is a bug tracker, not a support forum. Please continue trying the forums, or the ubuntu-server mailing list, askubuntu.com or IRC.

Changed in apache2 (Ubuntu):
status: Incomplete → Invalid
Dinçer Kavraal (dkavraal) wrote :

Same problem here

AlainKnaff (kubuntu-misc) wrote :

Same problem here.

Works fine with 1.9.0+svn250-3

Broken with 1.9.0+svn250-5 (Package for vivid, installed on a trusty)

Btw, Robie, if you snub one user, in reality you also snub hundreds of others who find his bug report by googling for the same symptoms, so please be a bit more helpful. It reflects badly on the community.

... and if it is not the same problem, maybe the real bug is that the error message is just so goddamn vague. Even with -v (verbose) there was not more detail than "error: Socket read error".

Robie Basak (racb) wrote :

Alain,

I'm trying to help, and I'm sorry that you feel that I'm snubbing users. I'm happy to take feedback on what I should be doing instead. Please can you explain how you think I've snubbed users here?

AlainKnaff (kubuntu-misc) wrote :

Found it.

Actually it was due to both a peculiarity in the proxy server I wanted to get through, and a bug in how proxytunnel sets SNI.

It seems that our proxy server ignores SNI in SSLv3, but considers it in TLSv1.

And proxytunnel sets the wrong SNI.

proxytunnel ---> proxy1 (the one I want to get through) ---> proxy2 (my Apache) ---> ssh.

After sending CONNECT proxy2:443 to the proxy1 (in order to be connected through to proxy2), it starts negotiating the SSL session with proxy2. It would be logical to base that negotiation on the host name of proxy2. However, proxytunnel mistakenly includes proxy1 as the SNI in that negotiation.

With the result that the "evil" proxy1, which snoops at the initial part of the negotiation (which is still clear-text...), sees that SNI, then ignores the host that it got in the CONNECT header, and instead attempts to connect to the host that it saw in the SNI, which would be itself (proxy1 instead of proxy2).

In my case, just dropping the SNI setting code in stream_enable_ssl in pstream.c fixed the issue.
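The SNI mix-up Alain describes can be checked without a network: the ClientHello that proxytunnel sends inside the CONNECT tunnel must carry proxy2's name, not proxy1's. The following is an added example (not from the bug report or from proxytunnel) that generates a real ClientHello offline with Python's ssl.MemoryBIO and extracts the server_name extension the same way a snooping intermediate proxy would; the hostnames proxy1.example and proxy2.example are constructed.

```python
"""Added example: verify which SNI a client sends through a CONNECT tunnel."""
import ssl
import struct
from typing import Optional

PROXY1 = "proxy1.example"   # the proxy we tunnel through (constructed name)
PROXY2 = "proxy2.example"   # our own Apache forward proxy (constructed name)


def connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT sent to proxy1; it names proxy2, exactly as in the report."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()


def client_hello(sni: str) -> bytes:
    """Produce the client's first TLS flight (a ClientHello) with no socket I/O."""
    ctx = ssl.create_default_context()
    inp, out = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(inp, out, server_hostname=sni)
    try:
        obj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: nothing to read yet, the ClientHello now sits in `out`
    return out.read()


def parse_sni(hello: bytes) -> Optional[str]:
    """Extract server_name from a TLS ClientHello record (RFC 6066 section 3)."""
    if len(hello) < 5 or hello[0] != 0x16:           # not a TLS handshake record
        return None
    p = 5 + 4                                         # record header + handshake header
    p += 2 + 32                                       # client_version + random
    p += 1 + hello[p]                                 # session_id
    p += 2 + struct.unpack("!H", hello[p:p + 2])[0]   # cipher_suites
    p += 1 + hello[p]                                 # compression_methods
    ext_len = struct.unpack("!H", hello[p:p + 2])[0]
    p, end = p + 2, p + 2 + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4])
        body = hello[p + 4:p + 4 + elen]
        if etype == 0:                                # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
        p += 4 + elen
    return None


def sni_matches_connect(hello: bytes, connect_host: str) -> bool:
    """The check a defender wants: SNI inside the tunnel must equal the CONNECT target."""
    return parse_sni(hello) == connect_host
```

Run against a captured ClientHello (e.g. the first bytes after proxy1's "200 Connection established"), a False result means the client is leaking the wrong name and an SNI-aware intermediary will route the tunnel to itself, as Alain observed.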
