Nonce issues with auth_digest when running behind a reverse proxy

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| apache2 (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
Confirmed on Ubuntu 14.04.5 with apache2 2.4.18-2ubuntu3.8
No issues with apache2 2.4.18-2ubuntu3.5 or earlier.
I'm running a front-end authenticated reverse proxy on Apache.
The backend is my Trac server, and authentication is failing with nonce errors if I upgrade the version of Apache2.
Example error in the Apache2 logs when I attempt to authenticate:
[Mon Sep 03 15:07:30.830824 2018] [auth_digest:error] [pid 2702] [client 192.168.0.8:50650] AH01776: invalid nonce U6R61+50BQA=
The Apache configuration element for the login URL is as follows:

```apache
<LocationMatch "/[^/]+/login">
    AuthType Digest
    AuthName "Trac"
    Require valid-user
</LocationMatch>
```
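The report identifies the problem by a single `AH01776: invalid nonce` line in the Apache error log. A defender triaging the same symptom usually wants to know how many clients are affected and whether the rejections cluster around one nonce value (a stale nonce after an upgrade or restart) or are spread across many. The following is an added example, not code from the bug report or from Apache: it parses error_log lines in the default Apache 2.4 layout (`[timestamp] [module:level] [pid N] [client IP:PORT] AHnnnnn: message`, a layout assumption of mine), counts AH01776 events per client, and collects the rejected nonce strings. The sample log is constructed; its first line is the one quoted above, the rest are made up to exercise the parser.

```python
import re
from collections import Counter, defaultdict

# Regex for the default Apache 2.4 ErrorLogFormat:
#   [timestamp] [module:level] [pid N] [client IP:PORT] AHnnnnn: message
# The "[client ...]" field is optional because server-level notices lack it.
# This layout assumption is mine, not taken from mod_auth_digest or the report.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

INVALID_NONCE_CODE = "AH01776"          # message id quoted in the bug report
NONCE_RE = re.compile(r"invalid nonce (\S+)")


def parse_line(line):
    """Parse one error_log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    # The client field is "IP:PORT"; split on the last colon so IPv6 literals survive.
    if rec["client"]:
        ip, _, port = rec["client"].rpartition(":")
        rec["ip"], rec["port"] = ip, int(port)
    else:
        rec["ip"], rec["port"] = None, None
    return rec


def summarize_invalid_nonces(lines):
    """Count AH01776 events per client IP and collect the rejected nonce values."""
    per_client = Counter()
    nonces = defaultdict(set)
    total = 0
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["module"] != "auth_digest" or rec["code"] != INVALID_NONCE_CODE:
            continue
        total += 1
        per_client[rec["ip"]] += 1
        nm = NONCE_RE.search(rec["msg"])
        if nm:
            nonces[rec["ip"]].add(nm.group(1))
    return {
        "total": total,
        "per_client": per_client,
        "nonces": {ip: sorted(s) for ip, s in nonces.items()},
        "unparsed": unparsed,
    }


def clients_over_threshold(summary, min_count=2):
    """Clients whose invalid-nonce count reaches min_count, sorted by count, then IP."""
    hits = [(ip, n) for ip, n in summary["per_client"].items() if n >= min_count]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample: the first line is the one quoted in the bug report; the
# rest are made up to exercise the parser (a second client, a notice without a
# client field, and a line that is not in error_log format at all).
SAMPLE_LOG = """\
[Mon Sep 03 15:07:30.830824 2018] [auth_digest:error] [pid 2702] [client 192.168.0.8:50650] AH01776: invalid nonce U6R61+50BQA=
[Mon Sep 03 15:07:31.102000 2018] [auth_digest:error] [pid 2702] [client 192.168.0.8:50651] AH01776: invalid nonce U6R61+50BQA=
[Mon Sep 03 15:07:32.000000 2018] [auth_digest:error] [pid 2703] [client 192.168.0.9:41000] AH01776: invalid nonce Zm9vYmFyYmF6
[Mon Sep 03 15:07:34.000000 2018] [core:notice] [pid 2701] AH00094: Command line: '/usr/sbin/apache2'
not an apache error_log line
"""

if __name__ == "__main__":
    s = summarize_invalid_nonces(SAMPLE_LOG.splitlines())
    print(f"invalid-nonce events: {s['total']} (unparsed lines: {s['unparsed']})")
    for ip, n in clients_over_threshold(s, min_count=1):
        print(f"  {ip}: {n} rejections, nonces {s['nonces'][ip]}")
```

Running it against a real error_log (`summarize_invalid_nonces(open('/var/log/apache2/error.log'))`) gives a quick view of whether every client is being rejected (which points at the server side, as in this report) or only a handful are (which is more consistent with clients replaying old nonces).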
Are you sure you are on Ubuntu 14.04.5? Trusty's latest apache2 is 2.4.7-1ubuntu4.20.
I assume you meant xenial, which does have 2.4.18-2ubuntu3.8 in security but has 3.9 in updates.
3.8 has security fixes around "nonce generation":
```
  * SECURITY UPDATE: insecure nonce generation
    - debian/patches/CVE-2018-1312.patch: actually use the secret when
      generating nonces in modules/aaa/mod_auth_digest.c.
    - CVE-2018-1312
```