Ubuntu
apache2 package

Bug #1875299
Comment #19

Comment 19 for bug 1875299

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-06-16:

#19

2.4.24 30060fb18dcbb189d66bcc5a6f66f50fe7d5d3d4
2.4.18 b82d3c64494b7a59c13f03d169631177c1f6170d

Notes to not-nice-but-working build from git :-):
$ git clean -x -f -d
$ wget https://apache.mirror.digionline.de//apr/apr-util-1.6.1.tar.gz -O /tmp/apru.tgz
$ wget https://apache.mirror.digionline.de//apr/apr-1.7.0.tar.gz -O /tmp/apr.tgz
$ tar -xf /tmp/apr.tgz -C srclib/
$ tar -xf /tmp/apru.tgz -C srclib/
$ mv srclib/apr-1.7.0 srclib/apr
$ mv srclib/apr-util-1.6.1 srclib/apr-util
$ ./buildconf
$ ./configure --enable-layout=Debian --enable-so --with-program-name=apache2 --enable-suexec --with-suexec-caller=www-data --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec.log --with-suexec-uidmin=100 --enable-suexec=shared --enable-log-config=static --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config --with-pcre=yes --enable-pie --enable-mpms-shared=all --enable-mods-shared="all cgi ident proxy_fdpass" --enable-mods-static="unixd logio watchdog version" CFLAGS="-pipe" LDFLAGS="-Wl,--as-needed" LTFLAGS="--no-silent"
$ printf "all:\n\techo yeah\ninstall:\n\techo yeah" > srclib/Makefile
$ make
$ make install
$ md5sum /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2; ll /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2
$ systemctl restart apache2

2.2.24
a956ffb3146d4d573c9d5b558f425543 /usr/lib/apache2/modules/mod_remoteip.so
3da6c1a5cd722a5929dbcd7aec3b25da /usr/lib/apache2/modules/mod_rewrite.so
d1bdb21f7aaf9863fd50edd0f47686ab /usr/sbin/apache2
-rwxr-xr-x 1 root root 18288 Jun 16 08:04 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root 96384 Jun 16 08:05 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 933200 Jun 16 08:05 /usr/sbin/apache2*

=> works

2.2.18
8bbf7be2a5a718045f85eb88e5cf3c98 /usr/lib/apache2/modules/mod_remoteip.so
bbb2b45e6c1da8e346b19e223fafe6c5 /usr/lib/apache2/modules/mod_rewrite.so
2877029808bfd25df927bc1068d6f4c0 /usr/sbin/apache2
-rwxr-xr-x 1 root root 18288 Jun 16 08:28 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root 96264 Jun 16 08:28 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 898528 Jun 16 08:28 /usr/sbin/apache2*

=> Fails

This already looked like git-bisect land, when on testing these builds I found that the local test:
$ curl http://localhost/seo-friendly-url -H "X-Forwarded-For: 1.1.1.1"
can still be fooled
while at the same time any remote access like
$ curl 10.253.194.202/foo -H "X-Forwarded-For: 1.1.1.1"
responds to the fix as expected.

Once that was learned I can say that my fix in the PPA actually works, the only change is that the curl test has to be from another host.

@Marcus - can you confirm that in your testing?

2.4.24 30060fb18dcbb189d66bcc5a6f66f50fe7d5d3d4
2.4.18 b82d3c64494b7a59c13f03d169631177c1f6170d

Notes to not-nice-but-working build from git :-):
$ git clean -x -f -d
$ wget https://apache.mirror.digionline.de//apr/apr-util-1.6.1.tar.gz -O /tmp/apru.tgz
$ wget https://apache.mirror.digionline.de//apr/apr-1.7.0.tar.gz -O /tmp/apr.tgz
$ tar -xf /tmp/apr.tgz -C srclib/
$ tar -xf /tmp/apru.tgz -C srclib/
$ mv srclib/apr-1.7.0 srclib/apr
$ mv srclib/apr-util-1.6.1 srclib/apr-util
$ ./buildconf
$ ./configure --enable-layout=Debian --enable-so --with-program-name=apache2  --enable-suexec --with-suexec-caller=www-data --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec.log --with-suexec-uidmin=100 --enable-suexec=shared --enable-log-config=static --with-apr=/usr/bin/apr-1-config --with-apr-util=/usr/bin/apu-1-config --with-pcre=yes --enable-pie --enable-mpms-shared=all --enable-mods-shared="all cgi ident proxy_fdpass" --enable-mods-static="unixd logio watchdog version" CFLAGS="-pipe" LDFLAGS="-Wl,--as-needed" LTFLAGS="--no-silent"
$ printf "all:\n\techo yeah\ninstall:\n\techo yeah" > srclib/Makefile
$ make
$ make install
$ md5sum /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2; ll /usr/lib/apache2/modules/mod_remoteip.so /usr/lib/apache2/modules/mod_rewrite.so /usr/sbin/apache2
$ systemctl restart apache2

2.2.24
a956ffb3146d4d573c9d5b558f425543  /usr/lib/apache2/modules/mod_remoteip.so
3da6c1a5cd722a5929dbcd7aec3b25da  /usr/lib/apache2/modules/mod_rewrite.so
d1bdb21f7aaf9863fd50edd0f47686ab  /usr/sbin/apache2
-rwxr-xr-x 1 root root  18288 Jun 16 08:04 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root  96384 Jun 16 08:05 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 933200 Jun 16 08:05 /usr/sbin/apache2*

=> works

2.2.18
8bbf7be2a5a718045f85eb88e5cf3c98  /usr/lib/apache2/modules/mod_remoteip.so
bbb2b45e6c1da8e346b19e223fafe6c5  /usr/lib/apache2/modules/mod_rewrite.so
2877029808bfd25df927bc1068d6f4c0  /usr/sbin/apache2
-rwxr-xr-x 1 root root  18288 Jun 16 08:28 /usr/lib/apache2/modules/mod_remoteip.so*
-rwxr-xr-x 1 root root  96264 Jun 16 08:28 /usr/lib/apache2/modules/mod_rewrite.so*
-rwxr-xr-x 1 root root 898528 Jun 16 08:28 /usr/sbin/apache2*

=> Fails

Once that was learned I can say that my fix in the PPA actually works, the only change is that the curl test has to be from another host.

@Marcus - can you confirm that in your testing?

Ubuntuapache2 package

Comment 19 for bug 1875299

Ubuntu
apache2 package