functionality loss in mod_proxy rewritten path
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apache2 (Ubuntu) |
Confirmed
|
Undecided
|
Marc Deslauriers |
Bug Description
= ubuntu release =
Description: Ubuntu 22.04.3 LTS
Release: 22.04
= package version =
2.4.52-1ubuntu4.11
= what I expected to happen =
I have a RewriteRule as such
ErrorDocument 503 /cgi-bin/
RewriteRule ^/cgi-bin/
RewriteCond %{HTTP_HOST} ^([^.]+
RewriteRule ^(.+) %{HTTP_HOST}$1 [C]
RewriteRule ^([^.]+
(/run/instance_
I expect that setup to serve a specific FastCGI script in case of a 503 error, proxying to an external HTTP server normally otherwise. The name of the proxied HTTP server is taken as the first part of the hostname in the original request, separating that with dots.
= what happened instead =
After the last security updates this configuration is no longer working. It is instead logging in apache:
AH01083: error parsing URL http://: Invalid host/port
I think I can actually pinpoint the release that introduced the bug as 2.4.52-1ubuntu4.10 , based on my logs.
Actually, there are probably two incompatibilities with this configuration:
Incompatibility 1. The last RewriteRule is the first one producing the AH01083 error and it had to be rewritten with a leading slash on the search pattern as in
RewriteRule ^/([^.]
which is less than optimal given my aim to have the hostname as part of the pattern matching that I could use in the rewritten path - the slash is preposterous but I could live with that, as it works.
Incompatibility 2. The first RewriteRule that uses unix: as the start of the rewritten path
I had not been able to ever use mod_proxy_fcgi in this way again. Even changing The RewriteRule as I did in several other mod_proxy_http setups, the path was only reachable through the canonical request path and would not trigger as an effect of a 503 error.
Just for context I'm explaining a bit the mod_proxy_http changes I had to perform as a consequence of the same security patches.
I have several other apache web servers which use an internal web application server with a RewriteRule as such:
RewriteRule ^(/.*)$ "proxy:
They all had to be rewritten as
RewriteRule ^(/.*)$ "unix:/
And I kind of see the point. I could also live with that. But a similar bug in the same package bit us two years ago and I would really appreciate some regression tests on the security fixes applied with the Canonical backports.
As far as I can tell, my configuration was not inherently vulnerable so the incident could be avoided having tests which cover similar integrations with external HTTP/FastCGI server server processes on Unix sockets.
This problem also affects the backports for Ubuntu 20.04.
information type: | Public → Public Security |
Changed in apache2 (Ubuntu): | |
status: | New → Confirmed |
Thanks for reporting these issues. There are been a few regression fixes upstream following the security updates from their 2.4.60, 2.4.61 and 2.4.62 releases. I will attempt to reproduce your issue and see if it has been fixed upstream yet.