Re: httpd 2.2.21: mod_cache incorrectly returns HTTP 200 for nonexistent reverse-proxied content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Title: Re: httpd 2.2.21: mod_cache incorrectly returns HTTP 200 for nonexistent reverse-proxied content
Igor,

We disagree.

This problem can be reproduced without even involving mod_proxy, with the following, simpler, configuration:

---
<IfModule !mod_cache.c>
LoadModule cache_module modules/mod_cache.so
</IfModule>

<IfModule !mod_disk_cache.c>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfModule>

<IfModule mod_cache.c>
  <IfModule mod_disk_cache.c>
    CacheRoot /data/httpcache/httpd/cache-root
    CacheDirLevels 3
    CacheDirLength 1
    CacheMinFileSize 0
    CacheMaxFileSize 1000000
  </IfModule>
</IfModule>

CacheEnable disk /

ErrorDocument 404 /error.jpg
---

As soon as the error document image is requested, and subsequently cached, all subsequent requests for non-existent resources return a HTTP 200.
mod_cache is plainly interfering with the correct http response code.

It is often desirable to cache error pages. Whether or not these are cached should have no bearing on correct http codes being returned for present/absent resources.

Glen

On 27/07/2012 12:36, "Igor Cicimov" <icicimov@xxxxxxxxx> wrote:

On Fri, Jul 27, 2012 at 7:32 PM, Glen Birnie <glen.birnie@xxxxxxxxx> wrote:
Igor,

Thanks for your reply ... though what you describe sounds like a workaround, rather than a fix, to the problem.

We are considering raising an issue in the main httpd bug database.

Regards,

Glen


On 26/07/2012 01:57, "Igor Cicimov" <icicimov@xxxxxxxxx <http://icicimov@xxxxxxxxx> > wrote:

On Tue, Jul 24, 2012 at 12:28 AM, Glen Birnie <glen.birnie@xxxxxxxxx <http://glen.birnie@xxxxxxxxx> > wrote:
We have seen an issue in httpd 2.2.21 where mod_cache incorrectly returns
HTTP 200 responses instead of HTTP 404 where:

- Reverse proxying is configured.
- ProxyErrorOverride is set to On.
- mod_disk_cache is set up to cache content proxied from mod_proxy.
- A local ErrorDocument 404 URL is configured.
- The error document URL is requested and the contents cached by
mod_disk_cache.
- A nonexistent URL is routed to the proxy destination, the destination
proxy returns a 404, but mod_cache returns the configured ErrorDocument
content with an incorrect 200 response.

We have done some searching of the list archives and bug database but have
not seen reports of any similar problems.

---

Steps to reproduce:

- Create an error image and write to the document root (we assume URI
/error.jpg in the examples below).

- Setup a mod_disk_cache directory (we assume
/data/httpcache/httpd/cache-root) with the necessary permissions.

- Use configuration akin to the following (set "proxy.destination" /
"web.proxy" as appropriate):

<IfModule !mod_cache.c>
LoadModule cache_module modules/mod_cache.so
</IfModule>

<IfModule !mod_disk_cache.c>
LoadModule disk_cache_module modules/mod_disk_cache.so
</IfModule>

<IfModule !mod_rewrite.c>
LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

<IfModule !mod_proxy.c>
LoadModule proxy_module modules/mod_proxy.so
</IfModule>

<IfModule mod_cache.c>
  <IfModule mod_disk_cache.c>
    CacheRoot /data/httpcache/httpd/cache-root
    CacheDirLevels 3
    CacheDirLength 1
    CacheMinFileSize 0
    CacheMaxFileSize 1000000
  </IfModule>
</IfModule>

CacheEnable disk /

ProxyErrorOverride On
ProxyPassReverse / http://proxy.destination/

# Configure this if the destination server resides behind a proxy
#ProxyRemote http://proxy.destination/ http://web.proxy:80

<Location /proxystuff/>
  RewriteEngine On
  RewriteRule /proxystuff/error$ /error.jpg [L]
  RewriteRule /proxystuff/get http://proxy.destination%{REQUEST_URI} [P,L]

  # This image should reside in the document root,
  # i.e. return a HTTP 200 when requested
  ErrorDocument 404 /error.jpg
</Location>


- Request the error image e.g.:

curl -Lsv -H 'Pragma: ' -o /dev/null http://localhost/error.jpg

This should get written into the cache:

htcacheclean -a -D -p /data/httpcache/httpd/cache-root


- Request a nonexistent proxied URL e.g.:

curl -Lsv -H 'Pragma: ' -o /dev/null http://localhost/proxystuff/get

An incorrect HTTP 200 response is returned instead of the expected HTTP 404.
Note this does not happen if the CacheEnable directive is disabled.

It appears that mod_cache is returning a cached 404 errordocument response
and assuming that (because this exists) a 200 should be issued, rather than
forwarding the 404 response from the destination proxy server.


Glen


http://www.bbc.co.uk/
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx <http://users-unsubscribe@xxxxxxxxxxxxxxxx>
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx <http://users-help@xxxxxxxxxxxxxxxx>


Use CacheDisable directive to disable caching for your custom error pages, something like this:

CacheDisable /your_custom_err_pages

and put 404 page inside

Also according to the documentation you can use the no-cache environment variable to disable caching on finer grained set of resources.

Igor


 

http://www.bbc.co.uk

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.


Don't see a reason why would this be a bug or even workaround when it is a documented module feature? The module is obviously designed to work in that way. You have CacheEnable and CacheDisable directives available and is up to you to use them properly. By "CacheEnable disk  /" you tell the module to cache everything and then with CacheDisable you exclude what you don't want to be cached. Similar as mod_proxy lets say. If you proxy the document root with "ProxyPass /" then you have "ProxyPass /somethig/not_me !" available to exclude part of it from being proxy to the remote server.

 


 

http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in error, please delete it from your system.
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.
Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux