Re: [users@httpd] Apache 2.0.55/win32 + OpenSSL 0.9.8a & OWA Reverse Proxy Problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

I run exactly in the same problem, but with another architecture:

Red Hat Enterprise Linux AS release 3+4
Apache 2.0.55
OpenSSL  0.9.7a
I'm using Apache also as a SSL-Proxy for a Zope server and some operations especially with FORMs doesn't work anymore. 

Thanks for a feedback,
Michele

On 20.10.2005, at 18:06, Manuel Martin wrote:

Hello people,

since 2.0.55 a reverse SSL-proxy (on Windows 2000) which I setup for MS
Exchange 2003 Outlook Web Access makes problems. The users stumbled over the problem that they cannot attach files to their emails. I tried it myself: the attachment seems to be uploaded to the server, but is not "registered" by 
Exchange.
If I downgrade to 2.0.54 + OpenSSL 0.9.8 (I changed Apache while back to make 
that compilation possible) it works fine again.
I really suspect this change to be the culprit:
"SECURITY: CAN-2005-2088 (cve.mitre.org)
     proxy: Correctly handle the Transfer-Encoding and Content-Length
     headers.  Discard the request Content-Length whenever T-E: chunked
     is used, always passing one of either C-L or T-E: chunked whenever
     the request includes a request body.  Resolves an entire class of
     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]"

Has anyone run or _not_ run into this problem with this configuration?

Here's part of the conf:

LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost _default_:443>
	ServerName owa.server
	SSLEngine On
	SSLProxyEngine on
	ProxyVia On
	ProxyPass / https://owa.server
	ProxyPassReverse / https://owa.server
	SSLCertificateKeyFile c:/apache/conf/ssl/owa.pem
	SSLCertificateFile c:/apache/conf/ssl/owa.crt
	CustomLog "|c:/apache/bin/rotatelogs.exe c:/log/%Y%m%d_owa.log 86400"
combined
	<Location />
		Allow from All
		AuthType Basic
		AuthName "OWA"
		AuthUserFile conf/owa-passwords
		Require valid-user
	</Location>
</VirtualHost>
The internal ip of "owa.server" is setup in the hosts file to facilitate the 
generation of correct URLs by Exchange (as suggested in
http://www.soft-land.org/articoli/exch).

Regards, Manuel Martin

--
michele.marcionelli@xxxxxxxxxxxx / phone: +41 44 632 6193
eth zentrum / hg g 14 / raemistrasse 101 - ch-8092 zurich


!DSPAM:435891e280741364917618!


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux