Hello,since Cyrus is able to share calendars, I try to set up a CalDAV server using Cyrus httpd behind an Apache reverse proxy (mod_proxy). During this I made a security-related observation which makes me a bit concerned. It seems to be about caching private data, probably more an issue of my individual setup and not a bug in Cyrus. Anyway – I am a bit clueless and would be happy to discuss this to find a mitigation.
... Test setup / precondtions: - Cyrus 3.0.11 server (imapd, httpd) freshly restarted- Apache 2.4 with mod_proxy (ssl vhost, no explicit cache configuration, only mod_socache_shmcb)
- Browser A with clean cache - Browser B with clean cache Test steps: 1) Request CalDAV URL from Browser A- Expected: Browser presents HTTP Auth, delivers content after successful login - Observed: Browser presents HTTP Auth, delivers content after successful login
- Result: PASS 2) Request same CalDAV URL from Browser B - Expected: Browser presents HTTP Auth - Observed: Browser delivers content without presenting HTTP Auth - Result: FAIL Test observations:- The result of step 2) seems to differ depending of which Cyrus httpd process is hit by the request - The cache-control header delivered by Cyrus httpd seems to not contain „private“ which seems to allow intermediate caches to cache private data
...My first configuration of Apache did allow mod_proxy to reuse the backend-connections to Cyrus httpd. After I added disablereuse=On (which causes Apache to close the backend-connection immediately after processing a single request), it seems to mitigate the observed issue. How could this be possible? These two questions could help me to investigate further on my system:
- When receiving a HTTP Request with an Etag included, when exactly does Cyrus httpd decide whether to request HTTP Authentication? In case the Etag is valid (content unchanged), will it return the 304 without requesting a HTTP Auth?
- How do the Cyrus httpd workers handle HTTP Auth in general? In case of re-using a worker by a permanent connection from a reverse proxy, does it check Authentication on any request, or only at the very first?
I am happy about suggestions or pointers to best practises in regards of using Cyrus httpd behind a reverse proxy.
Kind regards Matthias -- Matthias Petermann <mp@xxxxxxxxxxxxxxx> | www.petermann-it.de Innovative IT-Lösungen, Systemintegration, Linux/FreeBSD/Unix-Support Wildparkring 13, 01458 Ottendorf-Okrilla | Tel.: +49 (0)35205 597 991
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
