OK, after a few days on other projects, I'm back with more info on this.
Amos Jeffries wrote:
The problem I'm seeing is that whenever a CGI is called via HTTP with a
POST method, it gets converted to GET when the new request comes in on
HTTPS. This, of course, breaks the app.
I should mention that we've experienced this with both IE 7 on WinXP and
with Firefox on Ubuntu Linux.
Has anybody seen this behavior before, or heard anything that would
indicate the conversion is a security feature?
Try squidclient -h ?? -p 80 -m POST http://...
and see what squid gives back in the 301 headers.
It balks because I haven't specified a Content-Length. I assume this is merely a problem with my invocation of squidclient, and unrelated to my root problem of POSTs changing to GETs. How do I specify a Content-Length? I can't find any documentation on squidclient. (There are more important questions below this snippet of output.)
# squidclient -h revproxy.bryanlgh.org -p 80 -m POST http://ocsinf.bryanlgh.org/pls/orasso/orasso.wwsso_app_admin.ls_logout
HTTP/1.0 411 Length Required
Server: squid/2.6.STABLE6
Date: Thu, 31 Jan 2008 22:13:08 GMT
Content-Type: text/html
Content-Length: 1272
Expires: Thu, 31 Jan 2008 22:13:08 GMT
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from revproxy.bryanlgh.org
X-Cache-Lookup: NONE from revproxy.bryanlgh.org:80
Via: 1.0 revproxy.bryanlgh.org:80 (squid/2.6.STABLE6)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The requested URL could not be retrieved</TITLE>
<STYLE type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The requested URL could not be retrieved</H2>
<HR noshade size="1px">
<P>
While trying to process the request:
<PRE>
POST /pls/orasso/orasso.wwsso_app_admin.ls_logout HTTP/1.0
Accept: */*
</PRE>
<P>
The following error was encountered:
<UL>
<LI>
<STRONG>
Invalid Request
</STRONG>
</UL>
<P>
Some aspect of the HTTP Request is invalid. Possible problems:
<UL>
<LI>Missing or unknown request method
<LI>Missing URL
<LI>Missing HTTP Identifier (HTTP/1.0)
<LI>Request is too large
<LI>Content-Length missing for POST or PUT requests
<LI>Illegal character in hostname; underscores are not allowed
</UL>
<P>Your cache administrator is <A HREF="mailto:systems@xxxxxxxxxxxx">systems@xxxxxxxxxxxx</A>.
<BR clear="all">
<HR noshade size="1px">
<ADDRESS>
Generated Thu, 31 Jan 2008 22:13:08 GMT by revproxy.bryanlgh.org (squid/2.6.STABLE6)
</ADDRESS>
</BODY></HTML>
Also, I did some packet dumps during the switchover. In the following, "musketeers" represents the client's web browser. "revproxy" and "192.168.2.67" are the reverse proxy server running squid. "172.22.66.206" are the internal servers behind the proxy.
Here's my original browser request for a POST to the HTTP URL:
16:03:13.709530 IP musketeers-dmz1.bryanlgh.org.44829 > 192.168.2.67.http: P 1:1051(1050) ack 1 win 8192
0x0000: 4500 0442 4cd9 4000 ff06 a540 c0a8 0208 E..BL.@....@....
0x0010: c0a8 0243 af1d 0050 ec76 f273 507b a5b9 ...C...P.v.sP{..
0x0020: 5018 2000 290d 0000 504f 5354 202f 706c P...)...POST./pl
0x0030: 732f 6f72 6173 736f 2f6f 7261 7373 6f2e s/orasso/orasso.
0x0040: 7777 7373 6f5f 6170 705f 6164 6d69 6e2e wwsso_app_admin.
0x0050: 6c73 5f6c 6f67 6f75 7420 4854 5450 2f31 ls_logout.HTTP/1
0x0060: 2e31 0d0a 486f 7374 3a20 6f63 7369 6e66 .1..Host:.ocsinf
0x0070: 2e62 7279 616e 6c67 682e 6f72 670d 0a55 .bryanlgh.org..U
0x0080: 7365 722d 4167 656e 743a 204d 6f7a 696c ser-Agent:.Mozil
0x0090: 6c61 2f35 2e30 2028 5831 313b 2055 3b20 la/5.0.(X11;.U;.
0x00a0: 4c69 6e75 7820 6936 3836 3b20 656e 2d55 Linux.i686;.en-U
0x00b0: 533b 2072 763a 312e 382e 312e 3131 2920 S;.rv:1.8.1.11).
0x00c0: 4765 636b 6f2f 3230 3037 3132 3034 2055 Gecko/20071204.U
0x00d0: 6275 6e74 752f 372e 3130 2028 6775 7473 buntu/7.10.(guts
0x00e0: 7929 2046 6972 6566 6f78 2f32 2e30 2e30 y).Firefox/2.0.0
0x00f0: 2e31 310d 0a41 6363 6570 743a 2074 6578 .11..Accept:.tex
0x0100: 742f 786d 6c2c 6170 706c 6963 6174 696f t/xml,applicatio
0x0110: 6e2f 786d 6c2c 6170 706c 6963 6174 696f n/xml,applicatio
0x0120: 6e2f 7868 746d 6c2b 786d 6c2c 7465 7874 n/xhtml+xml,text
0x0130: 2f68 746d 6c3b 713d 302e 392c 7465 7874 /html;q=0.9,text
0x0140: 2f70 6c61 696e 3b71 3d30 2e38 2c69 6d61 /plain;q=0.8,ima
0x0150: 6765 2f70 6e67 2c2a 2f2a 3b71 3d30 2e35 ge/png,*/*;q=0.5
0x0160: 0d0a 4163 6365 7074 2d4c 616e 6775 6167 ..Accept-Languag
0x0170: 653a 2065 6e2d 7573 2c65 6e3b 713d 302e e:.en-us,en;q=0.
0x0180: 350d 0a41 6363 6570 742d 456e 636f 6469 5..Accept-Encodi
0x0190: 6e67 3a20 677a 6970 2c64 6566 6c61 7465 ng:.gzip,deflate
0x01a0: 0d0a 4163 6365 7074 2d43 6861 7273 6574 ..Accept-Charset
0x01b0: 3a20 4953 4f2d 3838 3539 2d31 2c75 7466 :.ISO-8859-1,utf
0x01c0: 2d38 3b71 3d30 2e37 2c2a 3b71 3d30 2e37 -8;q=0.7,*;q=0.7
0x01d0: 0d0a 4b65 6570 2d41 6c69 7665 3a20 3330 ..Keep-Alive:.30
0x01e0: 300d 0a43 6f6e 6e65 6374 696f 6e3a 206b 0..Connection:.k
0x01f0: 6565 702d 616c 6976 650d 0a43 6f6f 6b69 eep-alive..Cooki
0x0200: 653a 2043 4649 443d 3132 3138 3636 3b20 e:.CFID=121866;.
0x0210: 4346 544f 4b45 4e3d 3333 3738 3939 3132 CFTOKEN=33789912
0x0220: 3b20 5353 4f5f 4944 3d76 312e 327e 317e ;.SSO_ID=v1.2~1~
0x0230: 3944 3141 4239 3831 4338 3342 4437 3445 9D1AB981C83BD74E
... (long hex dump deleted)
16:03:13.709538 IP musketeers-dmz1.bryanlgh.org.44829 > 192.168.2.67.http: P 1051:1122(71) ack 1 win 8192
0x0000: 4500 006f 8190 4000 ff06 745c c0a8 0208 E..o..@...t\....
0x0010: c0a8 0243 af1d 0050 ec76 f68d 507b a5b9 ...C...P.v..P{..
0x0020: 5018 2000 e64b 0000 436f 6e74 656e 742d P....K..Content-
0x0030: 5479 7065 3a20 6170 706c 6963 6174 696f Type:.applicatio
0x0040: 6e2f 782d 7777 772d 666f 726d 2d75 726c n/x-www-form-url
0x0050: 656e 636f 6465 640d 0a43 6f6e 7465 6e74 encoded..Content
0x0060: 2d4c 656e 6774 683a 2034 380d 0a0d 0a -Length:.48....
16:03:13.709542 IP musketeers-dmz1.bryanlgh.org.44829 > 192.168.2.67.http: P 1122:1170(48) ack 1 win 8192
0x0000: 4500 0058 e2b9 4000 ff06 134a c0a8 0208 E..X..@....J....
0x0010: c0a8 0243 af1d 0050 ec76 f6d4 507b a5b9 ...C...P.v..P{..
0x0020: 5018 2000 d0ba 0000 705f 646f 6e65 5f75 P.......p_done_u
0x0030: 726c 3d68 7474 7025 3341 2532 4625 3246 rl=http%3A%2F%2F
0x0040: 6f63 7361 7070 2e62 7279 616e 6c67 682e ocsapp.bryanlgh.
0x0050: 6f72 6725 3246 756d org%2Fum
And here's the proxy's reply containing the 301 redirect to the HTTPS version of the same URL. Content-Length is zero (is that bad at this point?), and no method is specified.
16:03:13.709926 IP 192.168.2.67.http > musketeers-dmz1.bryanlgh.org.44829: P 1:33(32) ack 1170 win 7350
0x0000: 4500 0048 26c1 4000 4006 8e53 c0a8 0243 E..H&.@.@..S...C
0x0010: c0a8 0208 0050 af1d 507b a5b9 ec76 f704 .....P..P{...v..
0x0020: 5018 1cb6 85d6 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2033 3031 204d 6f76 6564 2050 6572 6d61 .301.Moved.Perma
0x0040: 6e65 6e74 6c79 0d0a nently..
16:03:13.709975 IP 192.168.2.67.http > musketeers-dmz1.bryanlgh.org.44829: P 33:201(168) ack 1170 win 7350
0x0000: 4500 00d0 26c2 4000 4006 8dca c0a8 0243 E...&.@.@......C
0x0010: c0a8 0208 0050 af1d 507b a5d9 ec76 f704 .....P..P{...v..
0x0020: 5018 1cb6 865e 0000 5365 7276 6572 3a20 P....^..Server:.
0x0030: 7371 7569 642f 322e 362e 5354 4142 4c45 squid/2.6.STABLE
0x0040: 360d 0a44 6174 653a 2054 6875 2c20 3331 6..Date:.Thu,.31
0x0050: 204a 616e 2032 3030 3820 3232 3a30 333a .Jan.2008.22:03:
0x0060: 3133 2047 4d54 0d0a 436f 6e74 656e 742d 13.GMT..Content-
0x0070: 4c65 6e67 7468 3a20 300d 0a4c 6f63 6174 Length:.0..Locat
0x0080: 696f 6e3a 2068 7474 7073 3a2f 2f6f 6373 ion:.https://ocs
0x0090: 696e 662e 6272 7961 6e6c 6768 2e6f 7267 inf.bryanlgh.org
0x00a0: 2f70 6c73 2f6f 7261 7373 6f2f 6f72 6173 /pls/orasso/oras
0x00b0: 736f 2e77 7773 736f 5f61 7070 5f61 646d so.wwsso_app_adm
0x00c0: 696e 2e6c 735f 6c6f 676f 7574 0d0a 0d0a in.ls_logout....
Here, the browser issued another request to the proxy at the HTTPS address, but since it's encrypted, there's no useful data in the packet dump. The proxy decrypts that request and sends the following request to the internal server, using the proper URL but the incorrect GET method:
16:03:13.718473 IP revproxy.bryanlgh.org.40293 > 172.22.66.206.http: P 1:1127(1126) ack 1 win 5840
0x0000: 4500 048e def8 4000 4006 a5a4 c0a8 0240 E.....@.@......@
0x0010: ac16 42ce 9d65 0050 5058 5dfa 1aef 2b43 ..B..e.PPX]...+C
0x0020: 5018 16d0 b64d 0000 4745 5420 2f70 6c73 P....M..GET./pls
0x0030: 2f6f 7261 7373 6f2f 6f72 6173 736f 2e77 /orasso/orasso.w
0x0040: 7773 736f 5f61 7070 5f61 646d 696e 2e6c wsso_app_admin.l
0x0050: 735f 6c6f 676f 7574 2048 5454 502f 312e s_logout.HTTP/1.
0x0060: 300d 0a48 6f73 743a 206f 6373 696e 662e 0..Host:.ocsinf.
0x0070: 6272 7961 6e6c 6768 2e6f 7267 0d0a 5573 bryanlgh.org..Us
0x0080: 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c er-Agent:.Mozill
0x0090: 612f 352e 3020 2858 3131 3b20 553b 204c a/5.0.(X11;.U;.L
0x00a0: 696e 7578 2069 3638 363b 2065 6e2d 5553 inux.i686;.en-US
0x00b0: 3b20 7276 3a31 2e38 2e31 2e31 3129 2047 ;.rv:1.8.1.11).G
0x00c0: 6563 6b6f 2f32 3030 3731 3230 3420 5562 ecko/20071204.Ub
0x00d0: 756e 7475 2f37 2e31 3020 2867 7574 7379 untu/7.10.(gutsy
0x00e0: 2920 4669 7265 666f 782f 322e 302e 302e ).Firefox/2.0.0.
0x00f0: 3131 0d0a 4163 6365 7074 3a20 7465 7874 11..Accept:.text
0x0100: 2f78 6d6c 2c61 7070 6c69 6361 7469 6f6e /xml,application
0x0110: 2f78 6d6c 2c61 7070 6c69 6361 7469 6f6e /xml,application
0x0120: 2f78 6874 6d6c 2b78 6d6c 2c74 6578 742f /xhtml+xml,text/
0x0130: 6874 6d6c 3b71 3d30 2e39 2c74 6578 742f html;q=0.9,text/
0x0140: 706c 6169 6e3b 713d 302e 382c 696d 6167 plain;q=0.8,imag
0x0150: 652f 706e 672c 2a2f 2a3b 713d 302e 350d e/png,*/*;q=0.5.
0x0160: 0a41 6363 6570 742d 4c61 6e67 7561 6765 .Accept-Language
0x0170: 3a20 656e 2d75 732c 656e 3b71 3d30 2e35 :.en-us,en;q=0.5
0x0180: 0d0a 4163 6365 7074 2d45 6e63 6f64 696e ..Accept-Encodin
0x0190: 673a 2067 7a69 702c 6465 666c 6174 650d g:.gzip,deflate.
0x01a0: 0a41 6363 6570 742d 4368 6172 7365 743a .Accept-Charset:
0x01b0: 2049 534f 2d38 3835 392d 312c 7574 662d .ISO-8859-1,utf-
0x01c0: 383b 713d 302e 372c 2a3b 713d 302e 370d 8;q=0.7,*;q=0.7.
0x01d0: 0a43 6f6f 6b69 653a 2043 4649 443d 3132 .Cookie:.CFID=12
0x01e0: 3138 3636 3b20 4346 544f 4b45 4e3d 3333 1866;.CFTOKEN=33
0x01f0: 3738 3939 3132 3b20 5353 4f5f 4944 3d76 789912;.SSO_ID=v
0x0200: 312e 327e 317e 3944 3141 4239 3831 4338 1.2~1~9D1AB981C8
0x0210: 3342 4437 3445 4142 3535 3342 4131 3442 3BD74EAB553BA14B
... (more hex dump deleted)
0x0410: 4436 3242 3231 0d0a 5669 613a 2031 2e31 D62B21..Via:.1.1
0x0420: 2072 6576 7072 6f78 792e 6272 7961 6e6c .revproxy.bryanl
0x0430: 6768 2e6f 7267 3a38 3020 2873 7175 6964 gh.org:80.(squid
0x0440: 2f32 2e36 2e53 5441 424c 4536 290d 0a58 /2.6.STABLE6)..X
0x0450: 2d46 6f72 7761 7264 6564 2d46 6f72 3a20 -Forwarded-For:.
0x0460: 3139 322e 3136 382e 322e 380d 0a43 6163 192.168.2.8..Cac
0x0470: 6865 2d43 6f6e 7472 6f6c 3a20 6d61 782d he-Control:.max-
0x0480: 6167 653d 3235 3932 3030 0d0a 0d0a age=259200....
And the internal server responds with "NOT FOUND":
16:03:13.738001 IP 172.22.66.206.http > revproxy.bryanlgh.org.40293: P 1:197(196) ack 1127 win 8192
0x0000: 4500 00ec 9bcf 4000 ff06 2d6f ac16 42ce E.....@...-o..B.
0x0010: c0a8 0240 0050 9d65 1aef 2b43 5058 6260 ...@.P.e..+CPXb`
0x0020: 5018 2000 b548 0000 4854 5450 2f31 2e31 P....H..HTTP/1.1
0x0030: 2034 3034 204e 6f74 2046 6f75 6e64 0d0a .404.Not.Found..
0x0040: 4461 7465 3a20 5468 752c 2033 3120 4a61 Date:.Thu,.31.Ja
0x0050: 6e20 3230 3038 2032 323a 3033 3a31 3320 n.2008.22:03:13.
0x0060: 474d 540d 0a53 6572 7665 723a 204f 7261 GMT..Server:.Ora
0x0070: 636c 652d 4170 706c 6963 6174 696f 6e2d cle-Application-
0x0080: 5365 7276 6572 2d31 3067 2f31 302e 312e Server-10g/10.1.
0x0090: 322e 302e 3220 4f72 6163 6c65 2d48 5454 2.0.2.Oracle-HTT
0x00a0: 502d 5365 7276 6572 0d0a 436f 6e6e 6563 P-Server..Connec
0x00b0: 7469 6f6e 3a20 636c 6f73 650d 0a43 6f6e tion:.close..Con
0x00c0: 7465 6e74 2d54 7970 653a 2074 6578 742f tent-Type:.text/
0x00d0: 6874 6d6c 3b20 6368 6172 7365 743d 6973 html;.charset=is
0x00e0: 6f2d 3838 3539 2d31 0d0a 0d0a o-8859-1....
Ben Hollingsworth
Systems Programmer, BryanLGH Health System
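As an added example (not part of the original message), the sketch below reads `tcpdump -X` text like the capture above, strips the IPv4 and TCP headers, lists each HTTP message start, and flags a non-GET request answered with 301, 302 or 303, the redirect codes after which a client may (301, 302) or will (303) re-issue the request as GET, whereas 307 and 308 require the method to be kept. `DUMP` holds the first hex rows of three packets copied from the capture; the function names are illustrative.

```python
import re

# Excerpt of the capture in the message above: first hex rows of three packets.
DUMP = """\
16:03:13.709530 IP musketeers-dmz1.bryanlgh.org.44829 > 192.168.2.67.http: P 1:1051(1050) ack 1 win 8192
0x0000: 4500 0442 4cd9 4000 ff06 a540 c0a8 0208 E..BL.@....@....
0x0010: c0a8 0243 af1d 0050 ec76 f273 507b a5b9 ...C...P.v.sP{..
0x0020: 5018 2000 290d 0000 504f 5354 202f 706c P...)...POST./pl
16:03:13.709926 IP 192.168.2.67.http > musketeers-dmz1.bryanlgh.org.44829: P 1:33(32) ack 1170 win 7350
0x0000: 4500 0048 26c1 4000 4006 8e53 c0a8 0243 E..H&.@.@..S...C
0x0010: c0a8 0208 0050 af1d 507b a5b9 ec76 f704 .....P..P{...v..
0x0020: 5018 1cb6 85d6 0000 4854 5450 2f31 2e30 P.......HTTP/1.0
0x0030: 2033 3031 204d 6f76 6564 2050 6572 6d61 .301.Moved.Perma
16:03:13.718473 IP revproxy.bryanlgh.org.40293 > 172.22.66.206.http: P 1:1127(1126) ack 1 win 5840
0x0000: 4500 048e def8 4000 4006 a5a4 c0a8 0240 E.....@.@......@
0x0010: ac16 42ce 9d65 0050 5058 5dfa 1aef 2b43 ..B..e.PPX]...+C
0x0020: 5018 16d0 b64d 0000 4745 5420 2f70 6c73 P....M..GET./pls
"""

def packets(dump):
    """Return [src, dst, tcp_payload] for each packet in `tcpdump -X` text."""
    out = []
    for line in dump.splitlines():
        head = re.match(r"\S+ IP (\S+) > (\S+): ", line)
        if head:
            out.append([head.group(1), head.group(2), b""])
        elif out and re.match(r"\s*0x[0-9a-f]{4}:", line):
            # Tokens: offset, hex groups..., ASCII column (always the last token).
            out[-1][2] += bytes.fromhex("".join(line.split()[1:-1]))
    for pkt in out:
        ihl = (pkt[2][0] & 0x0F) * 4         # IPv4 header length
        doff = (pkt[2][ihl + 12] >> 4) * 4   # TCP header length (data offset)
        pkt[2] = pkt[2][ihl + doff:]
    return out

def messages(dump):
    """Return (src, dst, METHOD-or-status) for each packet that starts an HTTP message."""
    found = []
    for src, dst, data in packets(dump):
        m = re.match(rb"HTTP/\d\.\d (\d{3})|([A-Z]+) /", data)
        if m:
            found.append((src, dst, int(m.group(1)) if m.group(1) else m.group(2).decode()))
    return found

def unsafe_redirects(dump):
    """Non-GET requests answered with a redirect that permits a switch to GET."""
    msgs = messages(dump)
    return [(a[2], b[2]) for a, b in zip(msgs, msgs[1:])
            if isinstance(a[2], str) and a[2] not in ("GET", "HEAD")
            and a[:2] == (b[1], b[0]) and b[2] in (301, 302, 303)]
```

On this excerpt `messages(DUMP)` yields POST, 301, GET in order and `unsafe_redirects(DUMP)` reports the POST/301 pair.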