Bug 11232

Summary: Proxy's CONNECT hangs
Product: Apache httpd-2
Reporter: Dmitry <sdo>
Component: mod_proxy
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE
Severity: normal
CC: emmanuel.e, rsnel
Priority: P3
Version: 2.0.52
Target Milestone: ---
Hardware: PC
OS: Windows XP

Description Dmitry 2002-07-27 17:59:09 UTC
Configured Apache as proxy. Proxy for regular HTTP requests works great. The
server seems to accept the proxy request from a browser for an HTTPS connection
properly, but hangs in CONNECT for an unknown reason.

The debug-level error log contains:

proxy_connect.c(115): proxy: CONNECT: canonicalising URL investment.datek.com:443
mod_proxy.c(461): Trying to run scheme_handler
proxy_http.c(1036): proxy: HTTP: declining URL investment.datek.com:443
proxy_ftp.c(819): proxy: FTP: declining URL investment.datek.com:443 - not ftp:
proxy_connect.c(148): proxy: CONNECT: serving URL investment.datek.com:443
proxy_connect.c(164): proxy: CONNECT: connecting investment.datek.com:443 to investment.datek.com:443
proxy_connect.c(181): proxy: CONNECT: connecting to remote proxy investment.datek.com on port 443
proxy_util.c(1167): proxy: CONNECT: fam 2 socket created to connect to investment.datek.com
proxy_connect.c(275): proxy: CONNECT: Returning 200 OK Status
proxy_connect.c(296): proxy: CONNECT: setting up poll()

The configuration file contains the following related statements:

....
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule ssl_module modules/mod_ssl.so
....

<IfModule mod_proxy.c>
ProxyRequests On
AllowCONNECT 443 563
SSLProxyEngine On

<Proxy *>
    Order deny,allow
    Deny from all
    Allow from all
</Proxy>
ProxyVia On

</IfModule>


Access log contains:

192.168.0.1 - - "CONNECT investment.datek.com:443 HTTP/1.0" 200 -
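
The symptom in this report (the proxy logs "Returning 200 OK Status" and the access log shows 200, yet the client hangs) can be checked from the client side with a probe like the one below. It is an added example, not part of the original report or of Apache's code; the function name `probe_connect`, its return labels and the `payload` argument (any bytes the target is expected to answer or reject) are assumptions made for illustration.

```python
import socket

def probe_connect(proxy_addr, target, payload, timeout=3.0):
    """Send CONNECT to a forward proxy, then test whether the tunnel relays.

    Returns "no-response", "rejected:<code>", "tunnel-stalled",
    "tunnel-closed" or "tunnel-ok".
    """
    with socket.create_connection(proxy_addr, timeout=timeout) as s:
        request = f"CONNECT {target} HTTP/1.0\r\nHost: {target}\r\n\r\n"
        s.sendall(request.encode("ascii"))
        head = b""
        try:
            # Read the proxy's reply up to the end of its header block.
            while b"\r\n\r\n" not in head:
                chunk = s.recv(4096)
                if not chunk:
                    break
                head += chunk
        except OSError:
            # Covers timeouts and resets before a full reply arrived.
            return "no-response"
        fields = head.split(b"\r\n", 1)[0].decode("latin-1").split()
        if len(fields) < 2 or not fields[1].isdigit():
            return "no-response"
        if fields[1] != "200":
            return "rejected:" + fields[1]
        # Bytes after the blank line already came through the tunnel.
        if head.partition(b"\r\n\r\n")[2]:
            return "tunnel-ok"
        try:
            s.sendall(payload)
            data = s.recv(4096)
        except socket.timeout:
            # 200 was returned but nothing is relayed: the symptom reported here.
            return "tunnel-stalled"
        except OSError:
            return "tunnel-closed"
        return "tunnel-ok" if data else "tunnel-closed"
```

A result of "tunnel-stalled" separates a proxy that accepted CONNECT but relays nothing from one that refused the request or whose target closed the connection.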
Comment 1 Joshua Slive 2002-10-17 02:35:33 UTC
[This is a mass bug update.]
This bug reports a problem in an older version of Apache 2.
Could you please update to the most recent version and see
if you can reproduce this problem.  If the bug still exists,
please update the bug with the latest version number.  If 
the bug no longer exists, please close the bug report.

Sorry for this impersonal response, but we get many more bug
reports than our volunteers can keep up with.
Thanks for using Apache!
Comment 2 Joshua Slive 2002-11-02 20:18:55 UTC
[This is a mass bug update.] [Resolve-20021102]
No response from submitter; assuming issue is resolved.
If the problem still exists in the latest version,
please reopen this report and update appropriately.
Comment 3 Emmanuel Elango 2005-06-03 08:50:12 UTC
The bug exists in version 2.0.52 also. I am using the precompiled binary from
http://www.apache.org/dyn/closer.cgi/perl/win32-bin/
Comment 4 Emmanuel Elango 2005-06-08 10:34:09 UTC
The bug disappeared when I hotfixed the Apache 2.0.52 version Perl Win32
binary with the files of the 2.0.54 version. 

However the bug reappeared when SSL was enabled and the proxy was being run on
an SSL. Normal GET and POST requests work fine even when the proxy is SSL
enabled (i.e. the requests to the proxy server itself are encrypted).

mod_ssl and mod_proxy_connect do not seem to be compatible.

Will test on apache 1xx and see if the bug exists.

I wonder why everyone has to be so dependent on OpenSSL. Why can't we have a
stable windows port?
Comment 5 Emmanuel Elango 2005-06-08 16:02:48 UTC
The bug exists in Apache 1.3 also.

My setup is like this:

Client->[ssl encrypted connection to proxy]<->Apache Proxy on SSL enabled
server<->[normal connection to remote server]<->Remote server.

Basically the connection between the client and the apache proxy is encrypted.
Once the client has established a secure connection with the proxy it sends a
normal proxy request. This request works fine as long as it's a GET or POST
request. When after establishing the secure channel the client sends a CONNECT
then the connection abruptly fails.

Possibly mod_ssl is not able to handle a stream of unknown length.

I have tested this on Win32. 

Any tips?
Comment 6 Rik Snel 2005-06-18 21:13:19 UTC
Bug 29744 seems to be a duplicate of this bug. Patches for apache 2.1.x and
2.0.x are available at http://issues.apache.org/bugzilla/show_bug.cgi?id=29744
Comment 7 Emmanuel Elango 2005-06-19 18:22:52 UTC
Yes, it seems to be a duplicate of bug 29744. Thanks a lot. How do I go about
compiling it for Win32? Then we can be sure that it's the same thing.

Any ideas on how to get it accepted into the main development tree as soon as
possible? Joshua, can you help?
Comment 8 Paul Querna 2005-06-20 01:25:15 UTC
Bug #29744 has more details, marking this one as dup.

*** This bug has been marked as a duplicate of 29744 ***