Bug 50332

Summary: mod_proxy_http is not aware of SSL handshake failures
Product: Apache httpd-2
Reporter: Daniel Ruggeri <DRuggeri>
Component: mod_proxy_http
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: enhancement
CC: DRuggeri
Priority: P2
Keywords: ErrorMessage, FixedInTrunk, NeedsReleaseNote, PatchAvailable
Version: 2.2.17   
Target Milestone: ---   
Hardware: All   
OS: All   
Attachments: mod_ssl -> mod_proxy note via conn_rec
Final
Final trunk patch
Added mod_proxy_http SSL error message
Added mod_proxy_http SSL error message (trunk)
Added mod_proxy_http SSL error message (2.2.x)
Added mod_proxy_http SSL error message (trunk)
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR
trunk patch - using HTTP_INTERNAL_SERVER_ERROR
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR
Updated patch for 2.2.x based on r1039304 and r1053584.

Description Daniel Ruggeri 2010-11-24 17:27:16 UTC
Created attachment 26337
mod_ssl -> mod_proxy note via conn_rec

In the event an SSL handshake from the httpd proxy to a backend fails, mod_proxy is not aware until it attempts to pass the request.

To duplicate, simply stand up an openssl s_server like so:
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8001 -Verify 1
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8002

And set up a balancer like so:
<Proxy balancer://mycluster>
   BalancerMember https://127.0.0.1:8001
   BalancerMember https://127.0.0.1:8002
</Proxy>

ProxyPass /test/ balancer://mycluster/



You will find that all requests to /test will attempt to connect, but fail on the first member. Worse yet, since no request ever gets through, the balancer never considers the next member for usage.

The attached patch utilizes a note on the conn_rec for mod_proxy_http to recognize that a failure has occurred. If a failure has been found, it's too late for that request, but the worker used is put in error state.

I am investigating as to whether or not this is needed for 2.3.
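
The failure mode and the fix described in this report, as an added C model (not httpd source and not the attached patch): a TLS layer leaves a note on the connection when the handshake fails, and the proxy marks the worker in error only if it honors that note. All type and function names are hypothetical, the first-available member selection is a simplification, and the 503 for "no usable worker" is an assumption of the model.

```c
#include <stdio.h>

/* Simplified model; every name below is hypothetical, not httpd's API. */
typedef struct { const char *url; int requires_client_cert; int in_error; } worker_t;
typedef struct { const char *ssl_note; } conn_t; /* stands in for a note on conn_rec */

/* TLS layer: a backend started with -Verify rejects a proxy that has no
 * client certificate; record the failure as a note on the connection. */
static int tls_handshake(conn_t *c, const worker_t *w) {
    c->ssl_note = NULL;
    if (w->requires_client_cert) {
        c->ssl_note = "handshake-failed";
        return -1;
    }
    return 0;
}

/* Balancer: pick the first member that is not in error state. */
static worker_t *pick_worker(worker_t *ws, int n) {
    for (int i = 0; i < n; i++)
        if (!ws[i].in_error) return &ws[i];
    return NULL;
}

/* Proxy one request. honor_note == 0 models the behaviour before the patch. */
static int proxy_request(worker_t *ws, int n, int honor_note) {
    conn_t c;
    worker_t *w = pick_worker(ws, n);
    if (!w) return 503;                      /* assumption: no usable member */
    if (tls_handshake(&c, w) == 0) return 200;
    if (honor_note && c.ssl_note)
        w->in_error = 1;                     /* take the member out of rotation */
    return 500;                              /* too late for this request */
}

/* Send `count` requests through a fresh two-member balancer (the setup from
 * the report) and return how many got a 200. */
int run_scenario(int honor_note, int count) {
    worker_t ws[2] = { { "https://127.0.0.1:8001", 1, 0 },
                       { "https://127.0.0.1:8002", 0, 0 } };
    int ok = 0;
    for (int i = 0; i < count; i++)
        if (proxy_request(ws, 2, honor_note) == 200) ok++;
    return ok;
}

int main(void) {
    printf("note ignored: %d of 5 requests succeed\n", run_scenario(0, 5));
    printf("note honored: %d of 5 requests succeed\n", run_scenario(1, 5));
    return 0;
}
```

With the note ignored every request keeps landing on the failing member; with it honored only the first request is lost and the rest reach the second member.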
Comment 1 Daniel Ruggeri 2010-11-24 23:33:37 UTC
Created attachment 26338
Final
Comment 2 Daniel Ruggeri 2010-11-24 23:33:58 UTC
Created attachment 26339
Final trunk patch
Comment 3 Daniel Ruggeri 2010-11-24 23:35:41 UTC
Patch to do the same on httpd-trunk is attached now.
Comment 4 Daniel Ruggeri 2010-11-25 09:55:35 UTC
Created attachment 26341
Added mod_proxy_http SSL error message
Comment 5 Daniel Ruggeri 2010-11-25 09:56:18 UTC
Created attachment 26342
Added mod_proxy_http SSL error message (trunk)
Comment 6 Daniel Ruggeri 2010-11-25 09:57:47 UTC
Created attachment 26343
Added mod_proxy_http SSL error message (2.2.x)

Obsoleted the wrong patch...
Comment 7 Daniel Ruggeri 2010-11-25 09:58:28 UTC
Created attachment 26344
Added mod_proxy_http SSL error message (trunk)

Uploaded the wrong patch
Comment 8 Daniel Ruggeri 2010-11-25 10:59:50 UTC
Created attachment 26345
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR
Comment 9 Daniel Ruggeri 2010-11-25 11:00:10 UTC
Created attachment 26346
trunk patch - using HTTP_INTERNAL_SERVER_ERROR
Comment 10 Ruediger Pluem 2010-11-26 05:35:50 UTC
Committed as r1039304.
Comment 11 Daniel Ruggeri 2010-12-04 10:49:28 UTC
Created attachment 26374
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR

Removed STATUS proposal from this patch - submitting to DEV list separately.
Comment 12 Ruediger Pluem 2010-12-29 04:52:26 UTC
Created attachment 26450
Updated patch for 2.2.x based on r1039304 and r1053584.
Comment 13 Ruediger Pluem 2011-02-11 07:31:21 UTC
Backported to 2.2.x as r1069773.