Bug 50332 - mod_proxy_http is not aware of SSL handshake failures
mod_proxy_http is not aware of SSL handshake failures
Status: RESOLVED FIXED
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http
2.2.17
All All
: P2 enhancement (vote)
: ---
Assigned To: Apache HTTPD Bugs Mailing List
: ErrorMessage, FixedInTrunk, NeedsReleaseNote, PatchAvailable
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2010-11-24 17:27 UTC by Daniel Ruggeri
Modified: 2011-02-11 07:31 UTC (History)
1 user (show)



Attachments
mod_ssl -> mod_proxy note via conn_rec (1.96 KB, application/octet-stream)
2010-11-24 17:27 UTC, Daniel Ruggeri
Details
Final (2.06 KB, patch)
2010-11-24 23:33 UTC, Daniel Ruggeri
Details | Diff
Final trunk patch (2.11 KB, patch)
2010-11-24 23:33 UTC, Daniel Ruggeri
Details | Diff
Added mod_proxy_http SSL error message (3.00 KB, application/octet-stream)
2010-11-25 09:55 UTC, Daniel Ruggeri
Details
Added mod_proxy_http SSL error message (trunk) (3.00 KB, patch)
2010-11-25 09:56 UTC, Daniel Ruggeri
Details | Diff
Added mod_proxy_http SSL error message (2.2.x) (3.00 KB, patch)
2010-11-25 09:57 UTC, Daniel Ruggeri
Details | Diff
Added mod_proxy_http SSL error message (trunk) (2.27 KB, patch)
2010-11-25 09:58 UTC, Daniel Ruggeri
Details | Diff
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR (2.87 KB, patch)
2010-11-25 10:59 UTC, Daniel Ruggeri
Details | Diff
trunk patch - using HTTP_INTERNAL_SERVER_ERROR (2.13 KB, patch)
2010-11-25 11:00 UTC, Daniel Ruggeri
Details | Diff
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR (2.13 KB, patch)
2010-12-04 10:49 UTC, Daniel Ruggeri
Details | Diff
Updated patch for 2.2.x based on r1039304 and r1053584. (2.26 KB, patch)
2010-12-29 04:52 UTC, Ruediger Pluem
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Ruggeri 2010-11-24 17:27:16 UTC
Created attachment 26337 [details]
mod_ssl -> mod_proxy note via conn_rec

In the event an SSL handshake from the httpd proxy to a backend fails, mod_proxy is not aware until it attempts to pass the request.

To duplicate, simply stand up an openssl s_server like so:
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8001 -Verify 1
/usr/local/openssl/bin/openssl s_server -cert /root/certs/ssl.crt -key /root/certs/ssl.key -www -accept 8002

And set up a balancer like so:
<Proxy balancer://mycluster>
   BalancerMember https://127.0.0.1:8001
   BalancerMember https://127.0.0.1:8002
</Proxy>

ProxyPass /test/ balancer://mycluster/



You will find that all requests to /test will attempt to connect, but fail on the first member. Worse yet, since no request ever gets through, the balancer never considers the next member for usage.

The attached patch utilizes a note on the conn_rec for mod_proxy_httpd to recognize that a failure has occurred. If a failure has been found, it's too late for that request, but the worker used is put in error state.

I am investigating as to whether or not this is needed for 2.3.
Comment 1 Daniel Ruggeri 2010-11-24 23:33:37 UTC
Created attachment 26338 [details]
Final
Comment 2 Daniel Ruggeri 2010-11-24 23:33:58 UTC
Created attachment 26339 [details]
Final trunk patch
Comment 3 Daniel Ruggeri 2010-11-24 23:35:41 UTC
Patch to do the same on httpd-trunk is attached now.
Comment 4 Daniel Ruggeri 2010-11-25 09:55:35 UTC
Created attachment 26341 [details]
Added mod_proxy_http SSL error message
Comment 5 Daniel Ruggeri 2010-11-25 09:56:18 UTC
Created attachment 26342 [details]
Added mod_proxy_http SSL error message (trunk)
Comment 6 Daniel Ruggeri 2010-11-25 09:57:47 UTC
Created attachment 26343 [details]
Added mod_proxy_http SSL error message (2.2.x)

Obsoleted the wrong patch...
Comment 7 Daniel Ruggeri 2010-11-25 09:58:28 UTC
Created attachment 26344 [details]
Added mod_proxy_http SSL error message (trunk)

Uploaded the wrong patch
Comment 8 Daniel Ruggeri 2010-11-25 10:59:50 UTC
Created attachment 26345 [details]
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR
Comment 9 Daniel Ruggeri 2010-11-25 11:00:10 UTC
Created attachment 26346 [details]
trunk patch - using HTTP_INTERNAL_SERVER_ERROR
Comment 10 Ruediger Pluem 2010-11-26 05:35:50 UTC
Committed as 0.
Comment 11 Daniel Ruggeri 2010-12-04 10:49:28 UTC
Created attachment 26374 [details]
2.2.x patch - using HTTP_INTERNAL_SERVER_ERROR

Removed STATUS proposal from this patch - submitting to DEV list separately.
Comment 12 Ruediger Pluem 2010-12-29 04:52:26 UTC
Created attachment 26450 [details]
Updated patch for 2.2.x based on 1 and 2.
Comment 13 Ruediger Pluem 2011-02-11 07:31:21 UTC
Backported to 2.2.x as 0.