From joshua.roys at gtri.gatech.edu Mon May 10 20:50:43 2010
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Mon, 10 May 2010 16:50:43 -0400
Subject: [Mod_nss-list] working with mod_proxy
Message-ID: <4BE871A3.6030108@gtri.gatech.edu>

Hello,

I was wondering if there are any outstanding issues (or patches) concerning mod_nss working with mod_proxy?

I ask because we've tried a vanilla httpd/mod_proxy with mod_nss and also a patched mod_proxy as per http://directory.fedoraproject.org/docs/mod_nss.html#FAQ (which didn't compile without some editing: the #if ... above the first hunk needed to be changed to #if 0). Neither seems to proxy properly.

Thanks,
Josh

From rcritten at redhat.com Mon May 10 21:03:37 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 10 May 2010 17:03:37 -0400
Subject: [Mod_nss-list] working with mod_proxy
In-Reply-To: <4BE871A3.6030108@gtri.gatech.edu>
References: <4BE871A3.6030108@gtri.gatech.edu>
Message-ID: <4BE874A9.8030603@redhat.com>

Joshua Roys wrote:
> Hello,
>
> I was wondering if there are any outstanding issues (or patches)
> concerning mod_nss working with mod_proxy?
>
> I ask because we've tried a vanilla httpd/mod_proxy with mod_nss and
> also a patched mod_proxy as per
> http://directory.fedoraproject.org/docs/mod_nss.html#FAQ (which didn't
> compile without some editing: the #if ... above the first hunk needed to
> be changed to #if 0). Neither seems to proxy properly.

Gah, I need to fix that FAQ it seems...

If you have mod_nss 1.0.8 then you should be ok with mod_proxy as long as mod_ssl isn't loaded into Apache (really, even if you don't use it, the shared library being loaded is enough to cause problems).

mod_proxy provides a couple of hooks for SSL. It provides no registration mechanism so that multiple SSL providers can duke things out, so there can be only one. In mod_nss I defer to let mod_ssl have the hooks if its shared library is loaded. Otherwise mod_nss grabs those. They are required if you want to do proxying.

This is I think the only case where mod_nss and mod_ssl don't play so nice; otherwise they can be loaded together and work fine.

With that done you should be all set.

regards

rob

From joshua.roys at gtri.gatech.edu Tue May 11 13:57:11 2010
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Tue, 11 May 2010 09:57:11 -0400
Subject: [Mod_nss-list] working with mod_proxy
In-Reply-To: <4BE874A9.8030603@redhat.com>
References: <4BE871A3.6030108@gtri.gatech.edu> <4BE874A9.8030603@redhat.com>
Message-ID: <4BE96237.9020404@gtri.gatech.edu>

On 05/10/2010 05:03 PM, Rob Crittenden wrote:
> Gah, I need to fix that FAQ it seems...
>
> If you have mod_nss 1.0.8 then you should be ok with mod_proxy as long
> as mod_ssl isn't loaded into Apache (really, even if you don't use it,
> the shared library being loaded is enough to cause problems).
>

Thanks, it does indeed work - almost. Now it is complaining about not knowing a name for something and tells us to look at Apache bug 36468. The patch in that bug seems to no longer apply... help!

Thanks,
Josh

From rcritten at redhat.com Tue May 11 14:28:53 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 11 May 2010 10:28:53 -0400
Subject: [Mod_nss-list] working with mod_proxy
In-Reply-To: <4BE96237.9020404@gtri.gatech.edu>
References: <4BE871A3.6030108@gtri.gatech.edu> <4BE874A9.8030603@redhat.com> <4BE96237.9020404@gtri.gatech.edu>
Message-ID: <4BE969A5.9020807@redhat.com>

Joshua Roys wrote:
> On 05/10/2010 05:03 PM, Rob Crittenden wrote:
>> Gah, I need to fix that FAQ it seems...
>>
>> If you have mod_nss 1.0.8 then you should be ok with mod_proxy as long
>> as mod_ssl isn't loaded into Apache (really, even if you don't use it,
>> the shared library being loaded is enough to cause problems).
>>
>
> Thanks, it does indeed work - almost. Now it is complaining about not
> knowing a name for something and tells us to look at Apache bug 36468.
> The patch in that bug seems to no longer apply... help!

Yeah, that patch was for the 2.0.x version of Apache IIRC and lots has changed since. What version of Apache do you have and what distro are you running?

This patch should apply to Apache 2.2.x and address the problem:

--- httpd-2.2.3/modules/proxy/proxy_util.c.orig
+++ httpd-2.2.3/modules/proxy/proxy_util.c
@@ -2432,6 +2432,7 @@ PROXY_DECLARE(int) ap_proxy_connection_c
 
     /* For ssl connection to backend */
     if (conn->is_ssl) {
+        conn->connection->remote_host = conn->hostname;
         if (!ap_proxy_ssl_enable(conn->connection)) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0,
                          s, "proxy: %s: failed to enable ssl support "

rob
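Review bot: the added line `conn->connection->remote_host = conn->hostname;` is unguarded; if conn->hostname is NULL at this point (nothing in the hunk shows it being required earlier) the SSL hook still has no name to compare the backend certificate against and the "not knowing a name" symptom stays, so test for a NULL hostname and log it through the same ap_log_error path the hunk already has for the "failed to enable ssl support" case instead of continuing silently. The assignment also needs a one-line comment: remote_host on a conn_rec normally carries the resolved name of the peer, and here it is being repurposed to carry the name mod_proxy dialed so that the SSL provider can verify the certificate; without that note the next reader will take it for a stray hostname-lookup write. Finally, the pointer is aliased rather than copied into the connection's pool, so confirm that conn->hostname lives at least as long as conn->connection when backend connections are reused.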
From joshua.roys at gtri.gatech.edu Tue May 11 15:26:43 2010
From: joshua.roys at gtri.gatech.edu (Joshua Roys)
Date: Tue, 11 May 2010 11:26:43 -0400
Subject: [Mod_nss-list] working with mod_proxy
In-Reply-To: <4BE969A5.9020807@redhat.com>
References: <4BE871A3.6030108@gtri.gatech.edu> <4BE874A9.8030603@redhat.com> <4BE96237.9020404@gtri.gatech.edu> <4BE969A5.9020807@redhat.com>
Message-ID: <4BE97733.5030009@gtri.gatech.edu>

On 05/11/2010 10:28 AM, Rob Crittenden wrote:
>
> Yeah, that patch was for the 2.0.x version of Apache IIRC and lots has
> changed since. What version of Apache do you have and what distro are
> you running?
>
> This patch should apply to Apache 2.2.x and address the problem:
>
> --- httpd-2.2.3/modules/proxy/proxy_util.c.orig
> +++ httpd-2.2.3/modules/proxy/proxy_util.c
> @@ -2432,6 +2432,7 @@ PROXY_DECLARE(int) ap_proxy_connection_c
>
>     /* For ssl connection to backend */
>     if (conn->is_ssl) {
> +        conn->connection->remote_host = conn->hostname;
>         if (!ap_proxy_ssl_enable(conn->connection)) {
>             ap_log_error(APLOG_MARK, APLOG_ERR, 0,
>                          s, "proxy: %s: failed to enable ssl support "
>
> rob

We're on F12 with httpd 2.2.14. We'll give that a try - thanks again!

Josh

From staver at fimble.com Sat May 29 18:35:32 2010
From: staver at fimble.com (Mike Staver)
Date: Sat, 29 May 2010 12:35:32 -0600 (MDT)
Subject: [Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8
Message-ID: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com>

I'm running Solaris 10 with self compiled:

Apache 2.2.15
mod_nss 1.0.8
nss 3.12.6
nspr 4.8.4

I have all of those successfully compiled and working together, for the most part. I compiled apache so that I had apxs and all the proxy modules. I now have all my CRLs updated in the NSS database, and Apache is working very nicely with it that way. The problem comes into play when I try to set up a proxy. I've set up a lot of proxies before here with mod_ssl, and everything was cool. However, now I'm trying to get it to work with mod_nss, and I don't *think* I have mod_ssl even compiled in on this box, and I certainly don't have it loading the config file which just showed up by default. The error I'm getting is:

[error] proxy: pass request body failed to 10.0.0.25:443 (10.0.0.25) from 10.0.0.75 ()

I can get to the 10.0.0.75 box fine from a web browser over SSL. I can ping and see the open port 443 from the proxy web server, so it's not a network issue or anything like that.

I've read that the problem could stem from some existing mod_ssl libraries being loaded somewhere. Can somebody tell me how to check for that, and possibly remedy that? Or do I possibly have another problem here that I'm not seeing?

From rcritten at redhat.com Fri May 28 19:29:08 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 May 2010 15:29:08 -0400
Subject: [Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8
In-Reply-To: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com>
References: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com>
Message-ID: <4C001984.1020509@redhat.com>

Mike Staver wrote:
> I'm running Solaris 10 with self compiled:
>
> Apache 2.2.15
> mod_nss 1.0.8
> nss 3.12.6
> nspr 4.8.4
>
> I have all of those successfully compiled and working together, for the
> most part. I compiled apache so that I had apxs and all the proxy modules.
> I now have all my CRLs updated in the NSS database, and Apache is working
> very nicely with it that way. The problem comes into play when I try to
> set up a proxy. I've set up a lot of proxies before here with mod_ssl, and
> everything was cool. However, now I'm trying to get it to work with
> mod_nss, and I don't *think* I have mod_ssl even compiled in on this box,
> and I certainly don't have it loading the config file which just showed up
> by default. The error I'm getting is:
>
> [error] proxy: pass request body failed to 10.0.0.25:443 (10.0.0.25) from
> 10.0.0.75 ()
>
> I can get to the 10.0.0.75 box fine from a web browser over SSL. I can
> ping and see the open port 443 from the proxy web server, so it's not a
> network issue or anything like that.
>
> I've read that the problem could stem from some existing mod_ssl libraries
> being loaded somewhere. Can somebody tell me how to check for that, and
> possibly remedy that? Or do I possibly have another problem here that I'm
> not seeing?

mod_proxy provides a single interface for registering the SSL functions it needs. Since mod_ssl blindly registers when it loads, mod_nss skips it if it detects mod_ssl. So yes, merely having a 'LoadModule ssl_module modules/mod_ssl.so' somewhere in the configuration is enough to make mod_nss not work with mod_proxy.
Note that some recent changes for the mod_nss/mod_proxy interaction were pushed out to the source HEAD recently. You'll probably want to pull the source from CVS if you're using the 1.0.8 tarball. This will let mod_nss work with mod_proxy as a reverse SSL proxy.

rob

From staver at fimble.com Sat May 29 18:44:57 2010
From: staver at fimble.com (Mike Staver)
Date: Sat, 29 May 2010 12:44:57 -0600 (MDT)
Subject: [Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8
In-Reply-To: <4C001984.1020509@redhat.com>
References: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com> <4C001984.1020509@redhat.com>
Message-ID: <4602.159.133.5.133.1275158697.squirrel@www.countryinthevillage.com>

> mod_proxy provides a single interface for registering the SSL functions
> it needs. Since mod_ssl blindly registers when it loads, mod_nss skips it
> if it detects mod_ssl. So yes, merely having a 'LoadModule ssl_module
> modules/mod_ssl.so' somewhere in the configuration is enough to make
> mod_nss not work with mod_proxy.
>
> Note that some recent changes for the mod_nss/mod_proxy interaction were
> pushed out to the source HEAD recently. You'll probably want to pull the
> source from CVS if you're using the 1.0.8 tarball. This will let mod_nss
> work with mod_proxy as a reverse SSL proxy.

Thanks - I'm confident that I'm not loading mod_ssl with my Apache config if that's the only way it's done. In fact, I didn't even compile it on this machine... However, OpenSSL is installed in another directory and I can't imagine it would impact this, but then again, I know next to nothing about this software :)

How stable would you say the latest is? I'd like to use this on a production server if possible.
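Mike asks how to check for the condition Rob quotes above: an active 'LoadModule ssl_module' anywhere in the configuration is enough for mod_nss to step aside from mod_proxy's SSL hooks. The script below is an added example, not code from the list or from the mod_nss project; it scans the main config plus one level of Include/IncludeOptional for an uncommented LoadModule ssl_module line. The ServerRoot, config path and the conf.d/*.conf layout in its usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing list or the mod_nss project.
# Rob's condition: mod_proxy has a single SSL hook registration and mod_nss
# defers to mod_ssl whenever mod_ssl.so is loaded, so one active
# "LoadModule ssl_module" in any included file breaks mod_nss + mod_proxy.
#
# mod_ssl_loaded SERVER_ROOT CONFIG_FILE
#   prints FILE:LINE:DIRECTIVE for each active LoadModule ssl_module,
#   returns 0 if at least one was found, 1 otherwise.
#   Relative Include paths resolve against SERVER_ROOT, as httpd does;
#   includes are followed one level deep (enough for conf.d/*.conf).

# Anchoring on optional leading whitespace only skips "#LoadModule ..." lines.
LOADMOD_RE='^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'

# scan_file FILE -> prints matches prefixed with FILE:, returns 0 if any
scan_file() {
    out=$(grep -nE "$LOADMOD_RE" "$1" 2>/dev/null || true)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | sed "s|^|$1:|"
    return 0
}

mod_ssl_loaded() {
    root="$1"
    conf="$2"
    hits=1
    scan_file "$conf" && hits=0
    # Collect the path argument of each Include / IncludeOptional (quotes
    # tolerated). Globbing is off while splitting so a pattern such as
    # conf.d/*.conf stays literal until it is expanded under SERVER_ROOT.
    set -f
    set -- $(sed -nE 's/^[[:space:]]*Include(Optional)?[[:space:]]+"?([^"[:space:]]+)"?.*/\2/p' "$conf")
    set +f
    for inc in "$@"; do
        case "$inc" in
            /*) pat="$inc" ;;
            *)  pat="$root/$inc" ;;
        esac
        for f in $pat; do            # unquoted on purpose: expand the glob
            [ -f "$f" ] || continue
            scan_file "$f" && hits=0
        done
    done
    return "$hits"
}

# Stand-alone use (paths are assumptions): 
#   sh check_mod_ssl.sh /etc/httpd /etc/httpd/conf/httpd.conf
if [ "$#" -ge 2 ]; then
    mod_ssl_loaded "$1" "$2"
fi
```

A non-zero exit with no output means no active mod_ssl LoadModule was found in the files scanned. On a running server, `httpd -M` (a synonym for `-t -D DUMP_MODULES`) lists every module the configuration would actually load, including ones pulled in by deeper includes this one-level scan does not follow.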
From rcritten at redhat.com Fri May 28 19:46:31 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 May 2010 15:46:31 -0400
Subject: [Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8
In-Reply-To: <4602.159.133.5.133.1275158697.squirrel@www.countryinthevillage.com>
References: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com> <4C001984.1020509@redhat.com> <4602.159.133.5.133.1275158697.squirrel@www.countryinthevillage.com>
Message-ID: <4C001D97.9010107@redhat.com>

Mike Staver wrote:
>> mod_proxy provides a single interface for registering the SSL functions
>> it needs. Since mod_ssl blindly registers when it loads, mod_nss skips it
>> if it detects mod_ssl. So yes, merely having a 'LoadModule ssl_module
>> modules/mod_ssl.so' somewhere in the configuration is enough to make
>> mod_nss not work with mod_proxy.
>>
>> Note that some recent changes for the mod_nss/mod_proxy interaction were
>> pushed out to the source HEAD recently. You'll probably want to pull the
>> source from CVS if you're using the 1.0.8 tarball. This will let mod_nss
>> work with mod_proxy as a reverse SSL proxy.
>
> Thanks - I'm confident that I'm not loading mod_ssl with my Apache config
> if that's the only way it's done. In fact, I didn't even compile it on
> this machine... However, OpenSSL is installed in another directory and I
> can't imagine it would impact this, but then again, I know next to nothing
> about this software :)

Heh, no, the mod_ssl module needs to be loaded for this to be a problem; the openssl libraries aren't a problem.

You might try cranking up the LogLevel to debug and see if you get any interesting data out.

> How stable would you say the latest is? I'd like to use this on a
> production server if possible.

I may be biased but I think it's stable. It's the default SSL engine for the 389-ds admin server, is used in freeIPA and a few other open source projects. It's been available in Fedora for several years now.
regards

rob

From rcritten at redhat.com Fri May 28 20:18:29 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 28 May 2010 16:18:29 -0400
Subject: [Mod_nss-list] Mod_nss newbie here - issue with mod_proxy and mod_nss 1.0.8
In-Reply-To: <1057.159.133.5.133.1275160944.squirrel@www.countryinthevillage.com>
References: <4506.159.133.5.133.1275158132.squirrel@www.countryinthevillage.com> <4C001984.1020509@redhat.com> <4602.159.133.5.133.1275158697.squirrel@www.countryinthevillage.com> <4C001D97.9010107@redhat.com> <1057.159.133.5.133.1275160944.squirrel@www.countryinthevillage.com>
Message-ID: <4C002515.3080205@redhat.com>

Mike Staver wrote:
>> I may be biased but I think it's stable. It's the default SSL engine for
>> the 389-ds admin server, is used in freeIPA and a few other open source
>> projects. It's been available in Fedora for several years now.
>
> Thanks. Maybe I'm clearly missing something obvious, but I attached the
> output from my log file. The only errors I see are about untrusted certs,
> which I can't use yet. When we go to prod, obviously we'll have those.
> That can't be the problem, can it?
>

Ok, a couple of comments:

The untrusted cert error here is that the SSL server cert being used isn't trusted. You might want to look at the gencert script included in the mod_nss source tree. It will create an NSS cert database with a self-signed CA and a server cert (and it throws in a user cert to boot). If you use this you won't have the untrusted cert error.

For SSL to work as designed you want the name of the host you are requesting to match the value of the CN in the remote server. So if you request www.example.com and get back unsafe.hacker.org then you have a problem (or even test.example.com). If the remote host doesn't match what we're requesting, then mod_nss is going to reject the request. I suspect that is what is going on here.

This is exactly what is fixed in the mod_nss HEAD. mod_proxy wasn't setting the hostname anywhere so mod_nss had no way of comparing values.
I had an ancient patch included in the FAQ at one time, dating back to Apache 2.0. That tended to cause more confusion than it helped though :-(

I think you need to modify your Proxy rules to use the FQDN instead of the IP address unless the SSL server at 10.0.0.75 has the IP address in the CN of the subject.

rob
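Rob's two points above, that the TLS client side of the proxy must have the name it asked for so it can compare it with the server certificate, and that a ProxyPass to an IP address only works if the certificate was issued for that IP, as a stand-alone name check. This is an added example, not code from mod_nss, NSS or httpd: the CertNames record, hostname_matches and every certificate value in it are constructed for illustration. It goes a little beyond the thread by checking subjectAltName entries first and treating the CN only as a fallback for certificates without a SAN, which is how modern clients behave.

```python
"""Added example; not code from the mailing list, mod_nss, NSS or httpd.

Models the name check a TLS client performs on a server certificate. Shows
why a proxy that connects by IP address fails against a certificate issued
to an FQDN, and why a missing hostname (the unpatched mod_proxy case in the
thread) cannot be verified at all. Certificate data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity fields of a server certificate (constructed, not parsed)."""
    common_name: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match. A single '*' is accepted only as the whole
    leftmost label, and only when at least two labels follow it, so
    '*.example.com' matches 'www.example.com' but not 'example.com',
    'a.b.example.com', or anything directly under a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(requested: Optional[str], cert: CertNames) -> Tuple[bool, str]:
    """Decide whether the name the proxy connected to is covered by the
    certificate. Returns (ok, reason) so the caller can log why it failed."""
    if not requested:
        # The unpatched mod_proxy situation: no name was handed to the SSL layer.
        return False, "no hostname supplied for the backend; nothing to verify against"
    if _is_ip(requested):
        wanted = ipaddress.ip_address(requested)
        if any(ipaddress.ip_address(ip) == wanted for ip in cert.san_ip):
            return True, "matched iPAddress SAN"
        # Legacy fallback: an IP literal in the CN counts only when no SAN exists.
        if (not cert.san_dns and not cert.san_ip and cert.common_name
                and _is_ip(cert.common_name)
                and ipaddress.ip_address(cert.common_name) == wanted):
            return True, "matched IP literal in CN (certificate has no SAN)"
        return False, "certificate is not issued for IP address %s" % requested
    if cert.san_dns:
        if any(_dns_match(p, requested) for p in cert.san_dns):
            return True, "matched dNSName SAN"
        return False, "no dNSName SAN covers %s" % requested
    if cert.common_name and _dns_match(cert.common_name, requested):
        return True, "matched CN (certificate has no SAN)"
    return False, "CN %r does not match %s" % (cert.common_name, requested)


if __name__ == "__main__":
    # Constructed backend certificate issued to an FQDN, as in the thread:
    # ProxyPass by IP fails, ProxyPass by name succeeds.
    backend = CertNames(common_name="backend.example.com",
                        san_dns=["backend.example.com"])
    for name in ("10.0.0.75", "backend.example.com", None):
        print(name, hostname_matches(name, backend))
```

The reason string is what you would want in the proxy's error log: "not issued for IP address" points straight at Rob's advice to use the FQDN in the Proxy rules, while "no hostname supplied" is the case the HEAD change in mod_nss and the proxy_util.c patch earlier in the thread address.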