Ticket #578 (closed defect: fixed)

Opened 2 years ago

Last modified 1 year ago

Serving pages from fcgi over SSL with digest auth to Safari fails

Reported by: dominique.brezinski@gmail.com Assigned to: jan
Priority: normal Milestone:
Component: core Version: 1.4.11
Severity: normal Keywords:
Cc: Blocking:
Need Feedback:

Description (Last modified by jan)

Configuration: lighttpd 1.4.11, FreeBSD 6.0, Rails 1.0, MySQL 4.1.16, Safari v2.0.3

lighttpd.conf:

var.appname = "foo"
server.modules = ("mod_rewrite", "mod_accesslog", "mod_fastcgi", "mod_auth")
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/usr/local/etc/lighttpd/server.pem"
server.username = "www"
server.groupname = "www"
server.pid-file = "/var/run/lighttpd.pid"
accesslog.filename = "/var/log/lighttpd/access.log"
server.errorlog = "/var/log/lighttpd/error.log"
server.indexfiles = ("index.html")
url.rewrite = ("/$" => "index.html", "^.*/([^/.]+)$" => "$1.html")
server.document-root = "/usr/local/www/" + appname + "/public/"
server.error-handler-404 = "/dispatch.fcgi"
server.tag = "Commerce Server"
static-file.exclude-extensions = ( ".rb", ".rhtml", ".fcgi", ".cgi" )
auth.backend = "htdigest"
#auth.backend = "plain"
#auth.debug = 1
auth.backend.htdigest.userfile = "/usr/local/etc/lighttpd/htdigest.user"
#auth.backend.plain.userfile = "/usr/local/etc/lighttpd/plain.user"
#debug.log-response-header         = "enable"
#debug.log-request-header = "enable"
#debug.log-request-handling = "enable"
#debug.log-state-handling = "enable"


mimetype.assign = (
        ".css"  => "text/css",
        ".html" => "text/html",
        ".txt"  => "text/plain",
        ".gif"  => "image/gif",
        ".jpeg" => "image/jpeg",
        ".jpg"  => "image/jpeg",
        ".png"  => "image/png",
        ".ico"  => "image/x-icon",
        ".js"   => "text/javascript",
        ".pdf"  => "application/pdf",
)

fastcgi.server = ( ".fcgi" =>
        ( "localhost" =>
                ( "min-procs"   => 1,
                  "max-procs"   => 1,
                  "socket"      => "/tmp/" + appname + ".fcgi.socket",
                  "bin-path"    => "/usr/local/www/" + appname + "/public/dispatch.fcgi",
                  "bin-environment" => ("RAILS_ENV" => "development")
                )
        )
)

auth.require = ( "/" =>
        ( "method"      => "digest",
          "realm"       => "admin",
          "require"     => "valid-user"
        )
)

After more debugging, it appears that it is due to the inclusion of the digest auth headers (from Safari) in requests over SSL handled by fcgi. Static content can be retrieved with this configuration, and fcgi-served pages work with Firefox etc. Here is a trace with auth headers (some values have been changed to protect the guilty):

GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=752cfec929c1c320a2d650534814efa3
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
Authorization: Digest username="foo", realm="admin", nonce="e47e277fef4aceba7107eb82da8283be", uri="/stores/list", response="8228457624ba8986c90c2638b1398033", cnonce="8e42049231e635ac7e4d808b3d88bf95", nc=00000043, qop="auth"
Connection: keep-alive
Host: 10.168.1.222

2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:22:30: (response.c.451) -- handling physical path
2006-03-11 19:22:30: (response.c.452) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.459) -- file found
2006-03-11 19:22:30: (response.c.460) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.582) -- handling subrequest
2006-03-11 19:22:30: (response.c.583) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:22:30: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:22:30: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:22:30: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Content-Length: 0
Date: Sat, 11 Mar 2006 19:22:30 GMT
Server: Commerce Server


2006-03-11 19:22:30: (connections.c.1573) state for fd 6 write
2006-03-11 19:22:30: (network_openssl.c.115) SSL (error): 5 0 22 Unknown error: 0
2006-03-11 19:22:30: (connections.c.538) connection closed: write failed on fd 6
2006-03-11 19:22:30: (connections.c.1652) shutdown for fd 6
2006-03-11 19:22:30: (connections.c.1527) state for fd 6 close
2006-03-11 19:22:30: (connections.c.1556) connection closed for fd 6

Notice that a response header was formulated, but the Content-Length is 0. The ssl error is a red herring, since we know from the response header that something incorrect already occurred when processing the request. Now a trace with auth disabled and the browser restarted, which yields a successful page load:

GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=8b87f4469d75dc581a33278c28648e60
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
If-Modified-Since: Sat, 11 Mar 2006 19:24:37 GMT
Connection: keep-alive
Host: 10.168.1.222


2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:34:37: (response.c.582) -- handling subrequest
2006-03-11 19:34:37: (response.c.583) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:34:37: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:34:37: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:34:37: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: _session_id=8b87f4469d75dc581a33278c28648e60; path=/
Cache-Control: no-cache
Date: Sat, 11 Mar 2006 19:34:37 GMT
Server: Commerce Server


2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 write
2006-03-11 19:34:37: (connections.c.1305) state at start 6 write
2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1461) state for fd 6 resp-end
2006-03-11 19:34:37: (connections.c.1318) state for fd 6 req-start
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:43: (connections.c.1305) state at start 6 error
2006-03-11 19:34:43: (connections.c.1652) shutdown for fd 6
2006-03-11 19:34:43: (connections.c.1527) state for fd 6 close
2006-03-11 19:34:43: (connections.c.1556) connection closed for fd 6
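To isolate a problem like the one in this ticket it helps to be able to send the same kind of `Authorization: Digest ...` header from a script or from curl instead of from Safari, and to check whether a captured header is actually valid for a known password. The following is an added example, not code from the ticket or from lighttpd: it parses a header in the same wire shape as the trace above (quoted values, bare `nc` token), recomputes the RFC 2617 `response` for a candidate password, and rebuilds a header with a fresh response. The sample header is constructed from the worked-example values in RFC 2617 section 3.5 (user `Mufasa`, password `Circle Of Life`), so the result is checkable; the function names are this example's own.

```python
"""Parse and recompute an RFC 2617 HTTP Digest Authorization header.

Added example for reproducing a Safari-style Digest request without Safari:
parse the captured header, recompute 'response' for a candidate password,
and build an equivalent header to send with curl -H or any HTTP client.
"""
import hashlib
import hmac
import re

# Constructed sample header in the same shape as the one in the lighttpd trace
# (quoted values, unquoted nc), but filled with the worked-example values from
# RFC 2617 section 3.5 so the recomputed response can be checked.
SAMPLE_AUTHORIZATION = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'response="6629fae49393a05397450978507c4ef1", '
    'cnonce="0a4f113b", nc=00000001, qop="auth"'
)
SAMPLE_PASSWORD = "Circle Of Life"  # the RFC 2617 example password

# name=value pairs; values are either quoted strings or bare tokens (nc, qop, algorithm)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    """Return the Digest parameters as a dict with lower-cased keys."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    out = {}
    for m in _PARAM_RE.finditer(params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(params, password, method="GET"):
    """Compute the RFC 2617 response for the given parameters and password.

    Handles qop="auth" (what Safari sends in the trace) and the older qop-less
    RFC 2069 form; qop="auth-int" needs the entity body and is rejected here.
    """
    ha1 = _md5_hex(f'{params["username"]}:{params["realm"]}:{password}')
    ha2 = _md5_hex(f'{method}:{params["uri"]}')
    qop = params.get("qop")
    if qop is None:
        return _md5_hex(f'{ha1}:{params["nonce"]}:{ha2}')
    if qop != "auth":
        raise ValueError(f"unsupported qop {qop!r}")
    return _md5_hex(
        f'{ha1}:{params["nonce"]}:{params["nc"]}:{params["cnonce"]}:{qop}:{ha2}'
    )


def verify_digest_header(header, password, method="GET"):
    """True if the header's response matches what `password` would produce."""
    params = parse_digest_header(header)
    expected = digest_response(params, password, method)
    return hmac.compare_digest(expected, params["response"].lower())


def build_authorization_header(params, password, method="GET"):
    """Rebuild a Digest header with a freshly computed response, e.g. for curl -H."""
    fields = dict(params)
    fields["response"] = digest_response(params, password, method)
    order = ["username", "realm", "nonce", "uri", "response", "cnonce", "nc", "qop"]
    parts = []
    for key in order:
        if key not in fields:
            continue
        # nc is a bare hex token on the wire; everything else is quoted
        parts.append(f"{key}={fields[key]}" if key == "nc" else f'{key}="{fields[key]}"')
    return "Digest " + ", ".join(parts)


if __name__ == "__main__":
    parsed = parse_digest_header(SAMPLE_AUTHORIZATION)
    print("parsed:", parsed)
    print("valid :", verify_digest_header(SAMPLE_AUTHORIZATION, SAMPLE_PASSWORD))
    print("header:", build_authorization_header(parsed, SAMPLE_PASSWORD))
```

Against a live server the nonce must be one the server itself issued in its `WWW-Authenticate` challenge, so the workflow is: make an unauthenticated request, take the nonce (and realm) from the 401, fill in `uri`, `cnonce` and `nc`, and send the result with `curl -k -H "Authorization: ..."`; `curl --digest -u user:pass` performs the same two-step exchange automatically. If a header captured from a browser fails `verify_digest_header` for the correct password, the client computed it wrongly; if it verifies but the server still misbehaves, as in the trace above where a 200 with `Content-Length: 0` comes back, the fault is on the server side.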

Change History

03/24/2006 11:58:30 AM changed by jan

  • description changed.

updated the bug-report layout

09/24/2006 01:29:17 PM changed by jan

  • status changed from new to closed.
  • resolution set to fixed.

fixed in 1.4.12
