Apache HTTP2 h2c mode not working properly - apache

I would like to enable h2c mode on apache, so I can use HTTP2.0 protocol. In my virtual host configuration I have included the line:
Protocols h2c http/1.1
I have also followed the advise to disable prefork but it doesn't work as expected.
Currently I'm using apache 2.4.29 on Ubuntu.
Case 1) curl requesting http2 upgrade
$ curl -vs --http2 http://domain1.com
* Rebuilt URL to: http://domain1.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to domain1.com (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: domain1.com
> User-Agent: curl/7.58.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
>
< HTTP/1.1 101 Switching Protocols
< Upgrade: h2c
< Connection: Upgrade
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=28
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200
< date: Sun, 00 Jan 1900 00:00:00 GMT
< server: Apache/2.4.29 (Ubuntu)
< last-modified: Fri, 29 Mar 2019 13:52:29 GMT
< etag: W/"2aa6-5853bfb4c71ac"
< accept-ranges: bytes
< content-length: 10918
< vary: Accept-Encoding
< content-type: text/html
<
.... [snip website code] ....
Case 2) curl directly using http2
$ curl -vs --http2-prior-knowledge http://domain1.com
* Rebuilt URL to: http://domain1.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to domain1.com (127.0.0.1) port 80 (#0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5604f1cb1580)
> GET / HTTP/2
> Host: domain1.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* http2 error: Remote peer returned unexpected data while we expected SETTINGS frame. Perhaps, peer does not support HTTP/2 properly.
As you can see Case 1 is working as expected, but Case 2 is not returning the site. Why is this happening? Is it because Apache is restricting direct use of HTTP2.0 without security?
Hope you can give me an answer as I don't know why things are not working now.

I think I have found the answer, and I think it is a bug in the lastest Apache versions. If I only enable h2c in a virtual host the error persist, but if I enable it on the default virtual host (000-default.conf) everything seems to be working fine.
Another potential solution I have tested and that is working is to enable the protocols h2 and h2c in every virtual host by modifying the mods-enabled/http2.load file:
LoadModule http2_module /usr/lib/apache2/modules/mod_http2.so
<IfModule http2_module>
Protocols h2 h2c http/1.1
</IfModule>
Any of the above mentioned options seems to make the system works as expected both with protocol negotiation and with prior knowledge.

Related

curl changes the URI in the authorization header for digest behind proxy

The bounty expires in 4 days. Answers to this question are eligible for a +50 reputation bounty.
Mirza Prangon is looking for an answer from a reputable source:
Details how what is going wrong, where it is going wrong and how to fix it.
I am trying to use curl for a http request.
I have to use it behind a enterprise proxy server. The remote host uses digest authentication.
I am using the following curl command.
curl -x "http://proxy_username:proxy_pass#proxyIp.xxx.xxx.xxx:8080" -L -X GET "https://remote-host.something.com:443/tomcat_servlet/UploadServlet" --digest -u digest_auth_user:digest_auth_pass -v -k
But I get 400 bad request from apache httpd. The full output from curl is
* Trying proxyIp.xxx.xxx.xxx:8080...
* Connected to proxyIp.xxx.xxx.xxx (proxyIp.xxx.xxx.xxx) port 8080 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to remote-host.something.com:443
* Proxy auth using Basic with user 'proxy_username'
* Server auth using Digest with user 'digest_auth_user'
> CONNECT remote-host.something.com:443 HTTP/1.1
> Host: remote-host.something.com:443
> Proxy-Authorization: Basic <redacted>
> User-Agent: curl/7.83.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Via:HTTP/1.1 s_proxy_nrt
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* Server auth using Digest with user 'digest_auth_user'
> GET /tomcat_servlet/UploadServlet HTTP/1.1
> Host: remote-host.something.com
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 307 Temporary Redirect
< Server: Cisco Umbrella
< Date: Tue, 14 Feb 2023 02:52:03 GMT
< Content-Type: text/html
< Content-Length: 190
< Connection: keep-alive
< Set-Cookie: swg_https_a2bc=1; Path=/; Expires=Tue, 14-Feb-23 03:02:03 GMT; domain=remote-host.something.com; SameSite=None; Secure
< Location: https://remote-host.something.com/tomcat_servlet/UploadServlet?swg_a2bc=1
< Via: HTTP/1.1 s_proxy_nrt
<
* Ignoring the response-body
* Connection #0 to host proxyIp.xxx.xxx.xxx left intact
* Issue another request to this URL: 'https://remote-host.something.com/tomcat_servlet/UploadServlet?swg_a2bc=1'
* Found bundle for host: 0x1a0ed47d970 [serially]
* Re-using existing connection #0 with proxy proxyIp.xxx.xxx.xxx
* Connected to proxyIp.xxx.xxx.xxx (proxyIp.xxx.xxx.xxx) port 8080 (#0)
* Server auth using Digest with user 'digest_auth_user'
> GET /tomcat_servlet/UploadServlet?swg_a2bc=1 HTTP/1.1
> Host: remote-host.something.com
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Date: Tue, 14 Feb 2023 02:52:03 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 381
< Connection: keep-alive
< Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k
< WWW-Authenticate: Digest realm="https_transfer", nonce="redacted", algorithm=MD5, qop="auth"
< Via: HTTP/1.1 m_proxy_nrt
<
* Ignoring the response-body
* Connection #0 to host proxyIp.xxx.xxx.xxx left intact
* Issue another request to this URL: 'https://remote-host.something.com/tomcat_servlet/UploadServlet?swg_a2bc=1'
* Found bundle for host: 0x1a0ed47d970 [serially]
* Re-using existing connection #0 with proxy proxyIp.xxx.xxx.xxx
* Connected to proxyIp.xxx.xxx.xxx (proxyIp.xxx.xxx.xxx) port 8080 (#0)
* Server auth using Digest with user 'digest_auth_user'
> GET /tomcat_servlet/UploadServlet?swg_a2bc=1 HTTP/1.1
> Host: remote-host.something.com
> Authorization: Digest username="digest_auth_user",realm="https_transfer",nonce="redacted",uri="/tomcat_servlet/UploadServlet?swg_a2bc=1",cnonce="redacted",nc=00000001,algorithm=MD5,response="redacted",qop="redacted"
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Date: Tue, 14 Feb 2023 02:52:03 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 226
< Connection: keep-alive
< Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k
< Via: HTTP/1.1 m_proxy_nrt
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
* Connection #0 to host proxyIp.xxx.xxx.xxx left intact
Is the server side, I get the following in httpd log.
[auth_digest:error] [pid 3052:tid 1928] [client xxx.xxx.xxx.xxx:xxx] AH01786: uri mismatch - </tomcat_servlet/UploadServlet?swg_a2bc=1> does not match request-uri </tomcat_servlet/UploadServlet>
Indeed, cURL is adding some query it is getting from the proxy server in the authentication header.
Settings of my httpd
<Location /tomcat_servlet>
ProxyPass http://localhost:8080/tomcat_servlet
ProxyPassReverse http://localhost:8080/tomcat_servlet
AuthType Digest
AuthName https_transfer
AuthUserFile ${SRVROOT}/conf/.htpasswd
Require valid-user
</Location>
How do I use cURL in this situation? Or should I change some settings in the httpd side?

PHP prevent header overwriting by Proxy

I want to access a PHP script hosted on dnsserver.icu via this proxy 207.154.231.211:8080 with curl.
The problem is that the Proxy server seems to do overwrite the HTTP 200 code with a 302 code making it impossible to reach the script.
curl -v dnsserver.icu gives the following output:
* Rebuilt URL to: dnsserver.icu/
* Trying 134.122.73.150...
* TCP_NODELAY set
* Connected to dnsserver.icu (134.122.73.150) port 80 (#0)
> GET / HTTP/1.1
> Host: dnsserver.icu
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 15 Apr 2020 20:05:18 GMT
< Server: Apache/2.4.29 (Ubuntu)
< Content-Length: 31
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host dnsserver.icu left intact
whereas curl -v -x 207.154.231.211:8080 dnsserver.icu gives the unexpected result of:
* Rebuilt URL to: dnsserver.icu/
* Trying 207.154.231.211...
* TCP_NODELAY set
* Connected to 207.154.231.211 (207.154.231.211) port 8080 (#0)
> GET http://dnsserver.icu/ HTTP/1.1
> Host: dnsserver.icu
> User-Agent: curl/7.58.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 302 Found
< Location: http://206.189.153.135
< Date: Wed, 15 Apr 2020 20:08:37 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
<
* Connection #0 to host 207.154.231.211 left intact
The address in the Location header is also changing sometimes.
I already experimented with different header configurations but I couldn't get it to work. When I log every call to the PHP script it doesn't look like the server is even reached by the proxy (no call logged). Futhermore the apache access log is empty.
Strangely this is not the case for all domains. I'm able to access e.g. ip-api.com, google.com or also less popular domains like proxyjudge.us (but not the ip equivalent of 45.33.35.141) through the proxy.
I have no idea what the reason for this behaviour is. Is there any 'trick' in terms of header setting or apache configuration that makes it possible to also access dnsserver.icu through this proxy? Something I havent tought of?
I appreciate any help.

CNAME rule to redirect subdomain to external site not working

I self-host my personal website on myDomain.com, which is a flask app served with apache. I am starting a personal blog, using a static site generator and netlify, which I would like to have hosted at blog.myDomain.com
I have set a CNAME rule for blog on the DNS provider for myDomain, which points to the netlify url customNetlifyDomain.netlify.com but this does not appear to be working. curl -v blog.myDomain.com returns
* Connected to blog.myDomain.com (ipv6.addr) port 80 (#0)
> GET / HTTP/1.1
> Host: blog.myDomain.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Cache-Control: max-age=30, public
< Content-Length: 9
< Content-Type: text/html; charset=utf-8
< Date: Sat, 16 Mar 2019 19:03:28 GMT
< X-Content-Type-Options: nosniff
< X-Frame-Options: ALLOWALL
< X-Request-Id: xxx
< X-Runtime: 0.007337
< Age: 0
< Connection: keep-alive
< Server: Netlify
< X-NF-Request-ID: xxx
<
* Connection #0 to host blog.myDomain.com left intact
Not Found
I am able to ping blog.myDomain.com and get
ping blog.myDomain.com
PING customNetlifyDomain.netlify.com (ip.addr) 56(84) bytes of data.
64 bytes from 142.93.108.123: icmp_seq=1 ttl=57 time=25.2 ms
64 bytes from 142.93.108.123: icmp_seq=2 ttl=57 time=34.7 ms
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
And nslookup blog.myDomain.com:
Server: 127.0.1.1
Address: 127.0.1.1#53
Non-authoritative answer:
blog.myDomain.com canonical name = customNetlifyDomain.netlify.com.
Name: customNetlifyDomain.netlify.com
Address: ip.addr
Any suggestions appreciated!
Make sure the subdomain alias is added to the domain management on your Netlify site.

Apache Forward Proxy With SSL Termination

I'm trying to set up an Apache Forward Proxy that terminates the SSL connection. The reason I'm trying to do this is to run Apache filters (specifically mod_pagespeed) on the returned code. Before I deal with mod_pagespeed, I'm testing this POC by trying to insert a header into the response (which will prove that I can edit the response), but I'm having issues with SSL proxying (non-SSL proxying works fine).
Note that I'm not concerned about any certificate errors or the like -- this is purely for internal testing.
I've got the server set up and see the X-MSCProxy Header on a non-SSL page:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9#localhost:8080 -D - -o /dev/null http://www.slate.com
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Proxy auth using Basic with user 'pagespeed_proxy'
> GET http://www.slate.com/ HTTP/1.1
> Host: www.slate.com
...
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 30 Oct 2017 18:10:40 GMT
Date: Mon, 30 Oct 2017 18:10:40 GMT
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
...
< Content-Length: 187051
Content-Length: 187051
...
< X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
< Via: 1.1 172.17.0.2:8080
Via: 1.1 172.17.0.2:8080
< X-MSCProxy: SansPS
X-MSCProxy: SansPS
But when I make the same request to Slate's SSL page I don't see my proxy:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9#localhost:8080 -D - -o /dev/null https://www.slate.com
* Connected to localhost (::1) port 8080 (#0)
* Establish HTTP proxy tunnel to www.slate.com:443
* Proxy auth using Basic with user 'pagespeed_proxy'
> CONNECT www.slate.com:443 HTTP/1.1
> Host: www.slate.com:443
< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.25 (Debian)
Proxy-agent: Apache/2.4.25 (Debian)
<
* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: ssl004.insnw.net
* Server certificate: GlobalSign CloudSSL CA - SHA256 - G3
* Server certificate: GlobalSign Root CA
> GET / HTTP/1.1
> Host: www.slate.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< Content-Length: 187044
Content-Length: 187044
< Connection: keep-alive
Connection: keep-alive
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
< X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
I've found a lot of posts that say this is possible (and, technically, it should be) with various httpd.conf suggestions, but nothing I've tried has worked. Right now my httpd.conf looks like:
<VirtualHost *:8080>
ProxyRequests On
ProxyVia On
Header set X-MSCProxy SansPS
#SSLEngine On
# suggestion that this allows termination
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerExpire Off
SSLProxyCheckPeerName Off
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
ModPagespeed Off
</VirtualHost>
FWIW, when I enable SSLEngine on this proxy (as has been suggested) then the request simply doesn't work with this error from Apache:
[Mon Oct 30 18:20:20.705047 2017] [ssl:info] [pid 372:tid 140147985901312] [client 172.17.0.1:34012] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Mon Oct 30 18:20:20.705107 2017] [ssl:info] [pid 372:tid 140147985901312] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?
Which I guess makes sense as the proxy protocol isn't expecting an HTTPS connection directly to the proxy.
I would try to use the output filter feautre fom apache.
https://www.modpagespeed.com/doc/configuration#apache_specific
AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
Try to add https:// to the curl proxy command like this:
jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy https://pagespeed_proxy:3ja82ad9#localhost:8080 -D - -o /dev/null https://www.slate.com
Apache complained about connecting to port 8080 with http even though https is configured for this port.

Vagrant is not port forwarding with VirtualBox and PuPHPet

Problem
I cannot connect to my virtual machine's environment, despite using an accepted private network and forwarded ports.
Description
System
MAC OSX 10.9.3
Vagrant 1.6.3
VirtualBox 4.3.12
Vagrantfile file
Puphpet file
Cisco AnyConnect VPN
Using Private Company Network
ifconfig results
Virtual Host file for Web Project.
Upon vagrant up, I vagrant ssh into my virtualbox. The following request work as expected:
[06:04 PM]-[vagrant#precise64]-[~]
$ curl -v 192.168.56.101
* About to connect() to 192.168.56.101 port 80 (#0)
* Trying 192.168.56.101... connected
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 192.168.56.101
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 09 Jul 2014 18:05:05 GMT
< Server: Apache/2.4.9 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 481
< Connection: close
< Content-Type: text/html;charset=UTF-8
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th>Name</th><th>Last modified</th><th>Size</th><th>Description</th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
</body></html>
* Closing connection #0
[06:05 PM]-[vagrant#precise64]-[~]
$ curl -v playworldsystems.dev
* About to connect() to playworldsystems.dev port 80 (#0)
* Trying 192.168.56.101... connected
> GET / HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: playworldsystems.dev
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 09 Jul 2014 18:05:52 GMT
< Server: Apache/2.4.9 (Ubuntu)
< X-Powered-By: PHP/5.5.14-2+deb.sury.org~precise+1
< Vary: Accept-Encoding
< Content-Length: 122
< Connection: close
< Content-Type: text/html
<
<pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'hello'</font> <i>(length=5)</i>
* Closing connection #0
</pre>
However, when I try both commands from within my HOST terminal, I receive the following error:
curl -v 192.168.56.101
* About to connect() to 192.168.56.101 port 80 (#0)
* Trying 192.168.56.101...
* Adding handle: conn: 0x7fc6f1000000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fc6f1000000) send_pipe: 1, recv_pipe: 0
* Failed connect to 192.168.56.101:80; Operation timed out
* Closing connection 0
curl: (7) Failed connect to 192.168.56.101:80; Operation timed out
☁ ~ curl -v playworldsystems.dev
* Adding handle: conn: 0x7fdbe9803000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fdbe9803000) send_pipe: 1, recv_pipe: 0
* About to connect() to playworldsystems.dev port 80 (#0)
* Trying 192.168.56.101...
* Failed connect to playworldsystems.dev:80; Operation timed out
* Closing connection 0
curl: (7) Failed connect to playworldsystems.dev:80; Operation timed out
Even after trying cURLing from both port 6969 and 8080, I still have no success. I've used random IP Addresses as well as Ports. I've tried altering my virtual host to other port numbers. Nothing seems to work. I will mention that when first starting out, I noticed that this vagrant setup has worked --both only twice. Each time it was working, i would vagrant suspend and vagrant up the next morning to find that my prior solution is no longer working.
Perhaps this fact is what makes this process so frustrating. I want to get of MAMP for my current projects but fear that it is either my work machine's settings that are interfering or perhaps some other application or network related issue. I'm unsure what steps to take and am looking forward to any and all solutions.
a few tips/pointers.
check that the firewall rules are not blocking the ports, if all else fails, just disable it for testing "iptables -F"
make sure ports are forwarded correctly https://docs.vagrantup.com/v2/networking/forwarded_ports.html
so what you want for http is host:8080 guest:80
sometimes your IP address changes on your host ( for example, acquiring new dhcp or joining new network home/work/vpn )
check that you can ping your VM guest from your host via the correct IP from the correct adapter. On the host run "ifconfig -a" (on the mac there should be some en0 for ethernet and en1 for airport) if you can ping the vm guest, then you can hit the web server via port 8080 ( http://mylocal.dev:8080/ ) provided of course that you edited your /etc/hosts to point your vhost to the above mentioned IP address.