Bug #578

closed

Serving pages from fcgi over SSL with digest auth to Safari fails

Added by Anonymous about 18 years ago. Updated over 16 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
-

Description

Configuration:
lighttpd 1.4.11, FreeBSD 6.0, Rails 1.0, MySQL 4.1.16, Safari v2.0.3

lighttpd.conf:


var.appname = "foo" 
server.modules = ("mod_rewrite", "mod_accesslog", "mod_fastcgi", "mod_auth")
server.port = 443
ssl.engine = "enable" 
ssl.pemfile = "/usr/local/etc/lighttpd/server.pem" 
server.username = "www" 
server.groupname = "www" 
server.pid-file = "/var/run/lighttpd.pid" 
accesslog.filename = "/var/log/lighttpd/access.log" 
server.errorlog = "/var/log/lighttpd/error.log" 
server.indexfiles = ("index.html")
url.rewrite = ("/$" => "index.html", "^.*/([^/.]+)$" => "$1.html")
server.document-root = "/usr/local/www/" + appname + "/public/" 
server.error-handler-404 = "/dispatch.fcgi" 
server.tag = "Commerce Server" 
static-file.exclude-extensions = ( ".rb", ".rhtml", ".fcgi", ".cgi" )
auth.backend = "htdigest" 
#auth.backend = "plain" 
#auth.debug = 1
auth.backend.htdigest.userfile = "/usr/local/etc/lighttpd/htdigest.user" 
#auth.backend.plain.userfile = "/usr/local/etc/lighttpd/plain.user" 
#debug.log-response-header         = "enable" 
#debug.log-request-header = "enable" 
#debug.log-request-handling = "enable" 
#debug.log-state-handling = "enable" 

mimetype.assign = (
        ".css"  => "text/css",
        ".html" => "text/html",
        ".txt"  => "text/plain",
        ".gif"  => "image/gif",
        ".jpeg" => "image/jpeg",
        ".jpg"  => "image/jpeg",
        ".png"  => "image/png",
        ".ico"  => "image/x-icon",
        ".js"   => "text/javascript",
        ".pdf"  => "application/pdf",
)

fastcgi.server = ( ".fcgi" =>
        ( "localhost" =>
                ( "min-procs"   => 1,
                  "max-procs"   => 1,
                  "socket"      => "/tmp/" + appname + ".fcgi.socket",
                  "bin-path"    => "/usr/local/www/" + appname + "/public/dispatch.fcgi",
                  "bin-environment" => ("RAILS_ENV" => "development")
                )
        )
)

auth.require = ( "/" =>
        ( "method"      => "digest",
          "realm"       => "admin",
          "require"     => "valid-user" 
        )
)

After more debugging, it appears that it is due to the inclusion of the
digest auth headers (from Safari) in requests over ssl handled by fcgi.
Static content can be retrieved with this configuration, and fcgi-served pages work with Firefox etc.
Here is a trace with auth headers (some values have been changed to protect the guilty):


GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=752cfec929c1c320a2d650534814efa3
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
Authorization: Digest username="foo", realm="admin", nonce="e47e277fef4aceba7107eb82da8283be", uri="/stores/list", response="8228457624ba8986c90c2638b1398033", cnonce="8e42049231e635ac7e4d808b3d88bf95", nc=00000043, qop="auth"
Connection: keep-alive
Host: 10.168.1.222

2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:22:30: (response.c.451) -- handling physical path
2006-03-11 19:22:30: (response.c.452) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.459) -- file found
2006-03-11 19:22:30: (response.c.460) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.582) -- handling subrequest
2006-03-11 19:22:30: (response.c.583) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:22:30: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:22:30: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:22:30: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Content-Length: 0
Date: Sat, 11 Mar 2006 19:22:30 GMT
Server: Commerce Server

2006-03-11 19:22:30: (connections.c.1573) state for fd 6 write
2006-03-11 19:22:30: (network_openssl.c.115) SSL (error): 5 0 22 Unknown error: 0
2006-03-11 19:22:30: (connections.c.538) connection closed: write failed on fd 6
2006-03-11 19:22:30: (connections.c.1652) shutdown for fd 6
2006-03-11 19:22:30: (connections.c.1527) state for fd 6 close
2006-03-11 19:22:30: (connections.c.1556) connection closed for fd 6

Notice that a response header was formulated, but the Content-Length is
0. The ssl error is a red herring, since we know from the response header that
something incorrect already occurred when processing the request.
Now a trace with auth disabled and the browser restarted, which yields a successful page load:


GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=8b87f4469d75dc581a33278c28648e60
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
If-Modified-Since: Sat, 11 Mar 2006 19:24:37 GMT
Connection: keep-alive
Host: 10.168.1.222

2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:34:37: (response.c.582) -- handling subrequest
2006-03-11 19:34:37: (response.c.583) Path         : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:34:37: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:34:37: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:34:37: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: _session_id=8b87f4469d75dc581a33278c28648e60; path=/
Cache-Control: no-cache
Date: Sat, 11 Mar 2006 19:34:37 GMT
Server: Commerce Server

2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 write
2006-03-11 19:34:37: (connections.c.1305) state at start 6 write
2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1461) state for fd 6 resp-end
2006-03-11 19:34:37: (connections.c.1318) state for fd 6 req-start
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:43: (connections.c.1305) state at start 6 error
2006-03-11 19:34:43: (connections.c.1652) shutdown for fd 6
2006-03-11 19:34:43: (connections.c.1527) state for fd 6 close
2006-03-11 19:34:43: (connections.c.1556) connection closed for fd 6

-- dominique.brezinski
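
Added example, not part of the original report and not lighttpd code: a small triage script that scans a debug trace in the format shown above and flags the failure signature the report describes (a request carrying `Authorization: Digest`, handled by mod_fastcgi, answered with `200 OK` and `Content-Length: 0`). The function names and the condensed sample trace are constructed for illustration.

```python
import re

# Constructed sample: condensed from the two traces in the report above.
SAMPLE_LOG = """\
GET /stores/list HTTP/1.1
Authorization: Digest username="foo", realm="admin", uri="/stores/list", qop="auth"
2006-03-11 19:22:30: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:22:30: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Content-Length: 0
2006-03-11 19:22:30: (connections.c.538) connection closed: write failed on fd 6
GET /stores/list HTTP/1.1
2006-03-11 19:34:37: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:34:37: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
"""

REQ_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")
LOG_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: \((\S+?)\.\d+\) (.*)$")

def parse_exchanges(text):
    """Split a lighttpd debug trace into one record per logged request."""
    exchanges, cur, section = [], None, None
    for line in text.splitlines():
        req, log = REQ_LINE.match(line), LOG_LINE.match(line)
        if req:  # a logged request line starts a new exchange
            cur = {"uri": req.group(1), "req": {}, "resp": {}, "status": None,
                   "fastcgi": False, "write_failed": False}
            exchanges.append(cur)
            section = "req"
        elif cur is None:
            continue
        elif log:  # timestamped server line: note handler and write errors
            section = "resp" if log.group(2).startswith("Response-Header:") else None
            cur["fastcgi"] |= log.group(1) == "mod_fastcgi.c"
            cur["write_failed"] |= "write failed" in log.group(2)
        elif section == "resp" and line.startswith("HTTP/"):
            cur["status"] = int(line.split()[1])
        elif section and ":" in line:  # header line of the current block
            name, value = line.split(":", 1)
            cur[section][name.strip().lower()] = value.strip()
    return exchanges

def is_empty_digest_fcgi(ex):
    """Signature from the report: Digest request, FastCGI handler, empty 200."""
    return (ex["req"].get("authorization", "").lower().startswith("digest ")
            and ex["fastcgi"] and ex["status"] == 200
            and ex["resp"].get("content-length") == "0")
```

The check keys on the empty response rather than on the SSL write error, so it still matches when the write failure is logged differently or not at all.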

Actions #1

Updated by jan about 18 years ago

updated the bug-report layout

Actions #2

Updated by jan over 17 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

fixed in 1.4.12
