Bug #578
closed
Serving pages from fcgi over SSL with digest auth to Safari fails
Description
Configuration:
lighttpd 1.4.11, FreeBSD 6.0, Rails 1.0, MySQL 4.1.16, Safari v2.0.3
lighttpd.conf:
var.appname = "foo"
server.modules = ("mod_rewrite", "mod_accesslog", "mod_fastcgi", "mod_auth")
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/usr/local/etc/lighttpd/server.pem"
server.username = "www"
server.groupname = "www"
server.pid-file = "/var/run/lighttpd.pid"
accesslog.filename = "/var/log/lighttpd/access.log"
server.errorlog = "/var/log/lighttpd/error.log"
server.indexfiles = ("index.html")
url.rewrite = ("/$" => "index.html", "^.*/([^/.]+)$" => "$1.html")
server.document-root = "/usr/local/www/" + appname + "/public/"
server.error-handler-404 = "/dispatch.fcgi"
server.tag = "Commerce Server"
static-file.exclude-extensions = ( ".rb", ".rhtml", ".fcgi", ".cgi" )
auth.backend = "htdigest"
#auth.backend = "plain"
#auth.debug = 1
auth.backend.htdigest.userfile = "/usr/local/etc/lighttpd/htdigest.user"
#auth.backend.plain.userfile = "/usr/local/etc/lighttpd/plain.user"
#debug.log-response-header = "enable"
#debug.log-request-header = "enable"
#debug.log-request-handling = "enable"
#debug.log-state-handling = "enable"
mimetype.assign = (
  ".css" => "text/css",
  ".html" => "text/html",
  ".txt" => "text/plain",
  ".gif" => "image/gif",
  ".jpeg" => "image/jpeg",
  ".jpg" => "image/jpeg",
  ".png" => "image/png",
  ".ico" => "image/x-icon",
  ".js" => "text/javascript",
  ".pdf" => "application/pdf",
)
fastcgi.server = ( ".fcgi" =>
  ( "localhost" =>
    (
      "min-procs" => 1,
      "max-procs" => 1,
      "socket" => "/tmp/" + appname + ".fcgi.socket",
      "bin-path" => "/usr/local/www/" + appname + "/public/dispatch.fcgi",
      "bin-environment" => ("RAILS_ENV" => "development")
    )
  )
)
auth.require = ( "/" =>
  (
    "method" => "digest",
    "realm" => "admin",
    "require" => "valid-user"
  )
)
After more debugging, it appears that it is due to the inclusion of the
digest auth headers (from Safari) in requests over ssl handled by fcgi.
Static content can be retrieved with this configuration, and fcgi-served pages work with Firefox etc.
Here is a trace with auth headers (some values have been changed to protect the guilty):
GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=752cfec929c1c320a2d650534814efa3
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
Authorization: Digest username="foo", realm="admin", nonce="e47e277fef4aceba7107eb82da8283be", uri="/stores/list", response="8228457624ba8986c90c2638b1398033", cnonce="8e42049231e635ac7e4d808b3d88bf95", nc=00000043, qop="auth"
Connection: keep-alive
Host: 10.168.1.222

2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:22:30: (response.c.451) -- handling physical path
2006-03-11 19:22:30: (response.c.452) Path : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.459) -- file found
2006-03-11 19:22:30: (response.c.460) Path : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (response.c.582) -- handling subrequest
2006-03-11 19:22:30: (response.c.583) Path : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:22:30: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:22:30: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:22:30: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:22:30: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:22:30: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:22:30: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Content-Length: 0
Date: Sat, 11 Mar 2006 19:22:30 GMT
Server: Commerce Server

2006-03-11 19:22:30: (connections.c.1573) state for fd 6 write
2006-03-11 19:22:30: (network_openssl.c.115) SSL (error): 5 0 22 Unknown error: 0
2006-03-11 19:22:30: (connections.c.538) connection closed: write failed on fd 6
2006-03-11 19:22:30: (connections.c.1652) shutdown for fd 6
2006-03-11 19:22:30: (connections.c.1527) state for fd 6 close
2006-03-11 19:22:30: (connections.c.1556) connection closed for fd 6
Notice that a response header was formulated, but the Content-Length is
0. The ssl error is a red herring, since we know from the response header that
something incorrect already occurred when processing the request.
Now a trace with auth disabled and the browser restarted, which yields a successful page load:
GET /stores/list HTTP/1.1
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Cookie: _session_id=8b87f4469d75dc581a33278c28648e60
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8
If-Modified-Since: Sat, 11 Mar 2006 19:24:37 GMT
Connection: keep-alive
Host: 10.168.1.222

2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (response.c.196) -- splitting Request-URI
[snip]
2006-03-11 19:34:37: (response.c.582) -- handling subrequest
2006-03-11 19:34:37: (response.c.583) Path : /usr/local/www/commerce-admin/public/dispatch.fcgi
2006-03-11 19:34:37: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 handle-req
2006-03-11 19:34:37: (connections.c.1305) state at start 6 handle-req
2006-03-11 19:34:37: (connections.c.1359) state for fd 6 handle-req
2006-03-11 19:34:37: (connections.c.1445) state for fd 6 resp-start
2006-03-11 19:34:37: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html
Set-Cookie: _session_id=8b87f4469d75dc581a33278c28648e60; path=/
Cache-Control: no-cache
Date: Sat, 11 Mar 2006 19:34:37 GMT
Server: Commerce Server

2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 write
2006-03-11 19:34:37: (connections.c.1305) state at start 6 write
2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
2006-03-11 19:34:37: (connections.c.1461) state for fd 6 resp-end
2006-03-11 19:34:37: (connections.c.1318) state for fd 6 req-start
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:37: (connections.c.1305) state at start 6 read
2006-03-11 19:34:37: (connections.c.1565) state for fd 6 read
2006-03-11 19:34:37: (connections.c.1679) state at exit: 6 read
2006-03-11 19:34:43: (connections.c.1305) state at start 6 error
2006-03-11 19:34:43: (connections.c.1652) shutdown for fd 6
2006-03-11 19:34:43: (connections.c.1527) state for fd 6 close
2006-03-11 19:34:43: (connections.c.1556) connection closed for fd 6
-- dominique.brezinski
Updated by jan over 17 years ago
- Status changed from New to Fixed
- Resolution set to fixed
fixed in 1.4.12
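
A triage check for the symptom the report describes, as an added example that is not part of the original ticket or of lighttpd: it walks a debug trace of this shape and returns the requests that mod_fastcgi handled yet answered with 200 and Content-Length: 0, recording whether each carried a Digest Authorization header. The sample trace is constructed from the two traces above, abbreviated, and the function names are hypothetical.

```python
import re
# Constructed sample: the failing and working traces above, abbreviated.
SAMPLE = """\
GET /stores/list HTTP/1.1
Authorization: Digest username="foo", realm="admin", uri="/stores/list", qop="auth"
2006-03-11 19:22:30: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:22:30: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Content-Length: 0
2006-03-11 19:22:30: (network_openssl.c.115) SSL (error): 5 0 22 Unknown error: 0
GET /stores/list HTTP/1.1
2006-03-11 19:34:37: (mod_fastcgi.c.3549) handling it in mod_fastcgi
2006-03-11 19:34:37: (response.c.111) Response-Header:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
2006-03-11 19:34:37: (connections.c.1573) state for fd 6 write
"""

LOG = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d: \(\S+\) (.*)$")
REQ = re.compile(r"^[A-Z]+ (\S+) HTTP/1\.[01]$")

def parse_requests(trace):
    """Split a debug trace into requests with their logged response headers."""
    reqs, cur, in_resp = [], None, False
    for line in trace.splitlines():
        log, req = LOG.match(line), REQ.match(line)
        if log:  # a timestamped log line ends any dumped header block
            in_resp = log.group(1).startswith("Response-Header:")
            if cur and "handling it in mod_fastcgi" in log.group(1):
                cur["fcgi"] = True
        elif req:
            cur = {"uri": req.group(1), "digest": False, "fcgi": False,
                   "status": None, "resp": {}}
            reqs.append(cur)
            in_resp = False
        elif cur and in_resp and line.startswith("HTTP/"):
            cur["status"] = line.split()[1]
        elif cur and ":" in line:
            name, value = (s.strip() for s in line.split(":", 1))
            if in_resp:
                cur["resp"][name.lower()] = value
            elif name.lower() == "authorization":
                cur["digest"] = value.lower().startswith("digest ")
    return reqs

def empty_fcgi_responses(trace):
    """Requests mod_fastcgi handled that still got 200 with Content-Length: 0."""
    return [r for r in parse_requests(trace) if r["fcgi"]
            and r["status"] == "200" and r["resp"].get("content-length") == "0"]
```

Keying on the logged response header rather than on the later `network_openssl.c` line matches the report's reading that the SSL error is a consequence, not the cause.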