Possible solution for NoDecode and Apache < 2.2.18

780 views
Skip to first unread message

Joshua J. Kugler

unread,
May 22, 2013, 7:59:24 PM5/22/13
to repo-d...@googlegroups.com, Shawn Pearce, Doug Kelly
Shawn, et al -

In the thread about the missing Apache features, Doug Kelly pointed out they
were using this:

> AllowEncodedSlashes On
> <Location /code-review>
> ProxyPass http://127.0.0.1:8081/code-review nocanon
> ...
> </Location>

The mod_proxy module has a "canon" option, which the mod_proxy docs describe
thus:

"""
Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be
incompatible with some backends, particularly those that make use of
PATH_INFO. The optional nocanon keyword suppresses this, and passes the URL
path "raw" to the backend. Note that may affect the security of your backend,
as it removes the normal limited protection against URL-based attacks provided
by the proxy.
"""

That sounds exactly like what NoDecode does for the AllowEncodedSlashes rule.
That may just work.

Is it possible to get this tested and officially vetted by the Gerrit team? If
this works, it would be fantastic, and would allow us to upgrade beyond 2.5.

Thanks!

j

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: peda...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

Steffen Gebert

unread,
May 29, 2013, 2:44:35 AM5/29/13
to repo-discuss@googlegroups.com Discussion, Joshua J. Kugler
Hi Joshua,

>> ProxyPass http://127.0.0.1:8081/code-review nocanon

> That sounds exactly like what NoDecode does for the AllowEncodedSlashes rule.
While I was first motivated to move our Gerrit to a new server on Debian Wheezy, I admit that it would be a bit easier to just get Gerrit 2.6+ running with older Apache versions - and as Joshua said I think it would be good for Gerrit to have an approved setup based on ProxyPass .. nocanon.

In my tests it also worked flawlessly. Has anybody else tried this and experienced (no) problems?

Yours
Steffen
> --
> --
> To unsubscribe, email repo-discuss...@googlegroups.com
> More info at http://groups.google.com/group/repo-discuss?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

Steffen Gebert

unread,
Jun 3, 2013, 3:47:53 PM6/3/13
to repo-discuss@googlegroups.com Discussion
Hi,

I've made an attempt [1] to get this documented, as several people (including me) already ran into that issue.

Yours
Steffe
--
[1] https://gerrit-review.googlesource.com/46471

Will Saxon

unread,
Mar 10, 2014, 9:05:28 PM3/10/14
to repo-d...@googlegroups.com
Hello,

Sorry to resurrect an old thread, but we just hit this same issue upgrading from 2.5 to 2.8.1. 

For some reason, setting AllowEncodedSlashes On + ProxyPass http://url nocanon DID NOT WORK. We were seeing HTTP 400 errors in the access log whenever someone tried to review a file. 

We were running w/ Apache 2.2.15 and Gerrit in Tomcat 7.0.29. We built a new, separate machine with all configs identical except we upgraded Apache to 2.2.26 and ran Gerrit w/ stock Jetty instead of using Tomcat. The problem did not manifest in this configuration. Then on our production system we moved from Tomcat to Jetty and the problem stopped. 

So for us, it looks like something w/ our Tomcat config vs. Jetty contributes to or causes this issue.

-Will

Doug Kelly

unread,
Mar 12, 2014, 10:54:59 AM3/12/14
to repo-d...@googlegroups.com


On Monday, March 10, 2014 8:05:28 PM UTC-5, Will Saxon wrote:
Hello,

Sorry to resurrect an old thread, but we just hit this same issue upgrading from 2.5 to 2.8.1. 

For some reason, setting AllowEncodedSlashes On + ProxyPass http://url nocanon DID NOT WORK. We were seeing HTTP 400 errors in the access log whenever someone tried to review a file. 

HTTP 400? You sure it's not 404?  400 is Bad Request, which the Apache server would *not* return when you had encoded slashes in a request.  I have a feeling something else is going on, as we currently run 2.8.1 with Apache frontending the embedded Jetty server.


We were running w/ Apache 2.2.15 and Gerrit in Tomcat 7.0.29. We built a new, separate machine with all configs identical except we upgraded Apache to 2.2.26 and ran Gerrit w/ stock Jetty instead of using Tomcat. The problem did not manifest in this configuration. Then on our production system we moved from Tomcat to Jetty and the problem stopped. 

So for us, it looks like something w/ our Tomcat config vs. Jetty contributes to or causes this issue.

-Will
 
I'd agree.  The Tomcat configuration seems more likely here, although, I haven't configured Gerrit to run in Tomcat (or used Tomcat at all, really), so I'm not very useful here.

James Moger

unread,
Mar 12, 2014, 11:04:54 AM3/12/14
to Doug Kelly, repo-discuss@googlegroups.com Discussion
Tomcat is openly hostile to encoded forward-slashes. This is a long
standing issue for me and another good reason why Gitblit sticks with
Jetty.

You can force Tomcat to accept them [1][2] - but I haven't had success
getting Apache to allow them to pass-through despite
AllowEncodedSlashes.

-J

[1]: http://gitblit.com/faq.html#H9
[2]: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10
Reply all
Reply to author
Forward
0 new messages