Re: issue with using digest with jetty backends

From: Matt <mattmoran76#gmail.com>
Date: Wed, 7 Apr 2010 13:25:51 +0100


On 7 April 2010 11:10, Matt <mattmoran76#gmail.com> wrote:

> On 6 April 2010 19:43, Willy Tarreau <w#1wt.eu> wrote:
>
>> On Tue, Apr 06, 2010 at 11:42:53AM +0100, Matt wrote:
>> > Hi all,
>> >
>> > Using HA-Proxy version 1.3.19 2009/07/27. Set-up is HA-Proxy balancing a
>> > pool of Jetty servers.
>> >
>> > We had a tomcat application using keep-alive that was having issues (kept on
>> > opening many connections), so to stop that and other clients getting the
>> > same problem we used the option httpclose which fixed the problem.
>> >
>> > This though has added another issue when using digest authentication with
>> > curl. When sending to the HA-Proxy IP:-
>> >
>> > **request**
>> > > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
>> > > Host: ...........
>> > > Accept: */*
>> > > content-type:application/xml
>> > > Content-Length: 0
>> > > Expect: 100-continue
>> >
>> > **response**
>> > < HTTP/1.1 100 Continue
>> > < Connection: close
>> > * Empty reply from server
>> > * Closing connection #0
>> > curl: (52) Empty reply from server
>> >
>> > It looks like HA-Proxy is sending 100-continue and not 401 and adding the
>> > connection closed header. If I use curl with the --http1.0 option, then it
>> > works as expected, but I guess this is forcing Jetty to work in http 1.0
>> > mode.
>>
>> This was fixed in 1.3.23 and 1.3.24. The issue is not what you describe above.
>> What happens is that the client sends the "Expect: 100-continue" header, which
>> is forwarded to the server. The server then replies with "HTTP/1.1 100 Continue"
>> and haproxy adds the "Connection: close" response there. Strictly speaking, both
>> curl and haproxy are incorrect here :
>> - haproxy should not add any header on a 100-continue response
>> - libcurl should ignore any header in a 100-continue response.
>>
>> But the reality is that both do probably not consider the 100-continue
>> response as a special case, which it is.
>>
>> There is nothing you can do with the configuration to fix this, you should
>> really update your version (also other annoying issues have been fixed since
>> 1.3.19). Either you install 1.3.24 (or 1.3.23 if you don't find 1.3.24 yet for
>> your distro), or you can switch to 1.4.3.
>>
>> Well, maybe if you remove "option httpclose" and replace it with
>> "reqadd Connection:\ close", without the corresponding "rspadd", it could work,
>> if you don't have anything else touching the response (no cookie insertion, ...).
>> This would rely on the server to correctly close the response. But it would be
>> an awful hack.
>>
>> > When using apache in front of HA-Proxy with both force-proxy-request-1.0 and
>> > proxy-nokeepalive the request is successful.
>>
>> This is because the Expect header appeared in 1.1, so the client cannot use it
>> if you force the request as 1.0.
>>
> On second thoughts I don't think this is going to work. If 1.3.24 is the
> same as 1.4.3, I'm getting an error on the first request not the challenge
> when using 1.4.3 and option httpclose, or option http-server-close.
>
> When using curl :-
> * Server auth using Digest with user 'su'
> > PUT ............. HTTP/1.1
> > User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> > Host: ..........
> > Accept: */*
> > content-type:application/xml
> > Content-Length: 0
> > Expect: 100-continue
> >
> < HTTP/1.1 100 Continue
> * HTTP 1.0, assume close after body
> < HTTP/1.0 502 Bad Gateway
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>502 Bad Gateway</h1>
> The server returned an invalid or incomplete response.
> </body></html>
> * Closing connection #0
>
> The Jetty server throws an exception :-
> HTTP/1.1 PUT
> Request URL: http://..........
> User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> Host: ............
> Accept: */*
> Content-Type: application/xml
> Content-Length: 0
> Expect: 100-continue
> X-Forwarded-For: ...........
> Connection: close
> Querystring: null
> -ERROR Authenticator Authenticator caught IO Error when trying to authenticate user!
> org.mortbay.jetty.EofException
> org.mortbay.jetty.HttpGenerator.flush(HttpGenerator.java:760)
> org.mortbay.jetty.AbstractGenerator$Output.flush(AbstractGenerator.java:565)
> org.mortbay.jetty.HttpConnection$Output.flush(HttpConnection.java:904)
> org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:633)
> org.mortbay.jetty.AbstractGenerator$Output.write(AbstractGenerator.java:586)
> org.mortbay.jetty.security.DigestAuthenticator.authenticate(DigestAuthenticator.java:131)
> ...........
> Caused by: java.nio.channels.ClosedChannelException
> ...........
>
> HA Proxy debug:-
> accept(0007)=0008 from [...........:49194]
> clireq[0008:ffff]: PUT ........... HTTP/1.1
> clihdr[0008:ffff]: User-Agent: curl/7.19.5 (i486-pc-linux-gnu) libcurl/7.19.5 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.15
> clihdr[0008:ffff]: Host: ................
> clihdr[0008:ffff]: Accept: */*
> clihdr[0008:ffff]: content-type:application/xml
> clihdr[0008:ffff]: Content-Length: 0
> clihdr[0008:ffff]: Expect: 100-continue
> srvrep[0008:0009]: HTTP/1.1 100 Continue
> srvcls[0008:0009]
> clicls[0008:0009]
> closed[0008:0009]
>
> Making sure that both httpclose and http-server-close are absent causes the
> requests to work.
>
> Thanks,
>

1.3.23 gives the same issue as above. If you think it could be an issue with HA Proxy and need me to test a patch/setting just shout.

Matt

Received on 2010/04/07 14:25
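
The "100-continue is a special case" point from the quoted reply, as an added example that is not part of the thread and is not haproxy or libcurl code: a response reader that discards interim 1xx responses together with their headers, beside a naive one that treats the first status line as final. The byte stream is constructed from the curl trace above; the 401 and its Digest challenge are assumptions, since the thread only says a 401 was expected.

```python
# Constructed byte stream modelled on the thread's curl trace.
# The 401 and its Digest challenge are assumed, not taken from the thread.
STREAM = (
    b"HTTP/1.1 100 Continue\r\n"
    b"Connection: close\r\n"          # header injected on the interim response
    b"\r\n"
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Digest realm="example", nonce="constructed"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head(buf):
    """Parse one status line + header block; return (status, headers, rest)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, rest


def naive_read(buf):
    """Treats the first head as final, so the injected header decides the outcome."""
    status, headers, _ = parse_head(buf)
    return status, headers.get("connection") == "close"


def read_final(buf):
    """Discard interim 1xx responses (and their headers) until the final one.
    101 is excluded because it ends HTTP framing on the connection."""
    while True:
        status, headers, buf = parse_head(buf)
        if 100 <= status < 200 and status != 101:
            continue  # interim response: nothing in it applies to the final reply
        return status, headers


if __name__ == "__main__":
    print(naive_read(STREAM))   # interim response mistaken for the final one
    print(read_final(STREAM))   # the final response with the Digest challenge
```

If the stream ends right after the interim response, as in the haproxy debug trace above, `read_final` raises `ValueError` instead of returning the 100 as the answer.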
