Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)

configured in .htaccess doesn't work on httpd-2.4.62-1

httpd-2.4.62-r1921299.patch

@@ -0,0 +1,133 @@
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 53fb1e9..f735c50 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
+      * ourself).
+      */
+     if (p->flags & RULEFLAG_PROXY) {
+-        /* For rules evaluated in server context, the mod_proxy fixup
+-         * hook can be relied upon to escape the URI as and when
+-         * necessary, since it occurs later.  If in directory context,
+-         * the ordering of the fixup hooks is forced such that
+-         * mod_proxy comes first, so the URI must be escaped here
+-         * instead.  See PR 39746, 46428, and other headaches. */
+-        if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
+-            char *old_filename = r->filename;
+-
+-            r->filename = ap_escape_uri(r->pool, r->filename);
+-            rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
+-                        "for proxy, %s -> %s", old_filename, r->filename));
+-        }
+-
+         fully_qualify_uri(r);
+ 
+         rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
+@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
+             }
+             if ((r->args != NULL)
+                 && ((r->proxyreq == PROXYREQ_PROXY)
+-                    || (rulestatus == ACTION_NOESCAPE))) {
++                    || apr_table_get(r->notes, "proxy-nocanon"))) {
+                 /* see proxy_http:proxy_http_canon() */
+                 r->filename = apr_pstrcat(r->pool, r->filename,
+                                           "?", r->args, NULL);
+@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
+         if (to_proxyreq) {
+             /* it should go on as an internal proxy request */
+ 
+-            /* make sure the QUERY_STRING and
+-             * PATH_INFO parts get incorporated
++            /* check if the proxy module is enabled, so
++             * we can actually use it!
++             */
++            if (!proxy_available) {
++                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
++                              "attempt to make remote request from mod_rewrite "
++                              "without proxy enabled: %s", r->filename);
++                return HTTP_FORBIDDEN;
++            }
++
++            if (rulestatus == ACTION_NOESCAPE) {
++                apr_table_setn(r->notes, "proxy-nocanon", "1");
++            }
++
++            /* make sure the QUERY_STRING gets incorporated in the case
++             * [NE] was specified on the Proxy rule. We are preventing
++             * mod_proxy canon handler from incorporating r->args as well
++             * as escaping the URL.
+              * (r->path_info was already appended by the
+              * rewriting engine because of the per-dir context!)
+              */
+-            if (r->args != NULL) {
+-                /* see proxy_http:proxy_http_canon() */
++            if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
+                 r->filename = apr_pstrcat(r->pool, r->filename,
+                                           "?", r->args, NULL);
+             }
+@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
+ 
+ static void register_hooks(apr_pool_t *p)
+ {
+-    /* fixup after mod_proxy, so that the proxied url will not
+-     * escaped accidentally by mod_proxy's fixup.
+-     */
+-    static const char * const aszPre[]={ "mod_proxy.c", NULL };
++    static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
+ 
+     /* make the hashtable before registering the function, so that
+      * other modules are prevented from accessing uninitialized memory.
+@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
+     ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
+     ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
+     ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
+-
+-    ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
++    
++    /* allow to change the uri before mod_proxy takes over it */
++    ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
++    /* fixup before mod_proxy so that a [P] URL gets fixed up there */
++    ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
+     ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
+-    ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
+ }
+ 
+     /* the main config structure */
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 8f13e68..bd0aa68 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ }
+ static void register_hooks(apr_pool_t *p)
+ {
+-    /* fixup before mod_rewrite, so that the proxied url will not
+-     * escaped accidentally by our fixup.
+-     */
+-    static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
+     /* Only the mpm_winnt has child init hook handler.
+      * make sure that we are called after the mpm
+      * initializes.
+      */
+     static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
+                                            "mod_proxy_hcheck.c", NULL};
++    static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
++
+     /* handler */
+     ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
+     /* filename-to-URI translation */
+     ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
+                                APR_HOOK_MIDDLE);
+-    ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
++    /* mod_rewrite has a say on the uri before proxy translation */
++    ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
+                            APR_HOOK_FIRST);
+     /* walk <Proxy > entries and suppress default TRACE behavior */
+     ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
+-    /* fixups */
+-    ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
++    /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
++    ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
+     /* post read_request handling */
+     ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
+     /* pre config handling */

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.62
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -98,6 +98,8 @@ Patch101: httpd-2.4.48-full-release.patch
 Patch102: httpd-2.4.62-r1919325.patch
 # https://issues.redhat.com/browse/RHEL-36755
 Patch103: httpd-2.4.62-engine-fallback.patch
+# https://issues.redhat.com/browse/RHEL-68660
+Patch104: httpd-2.4.62-r1921299.patch
 
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
@@ -261,6 +263,7 @@ written in the Lua programming language.
 %patch101 -p1 -b .full-release
 %patch102 -p1 -b .r1919325
 %patch103 -p0 -b .engine-fallback
+%patch104 -p1 -b .r1921299
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -822,6 +825,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Jan 09 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-3
+- Resolves: RHEL-68660 - RewriteRule proxying to UDS (unix domain socket)
+  configured in .htaccess doesn't work on httpd-2.4.62-1
+
 * Thu Sep 12 2024 Joe Orton <jorton@redhat.com> - 2.4.62-2
 - mod_ssl: fix loading keys via ENGINE API
   Resolves: RHEL-36755