The Network Manager at Westminster School presents solutions to sticky problems...

Tuesday, 16 April 2013

RPC over HTTP with Apache's mod_proxy

Well, let us get the bad news over and done with. Unless you revert to 2.0.53 or earlier, you can forget proxying RPC over HTTP with Apache web server.

Why is this?

Apache prefetches the entire body before establishing a connection. This mitigates a serious smuggling exploit that is detailed here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088

Microsoft's idiosyncratic implementation of RPC over HTTP establishes two connections, RPC_DATA_IN and RPC_DATA_OUT, in order to send data between the Outlook Client and the Exchange Server, or between the Remote Desktop Client and Desktop Gateway. The problem is that the client sends a minuscule amount of data over the RPC_DATA_IN connection, somewhere in the region of 100 bytes. This is not enough to trigger a connection in the Apache implementation of HTTP/1.1

While not strictly forbidden in the RFC, it does mean that allowing the connection creates an insecure environment. Consequently no amount of begging is going to make Apache developers change their minds. To make matters worse, Microsoft in their protocol publication, have applied their right to enforce patents on the use of their protocol. Game over.

So if you are looking for RPC over HTTP, you will have to stay with Microsoft, who, in their infinite wisdom, have apparently ditched their very successful ISA/TMG product without a replacement. Either that or not use Microsoft products in future. We may well tell our users that Outlook Anywhere is no longer an option rather than punch holes in our firewalls to allow what is by design an insecure protocol.

Tuesday, 9 April 2013

Building Apache 2.4.4 from the Unix source with Openssl, zlib, libxml2, ipv6 support on Windows with Visual Studio 2012 to x86 binaries

Why would I want to even think about it? Well, because all the binaries compiled for windows have IPv6 disabled by default and the only way to enable it is to compile it yourself. Now I have to warn you, it took me well over a week to figure out what was going on and had endless failures. This procedure that follows is likely to test your patience, however, the result is a working Apache httpd running on Windows Server 2012.

That is, one that has been compiled from the original sources, and not one that has been added to by Bob down the road who has slipped in his own datalogger, if you know what I mean...

The main requirements are: Visual Studio 2012, the Platform latest SDK, perl and awk in the environment path, and CMake. Next...

Download it all

Download the latest version of apache source and unpack (Unix sources suffice) into a httpdxx root directory. All the following packages will end up in the srclib directory.
Download latest version of openssl source and unpack in to sub directory srclib\openssl
Download latest version of zlib source and unpack into in to subdirectory srclib\zlib
Download latest pcre source
Download the expat binaries compiled for windows and put into srclib\win32\bin\release
Download the prceombiled binaries and the dev packages for libiconv and copy into srclib\libiconv
Download the source for libxml2 and place into srclib\libxml

Build pcre

Unzip source into a seperate directory from your httpdxx directory. Add a build subirectory as a destination for your CMake build. Use CMake to create a solution for native Visual C 11 with the following options:
• BUILD_SHARED_LIBS Yes
• CMAKE_INSTALL_PREFIX (your httpdxx\srclib\pcre folder)
• PCRE_SUPPORT_UTF
Open the solution in Visual Studio and change to Release. Check the project to make sure that PDB’s are created. Compile the BUILDALL project. If all compiles, build the INSTALL project. Make sure the binaries end up in the same place.
Copy the pcre.dll and pcre.pdb into the srclib\pcre (needed because of badly written includes and this was the easiest option.)

Build zlib

Open your Visual Studio Dev Environment command line and cd to httpdxx\srclib\zlib
open VS Command Prompt and navigate to srrclib\zlib. build using:
nmake /f win32\Makefile.msc
nmake /f win32\Makefile.msc test

Build Openssl

cd to httpdxx\srclib\openssl
perl Configure VC-WIN32 enable-camellia no-idea no-rc5
(You do not really want zlib compiled into openssl do you? I’m shocked. Really!)
ms\do_ms.bat
nmake -f ms\ntdll.mak
Create an empty file store.h in srclib\openssl\inc32\openssl or OpenSSL will fail to build into the rest of the projects.

Prepare httpd

Update srclib\apr\include\apr.hw and change: (default is 0) This enables IPv6
#define APR_HAVE_IPV6           1
Run the following from the root of the httpd source to deal with UNIX line endings and prepared the projects for use with .net compilers:
>Perl .\srclib\apr\build\lineends.pl
>Perl .\srclib\apr\build\cvtdsp.pl -2005
Now open Visual Studio and open the Apache.dsw workspace file. It will convert the file to a Apache.sln and convert all the projects to .vcxproj.
Change properties of libhttpd:
Configuration Properties -> Linker -> General -> Additional Library Directories add .\srclib\pcre\lib (Location of pcre.lib)
Configuration Properties -> C/C++ -> General -> Additional Include Directories add ./srclib/pcre/include (location of pcre.h)
Open ApacheMonitor.rc and comment out the following line with a #:
"CREATEPROCESS_MANIFEST_RESOURCE_IF RT_MANIFEST "ApacheMonitor.manifest""
Change the Properties of ApacheMonitor:
Configuration Properties -> C/C++ -> Manifest Tool -> Input and Output -> Additional Manifest Files. Add ApacheMonitor.manifest
Change the properties of Mod_xml2enc
Configuration Properties -> C/C++ -> General -> Additional Include Directories add ./srclib/apr-iconv/lib

Build Libxml2

The Libxml2 source contains a folder called win32\VC10. Add the libxml2.vcxproj to your Apache solution. Change the properties of the libxml2 project. (You may need to upgrade the project first by going to Project -> Upgrade Projects.)
Configuration Properties -> General
-Configuration Type Dynamic Library (.dll)
Configuration Properties -> C/C++ -> All Options
-Enable Function-Level Linking: No
-Enable Instrisic Function: No
-Output Directory ..\Release (Or it will go into the httpd\Release folder. Not a good idea. You will need to create a win32\Release folder)
Configuration Properties -> Linker -> All Options
-Output File: ../Release/libxml2.dll
-Additional Library Directories: ../../../libiconv/lib;../../../libiconv/bin
-SubSystem: Windows
-Additional Dependencies: libiconv.lib;libcharset.lib;ws2_32.lib;mswsock.lib;
-Link Time Code Generation: Default
-Generate Debug Info: Yes
Modify mod_proy_html and mo_xml2enc. These two projects need Lib2xml.
Configuration Properties -> C/C++ -> All Options
-Additional Include Directories: ../../include;../../srclib/apr/include;../../srclib/libiconv/include;../../srclib/apr-iconv/include;../../srclib/apr-util/include;../../srclib/libxml2/include;
Configuration Properties -> Linker -> All Options
-Additional Library Directories: ../../srclib/libxml2/win32/Release;../../srclib/libiconv/lib;../../srclib/libxml2/win32/bin.msvc;
-Additional Depdencies: (Add) ws2_32.lib;mswsock.lib;

Build Apache

Go to Solution Congifuration. Change to Release and remove the build tick from the following projects:
• all projects beginning apr_db
• BuildAll
• BuildBin
• Fcgistarter
• gen_test_char
• InstallBin
• Libarpiconv_ccs_modules
• Libarpiconv_ces_modules
• Mod_lbmethod_rr
• Mod_lua
• Mod_session_crypto
• Mod_socache_dc
Build the Solution. This should allow everything to build successfully. There may well be something I have missed. Believe me, it is possible to fix it! I did.
Open your Visual Studio Dev Environment command line.
>Cd \htppdxx\srclib\apr-iconv\ces
Use NMake to create a batch file from the MakeFile instructions:
>NMAKE /nologo /f Makefile.win BUILD_MODE="Win32 Release" BIND_MODE=shared /N /U >>make.bat
Edit the make.bat file to remove all the leading tabs and remove all of " /Yuinconv.h " This stops the building of components using precompiled headers, otherwise you get an external reference error.
Run the batch file to compile these, do NOT compile them in Visual Studio.
Do the same in the ccs directory.
Amend Makefile.win. Find the section list below and add the line in bold:
!IF EXIST("srclib\libxml2")
 copy srclib\libxml2\win32\$(LONG)\libxml2.$(src_dll) "$(inst_dll)" <.y 

 copy modules\filters\$(LONG)\mod_proxy_html.$(src_so)  "$(inst_so)" <.y
 copy modules\filters\$(LONG)\mod_xml2enc.$(src_so)  "$(inst_so)" <.y
Save MakeFile.win.
Finally go to the root of the source directory and run the install script to pull out all the compiled files into an installation directory (in my case D:\Apache24)
>cd \httpdxx
>nmake -f makefile.win INSTDIR=D:\apache24 SHORT=R LONG=Release _install

Strip the Binaries

You now have about 86MB of Apache Server. You can make that a lot lighter by doing the following.
Remove all the debug information (i.e. del /S /Q *.pdb)
Delete the Manual Directory (That why Google was invented)
Delete the Include and Lib directories (Unless you are going to do some development work using this set of binaries.)
You should now have about 8MB of web server.

Install on Server 2008 R2/2012

Install the Visual C redistributable (You will need the 2012 version, of course)
Copy your cut down binaries to your chosen location on your server.
From a (elevated) Command Prompt, navigate to bin directory and run:
httpd.exe –k install (installs as a service and starts…)
Configure Server using the configuration files
Now – I cheated – of sorts. In order to get an initially working conf file, I installed apache using the MSI and ran through the initial configuration. When I then compiled my own version of apache, I used the same working configuration file and amended it from there.

Configuration Gotchas

SSLPassPhraseDialog The default setting (builtin) does not work on windows so you need to point to a pass phrase programme. I used Notepad.exe. I removed the pass phrases from my passwords (Just Google “retrieving a key and certificate from a PFX file.” Very effective)
SSLSessionCache This requires a path not broken by spaces. If you have installed to the default location (as with the msi installed provided by apache) then you’re not quite stuck, but it feels it. Create a shortcut in the root of the c drive that points to your apache directory. Then use shmcb:C:\Apache\etc…

And that is it. As I have said, I have probably missed some things out here, but I do have a working solution, so it is possible, if akin to having your fingernail being pulled out.