[BlueOnyx:10412] Re: 5108R Web Alias Redirects

Michael Stauber mstauber at blueonyx.it
Tue May 1 13:46:11 -05 2012 

Hi Randy,

> > Was this a certificate that you had exported *through* the GUI before?
> 
> Manage Certificate Authority. Single cert (one cert part of the the
> gd_bundle). I worked around this issue.

Oh, I see. Just for the record: How did you work around the issue? I'd be 
interested to see if there is something that we can do to improve matters.
 
> I setup a test server today.
> 
> Could it be that mod_perl is jumbling the order of the variables. On the
> test box I have three domains. The first one was imported, the second two
> were created and use self signed certs. Installed the rewrite update. Site
> one and three are 301 looping. Site two works. The only difference is the
> order of the debug variables.

Ah, now there we are onto something!

I just replicated your setup (more or less). On my testbox I had three sites. 
One had SSL enabled and it was working.

I moved one of the other sites to a different IP and enabled SSL as well (self 
signed certificate).

Once I did that, only the last SSL enabled site continued to work and the 
first one failed with an endless redirect loop.

While this isn't what the doctor ordered, it helps to troubleshoot the issue 
further. So I went looking and what I found made me scratch my head.

On 5106R we use the Perl module "Apache::PerlSections" in 
/etc/httpd/conf.d/ssl_perl.conf for dynamically parsing the configs of SSL 
enabled Vsites and to create the <Virtualhost> containers for SSL enabled 
sites on the fly.

On 5107R and 5108R the newer Apache forces us to use the newer 
"Apache2::PerlSections" Perl module instead, because the old one no longer 
works with the Apache we now have on RHEL6 clones.

All good so far. Except for one thing: "Apache2::PerlSections" is a complete 
rewrite of the older "Apache::PerlSections" and simply put: It doesn't work 
right and has problems with certain things that used to work fine on the older 
version.

So after some Google digging I found this:

http://marc.info/?l=apache-modperl&m=93582026208762&w=2

The problem here is that we "feed" "Apache2::PerlSections" with data from a 
Hash like this:

$VAR1 = {
    RewriteEngine =>    'on',
    RewriteCond =>      '%{HTTP_HOST} !^192.168.0.3(:443)?$',
    RewriteCond =>      '%{HTTP_HOST} !^www.domain3.com(:443)?$ [NC]',
    RewriteOptions =>  'inherit',
    RewriteRule =>        '^/(.*)   https://www.domain2.com/$1 [L,R=301]'
}

The problem there is that a hash consists of key and value pairs. In our 
example above we end up with a hash which has duplicate key names. For example 
the "RewriteCond" is listed at least twice - or more often if the site has 
more WebAliasses. And Perl doesn't like that. In fact we rather end up with 
something like this ...

$VAR1 = {
    RewriteEngine =>    'on',
    RewriteCond =>      '%{HTTP_HOST} !^www.domain3.com(:443)?$ [NC]',
    RewriteOptions =>  'inherit',
    RewriteRule =>        '^/(.*)   https://www.domain2.com/$1 [L,R=301]'
}

... because the second usage of the key "RewriteCond" overwrote the value of 
what we previously had stored.

But it gets worse than that: 

"Apache2::PerlSections" also doesn't keep the sort order of the key/value 
pairs when the final processing is done.

When we use the above to write our dynamic Apache config, we will end up with 
a different arrangement of "RewriteEngine", "RewriteCond", "RewriteOptions" 
and "RewriteRule".

For most of the things in an Apache Virtualhost containers it doesn't really 
matter in which order the config options are. But the Rewrite stuff is of 
course very, very picky and if we jumble them around, we end up with different 
redirecting results than intended.

Like said: In "Apache::PerlSections" it worked, but in "Apache2::PerlSections" 
it doesn't.

The solution to this problem seems to be the "Tie::DxHash" Perl module from 
CPAN:

http://search.cpan.org/~kruscoe/Tie-DxHash-1.05/lib/Tie/DxHash.pm

Tie::DxHash - keeps insertion order; allows duplicate keys [...] This module 
was written to allow the use of rewrite rules in Apache configuration files 
written with Perl Sections. 

Here is one example of code where someone used "Tie::DxHash" for that purpose:

http://mail-archives.apache.org/mod_mbox/perl-
dev/200510.mbox/%3C43459E39.4070307 at usgn.net%3E

Now that we know what the issue is, I can try to find a solution for it. Most 
likely it'll end up with a substantial rewrite of 
/etc/httpd/conf.d/ssl_perl.conf on 5107R and 5108R <sigh>.

Many thanks, Randy! That helped a lot!

-- 
With best regards

Michael Stauber

More information about the Blueonyx mailing list