Caching related security issue? (Cyrus httpd CalDAV server behind Apache mod_proxy)

Matthias Petermann mp at petermann-it.de
Mon Oct 7 01:45:50 EDT 2019


Hello,

Since Cyrus is able to share calendars, I am trying to set up a CalDAV server 
using Cyrus httpd behind an Apache reverse proxy (mod_proxy). While doing 
this I made a security-related observation which makes me a bit 
concerned. It seems to be about caching private data, probably more an 
issue of my individual setup and not a bug in Cyrus. Anyway – I am a bit 
clueless and would be happy to discuss this to find a mitigation.

...

Test setup / preconditions:

- Cyrus 3.0.11 server (imapd, httpd) freshly restarted
- Apache 2.4 with mod_proxy (ssl vhost, no explicit cache configuration, 
only mod_socache_shmcb)
- Browser A with clean cache
- Browser B with clean cache

Test steps:

1) Request CalDAV URL from Browser A

- Expected: Browser presents HTTP Auth, delivers content after 
successful login
- Observed: Browser presents HTTP Auth, delivers content after 
successful login
- Result: PASS

2) Request same CalDAV URL from Browser B

- Expected: Browser presents HTTP Auth
- Observed: Browser delivers content without presenting HTTP Auth
- Result: FAIL

Test observations:

- The result of step 2) seems to differ depending on which Cyrus httpd 
process is hit by the request
- The Cache-Control header delivered by Cyrus httpd seems to not contain 
"private", which seems to allow intermediate caches to cache private data

...

My first configuration of Apache did allow mod_proxy to reuse the 
backend-connections to Cyrus httpd. After I added disablereuse=On (which 
causes Apache to close the backend-connection immediately after 
processing a single request), it seems to mitigate the observed issue. 
How could this be possible? These two questions could help me to 
investigate further on my system:

- When receiving an HTTP request with an ETag included, when exactly does 
Cyrus httpd decide whether to request HTTP Authentication? In case the 
ETag is valid (content unchanged), will it return the 304 without 
requesting an HTTP Auth?

- How do the Cyrus httpd workers handle HTTP Auth in general? In case of 
re-using a worker by a permanent connection from a reverse proxy, does 
it check Authentication on any request, or only at the very first?

I am happy about suggestions or pointers to best practices in regard to 
using Cyrus httpd behind a reverse proxy.

Kind regards
Matthias



-- 
Matthias Petermann <mp at petermann-it.de> | www.petermann-it.de
Innovative IT-Lösungen, Systemintegration, Linux/FreeBSD/Unix-Support
Wildparkring 13, 01458 Ottendorf-Okrilla | Tel.: +49 (0)35205 597 991
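The caching question raised in the mail above, as an added example that is not part of the original post: a small checker that applies the directive-based rules of RFC 7234 (no-store, private, and section 3.2 on responses to requests carrying Authorization) to decide whether a shared cache such as a reverse proxy is permitted to store a response. The header sets it runs over are constructed to model the CalDAV-behind-mod_proxy setup, not captured from a real Cyrus server.

```python
from typing import Dict, List, Optional, Tuple

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control header into {directive: argument or None}, names lowercased."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_store(request_headers: Dict[str, str],
                           response_headers: Dict[str, str]) -> bool:
    """Return True if the cache directives leave a shared cache free to store this
    response for other clients. Only directive rules are modelled (RFC 7234 3 and
    3.2); freshness/validator requirements are out of scope for this check."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    # no-store forbids every cache; an unqualified "private" forbids shared caches.
    # private="Field" only restricts the named fields, so it does not forbid storing.
    if "no-store" in cc or ("private" in cc and cc["private"] is None):
        return False
    # RFC 7234 3.2: a response to a request with Authorization may be stored by a
    # shared cache only if public, must-revalidate or s-maxage is present.
    if "authorization" in req:
        return any(d in cc for d in ("public", "must-revalidate", "s-maxage"))
    return True

# Constructed sample exchanges (name, request headers, response headers).
SAMPLE_EXCHANGES: List[Tuple[str, Dict[str, str], Dict[str, str]]] = [
    ("calendar PROPFIND, no Cache-Control",
     {"Authorization": "Basic dXNlcjpzZWNyZXQ="}, {"ETag": '"v1"'}),
    ("calendar GET, private",
     {"Authorization": "Basic dXNlcjpzZWNyZXQ="},
     {"Cache-Control": "private, max-age=0", "ETag": '"v1"'}),
    ("calendar GET, public (misconfigured)",
     {"Authorization": "Basic dXNlcjpzZWNyZXQ="},
     {"Cache-Control": "public, max-age=60", "ETag": '"v1"'}),
    ("static resource without auth", {}, {"Cache-Control": "max-age=3600"}),
]

def audit(exchanges) -> List[str]:
    """Names of authenticated exchanges whose response a shared cache may store."""
    return [name for name, req, resp in exchanges
            if "authorization" in {k.lower() for k in req}
            and shared_cache_may_store(req, resp)]
```

Running audit(SAMPLE_EXCHANGES) flags only the "public" case; comparing such a check against the headers Cyrus httpd actually emits shows whether the directives, rather than connection reuse, explain a leaked response.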
