Warning: I've found a weird reason for this behaviour. The question below is obsolete. Here is the followup for all the gory details.
Setup:
- A production server running SuSE Enterprise 11 and my Django 1.1 application.
- The application is being served with Apache (mod_wsgi) over HTTPS with client certificates (SSLVerifyClient require).
- Testing is done from the same box by going to the actual IP of the server, i.e. there are no proxies in between.
- No caching modules in Apache are installed (the following are active: alias dir env expires headers include log_config mime rewrite setenvif ssl authz_host proxy proxy_http proxy_connect (no configuration for these three) unique_id wsgi).
The actual problem:
- One particular page (a missing image) produces a 500 error instead of 404 under certain circumstances (because of Django, there is always a 302 redirect first to add a trailing slash).
- It is somehow certificate-dependent: most client certificates always get a 404, but some don't. Certificates have been compared and no difference found.
- When a "Cache-control: no-cache" is sent to the server, no 500 is returned, but a proper 404 instead.
- All this happens only on one server; test servers do not expose this problem even though the software is mostly identical.
So to reiterate:
- "Good" client certificate = always 302 + 404
- "Bad" client certificate + "Cache-control: no-cache" = always 302 + 404
- "Bad" client certificate without cache control = always 302 + 500.
Any ideas?
PS: If this is better suited for ServerFault, please move it or leave a notice for me to ask this question there.
Additional info as requested by commenters
- When this 500 error occurs, I'm getting a "Request origin could not be validated." from mod_wsgi in the logs, which, according to the author of mod_wsgi, actually should not happen, ever.