RE: Forward proxy for non-443 port fails

Well, the debug log is not really helpful. I looked into the source code of mod_proxy_connect to realise that all ports besides 443 and 563 are blocked for CONNECT.

I added an AllowCONNECT 443 8443 to the config and now it works.


David Balažic


> -----Original Message-----
> From: David Balažic [mailto:david.balazic@xxxxxxxxxxxx]
> Sent: 31. July 2015 23:07
> To: users@xxxxxxxxxxxxxxxx
> Subject:  Forward proxy for non-443 port fails
> Importance: Low
> 
> Hi!
> 
> I have set up apache2-2.2.10-2.24.5 on SLES 11 SP1 as a forward proxy.
> (see conf file below)
> 
> Then I set it as a proxy in Firefox on another PC and did some tests.
> 
> HTTP access works fine to all tested sites (local and public internet) on
> different ports (80, 7001 etc...)
> HTTPS works to port 433 ( https://www.google.com and so) but it fails for all
> other (tested) ports.
> 
> For example:
> 
> http://some.public.internet.site.org:8443
> https://some-intranet-server:8081
> 
> The error reported by Firefox is a boilerplate error page:
> 
> The proxy server is refusing connections
> Firefox is configured to use a proxy server that is refusing connections.
>     Check the proxy settings to make sure that they are correct.
>     Contact your network administrator to make sure the proxy server is
> working.
> 
> I sniffed the traffic between firefox and apache in this case and it is:
> 
> From Firefox to proxy:
> CONNECT some.public.internet.site.org:8443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101
> Firefox/39.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: some.public.internet.site.org:8443
> 
> From proxy to Firefox:
> HTTP/1.1 403 Forbidden
> Date: Fri, 31 Jul 2015 20:54:19 GMT
> Server: Apache/2.2.10 (Linux/SUSE)
> Vary: accept-language,accept-charset
> Accept-Ranges: bytes
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=iso-8859-1
> Content-Language: en
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
>   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> <html xmlns="http://www.w3.org/1999/xhtml"; lang="en" xml:lang="en">
> <head>
> <title>Access forbidden!</title>
> <link rev="made" href="mailto:my_personal_address@xxxxxxxxxxx"; />
> <style type="text/css"><!--/*--><![CDATA[/*><!--*/
>     body { color: #000000; background-color: #FFFFFF; }
>     a:link { color: #0000CC; }
>     p, address {margin-left: 3em;}
>     span {font-size: smaller;}
> /*]]>*/--></style>
> </head>
> 
> <body>
> <h1>Access forbidden!</h1>
> <p>
>     You don't have permission to access the requested object.
>     It is either read-protected or not readable by the server.
> </p>
> <p>
> If you think this is a server error, please contact
> the <a href="mailto:my_personal_address@xxxxxxxxxxx";>webmaster</a>.
> </p>
> 
> <h2>Error 403</h2>
> <address>
>   <a href="/">some.public.internet.site.org</a><br />
>   <span>
> Fri Jul 31 22:54:19 2015<br />
> Apache/2.2.10 (Linux/SUSE)</span>
> </address>
> </body>
> </html>
> 
> 
> It is an error page generated by apache (it has the email address I set in the
> config)
> 
> Here is the debug log for:
>  - failed SSL connection to port 8443
> 
> [Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(68): proxy:
> CONNECT: canonicalising URL some.public.internet.site.org:8443
> [Fri Jul 31 21:40:57 2015] [debug] proxy_util.c(1345): [client 10.49.9.212]
> proxy: *: found forward proxy worker for some.public.internet.site.org:8443
> [Fri Jul 31 21:40:57 2015] [debug] mod_proxy.c(756): Running scheme
> some.public.internet.site.org handler (attempt 0)
> [Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(104): proxy:
> CONNECT: serving URL some.public.internet.site.org:8443
> [Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(120): proxy:
> CONNECT: connecting some.public.internet.site.org:8443 to
> some.public.internet.site.org:8443
> [Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(137): proxy:
> CONNECT: connecting to remote proxy some.public.internet.site.org on port
> 8443
> 
>  - failed SSL connection to port 8081
> 
> [Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(68): proxy:
> CONNECT: canonicalising URL some-intranet-server:8081
> [Fri Jul 31 22:41:28 2015] [debug] proxy_util.c(1498): [client 10.49.9.212]
> proxy: *: found forward proxy worker for some-intranet-server:8081
> [Fri Jul 31 22:41:28 2015] [debug] mod_proxy.c(988): Running scheme some-
> intranet-server handler (attempt 0)
> [Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(104): proxy:
> CONNECT: serving URL some-intranet-server:8081
> [Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(121): proxy:
> CONNECT: connecting some-intranet-server:8081 to some-intranet-
> server:8081
> [Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(144): proxy:
> CONNECT: connecting to remote proxy some-intranet-server on port 8081
> 
>  - successful SSL connection to port 443
> 
> [Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(68): proxy:
> CONNECT: canonicalising URL another.public.internet.site.org:443
> [Fri Jul 31 21:40:50 2015] [debug] proxy_util.c(1345): [client 10.49.9.212]
> proxy: *: found forward proxy worker for
> another.public.internet.site.org:443
> [Fri Jul 31 21:40:50 2015] [debug] mod_proxy.c(756): Running scheme
> another.public.internet.site.org handler (attempt 0)
> [Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(104): proxy:
> CONNECT: serving URL another.public.internet.site.org:443
> [Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(120): proxy:
> CONNECT: connecting another.public.internet.site.org:443 to
> another.public.internet.site.org:443
> [Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(137): proxy:
> CONNECT: connecting to remote proxy another.public.internet.site.org on
> port 443
> 
> The proxy's response for a successful connection is:
> 
> CONNECT another.public.internet.site.org:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101
> Firefox/39.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: another.public.internet.site.org:443
> 
> HTTP/1.0 200 Connection Established
> Proxy-agent: Apache/2.2.10 (Linux/SUSE)
> 
> (then Firefox sets up an SSL channel to the remote server)
> 
> 
> Config:
> 
> Loaded modules (besides the default): proxy proxy_http headers
> proxy_connect
> 
> Listen 8080
> ServerAdmin my_personal_address@xxxxxxxxxxx
> 
> <VirtualHost _default_:8080>
> 
>     ProxyRequests On
>     # this does not make a difference
>     SSLProxyEngine On
> 
>     ErrorLog /var/log/apache2/debug.log
>     LogLevel debug
> 
>     <Proxy *>
>       Order deny,allow
>       Deny from all
>       # the PC running Firefox
>       Allow from 127.0.0.1 192.168.3.55
>     </Proxy>
> </VirtualHost>
> 
> 
> Is there something obvious I am missing?
> 
> Both the firefox PC and the PC running apache2 have unrestricted access to
> all tested websites. The sites work from Firefox when no proxy is set. They
> are also accessible from the PC running apache.
> 
> Kind regards,
> David Balažic
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

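The thread's fix was to widen AllowCONNECT; the check an administrator then wants is whether the proxy tunnels exactly the ports the policy intends and nothing more. The script below is an added example, not code from the thread or from httpd: it sends the same CONNECT request Firefox sent, reads the proxy's status line (200 for an established tunnel, 403 for a port outside AllowCONNECT), and compares the result with the intended list. The proxy address, the target host and the port list are assumptions chosen to mirror the thread.

```python
# Added example (not from the thread): check which ports a forward proxy
# accepts CONNECT for, so the AllowCONNECT list can be compared with policy.
import socket

def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request Firefox sends, as captured in the thread."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n"
            "\r\n").encode("ascii")

def parse_status(response: bytes) -> int:
    """Return the numeric status from the proxy's first response line."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def probe_connect(proxy: tuple, target_host: str, target_port: int,
                  timeout: float = 5.0) -> int:
    """Send one CONNECT through the proxy and return its status code.
    Only the response headers are read; the socket is closed right after."""
    with socket.create_connection(proxy, timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_status(buf)

def audit(observed: dict, allow_connect: set) -> dict:
    """Compare observed results (port -> status) with the intended
    AllowCONNECT set. A 200 means the proxy established the tunnel."""
    tunnelled = {port for port, status in observed.items() if status == 200}
    return {
        "unexpected_open": sorted(tunnelled - allow_connect),   # tighten config
        "blocked_but_needed": sorted(allow_connect - tunnelled),  # extend config
    }

if __name__ == "__main__":
    # Hypothetical proxy and target; the ports mirror the thread.
    PROXY = ("192.168.3.1", 8080)
    observed = {p: probe_connect(PROXY, "some-intranet-server", p)
                for p in (443, 8443, 8081)}
    print(audit(observed, {443, 8443}))
```

With the thread's final config (AllowCONNECT 443 8443), the audit should report 8081 neither open nor needed; any port listed under unexpected_open is one the proxy tunnels beyond what was intended.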