Hi David,

The problem seems to be that you receive plain HTTP traffic on your HTTPS port (55000) instead of an SSL handshake. The openssl under Zorp recognizes this common error, and instead of returning a handshake error it adds the http request.

The cause of this can be:

- your client enters http://IP_ADDRESS:55000 into the browser instead of https://IP_ADDRESS:55000, or
- the address in the browser is OK, but the website redirects it from https to http, though this should be visible in the URL bar of the client browser
- a packet filter messes up the ports (in your config you have both 55000 and 5500, but I guess that's not the entire config)

As for upgrading to 3.9.2, unfortunately there is no automated method, just reinstall, copy the config files, and tweak them until they work (the changes between 3.3 and 3.9.2 may or may not affect your current config file).

HTH

Regards,
Robert Fekete

On 11/29/2011 02:49 PM, David Yerger wrote:
Using Zorp GPL 3.3, have a reverse proxy for OWA, I added

def Zcommunicator():
    Service("INcommunicator", INcommunicator,
            chainer=SideStackChainer(CommunicatorHttpProxy),
            router=DirectedRouter(SockAddrInet("<LAN IP>", 80)))
    Listener(SockAddrInet("<public ip>", 55000), "INcommunicator")

class CommunicatorHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
        self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)

    def filterURL(self, method, url, version):
        if ("http://<public DNS>:5500/cas" in url):
            self.session.setServer(SockAddrInet("10.0.7.2", 5447))
        elif ("http://<public DNS>:5500/director2" in url):
            self.session.setServer(SockAddrInet("10.0.7.2", 5449))
        elif ("http://<public DNS>:5500/techops" in url):
            self.session.setServer(SockAddrInet("10.0.0.6", 80))
        elif ("http://<public DNS>:5500/fubar" in url):
            self.session.setServer(SockAddrInet("10.0.0.6", 80))
        else:
            self.session.setServer(SockAddrInet("10.0.7.2", 80))
        return HTTP_REQ_ACCEPT

class INcommunicator(PsslProxy):
    def config(self):
        PsslProxy.config(self)
        self.client_verify_type = SSL_VERIFY_NONE
        self.client_ca_directory = "/etc/ssl/certs"
        self.server_need_ssl = FALSE
        self.client_key_file = "/etc/ssl/private/xxx.key"
        self.client_cert_file = "/etc/ssl/certs/xxx.crt"
        #self.stack_proxy = CommunicatorHttpProxy

the "fubar" URL doesn't point to a real location--and I get the 500 error page back from the web server.
But when I try a (larger) real page, I'm seeing

Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(<public ip>:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(<public ip>:5500)', client_protocol='TCP'
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'

Ideas? Should I just reinstall 3.9.2 and copy my config files over? (no apt-get dist-upgrade option I see)
Thanks in advance

_______________________________________________
zorp mailing list
zorp@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp
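
An added example, not part of the original thread or of Zorp itself: a small log check that pairs each "http request" handshake failure with the "Starting proxy instance" line of the same session, so you can see which client and which listener port received plain HTTP. The function name `plaintext_http_on_tls` is hypothetical, and the sample log is constructed from the two lines quoted above, with documentation-range addresses in place of the redacted ones and a third line invented for contrast.

```python
import re

# Constructed sample, modelled on the log lines quoted in the thread.
# Addresses are documentation-range placeholders; the third line is invented.
SAMPLE_LOG = """\
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(192.0.2.10:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(198.51.100.1:5500)', client_protocol='TCP'
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
Nov 28 15:43:02 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:10): Starting proxy instance; client_fd='16', client_address='AF_INET(192.0.2.11:40112)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(198.51.100.1:55000)', client_protocol='TCP'
"""

# "(svc/<service>:<n>)" or "(svc/<service>:<n>/pssl)" followed by the message
SESSION = re.compile(r"\((svc/[^:]+:\d+)(?:/[^)]*)?\): (.*)")
ADDR = re.compile(r"(client_address|client_local)='AF_INET\(([^:]+):(\d+)\)'")
SSL_ERR = re.compile(r"SSL handshake failed on the client side; error='([^']*)'")
# Reason text OpenSSL reports when a plain HTTP request arrives on a TLS port
HTTP_REASON = re.compile(r":http request(?::|$)")


def plaintext_http_on_tls(log_text):
    """Return one record per session whose client-side handshake failed
    because the client sent a plain HTTP request to the TLS listener."""
    sessions, findings = {}, []
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue
        sid, msg = m.groups()
        if msg.startswith("Starting proxy instance"):
            # Remember the endpoints so a later failure can be attributed
            sessions[sid] = {k: (ip, int(port)) for k, ip, port in ADDR.findall(msg)}
            continue
        err = SSL_ERR.search(msg)
        if err and HTTP_REASON.search(err.group(1)):
            info = sessions.get(sid, {})
            findings.append({"session": sid,
                             "client": info.get("client_address"),
                             "listener": info.get("client_local")})
    return findings


if __name__ == "__main__":
    for finding in plaintext_http_on_tls(SAMPLE_LOG):
        print(finding)
```

The listener port in each finding can then be compared with the port in the `Listener(...)` line of the config, which is the 5500 versus 55000 discrepancy pointed out in the reply.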