in your config you have both 55000 and 5500, but I guess that's not the entire config
Correct, I have a TPROXY from 5500 to 55000 in iptables.conf.in:

    -A PRinter -p tcp --dport 5500 -j TPROXY --on-port 55000

I thought something like that was needed to work. Seems to be working now; the only difference that I see is that I have both of my HTTPS and HTTP services listed in my inbound_services and outbound_services. Maybe Python indentation bit me?

Another question: is it possible to rewrite a URL like

    def filterURL(self, method, url, version):
        if ("http://foo.bar.com:5500/fubar" in url):
            self.request_url = "http://<inside address>/bugzilla"
            self.session.setServer(SockAddrInet("<inside address>", 80))

for my reverse proxy? I am now getting an error: Firefox can't establish a connection to the server at <inside address>:5500. So I probably want somewhere else in the object hierarchy (self.session.owner.proxy.request_url doesn't work either...)

Thanks everyone!

-----Original Message-----
From: zorp-bounces@lists.balabit.hu [mailto:zorp-bounces@lists.balabit.hu] On Behalf Of Fekete Robert
Sent: Wednesday, November 30, 2011 8:00 AM
To: Zorp users mailing list
Subject: Re: [zorp] Reverse proxy + side stacking broken (config?) for large pages?

Hi David,

The problem seems to be that you receive plain HTTP traffic on your HTTPS port (55000) instead of an SSL handshake. The openssl under Zorp recognizes this common error, and instead of returning a handshake error it adds the http request.
The cause of this can be:

- your client enters http://IP_ADDRESS:55000 into the browser instead of https://IP_ADDRESS:55000, or
- the address in the browser is OK, but the website redirects it from https to http, though this should be visible in the URL bar of the client browser
- a packet filter messes up the ports (in your config you have both 55000 and 5500, but I guess that's not the entire config)

As for upgrading to 3.9.2, unfortunately there is no automated method, just reinstall, copy the config files, and tweak them until they work (the changes between 3.3 and 3.9.2 may or may not affect your current config file).

HTH

Regards,
Robert Fekete

On 11/29/2011 02:49 PM, David Yerger wrote:
Using Zorp GPL 3.3, have a reverse proxy for OWA, I added

    def Zcommunicator():
        Service("INcommunicator", INcommunicator,
                chainer=SideStackChainer(CommunicatorHttpProxy),
                router=DirectedRouter(SockAddrInet("<LAN IP>", 80)))
        Listener(SockAddrInet("<public ip>", 55000), "INcommunicator")

    class CommunicatorHttpProxy(HttpProxy):
        def config(self):
            HttpProxy.config(self)
            self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
            self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)

        def filterURL(self, method, url, version):
            if ("http://<public DNS>:5500/cas" in url):
                self.session.setServer(SockAddrInet("10.0.7.2", 5447))
            elif ("http://<public DNS>:5500/director2" in url):
                self.session.setServer(SockAddrInet("10.0.7.2", 5449))
            elif ("http://<public DNS>:5500/techops" in url):
                self.session.setServer(SockAddrInet("10.0.0.6", 80))
            elif ("http://<public DNS>:5500/fubar" in url):
                self.session.setServer(SockAddrInet("10.0.0.6", 80))
            else:
                self.session.setServer(SockAddrInet("10.0.7.2", 80))
            return HTTP_REQ_ACCEPT

    class INcommunicator(PsslProxy):
        def config(self):
            PsslProxy.config(self)
            self.client_verify_type = SSL_VERIFY_NONE
            self.client_ca_directory = "/etc/ssl/certs"
            self.server_need_ssl = FALSE
            self.client_key_file = "/etc/ssl/private/xxx.key"
            self.client_cert_file = "/etc/ssl/certs/xxx.crt"
            #self.stack_proxy = CommunicatorHttpProxy

the "fubar" URL doesn't point to a real location--and I get the 500
error page back from the web server.
But when I try a (larger) real page, I'm seeing
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(<public ip>:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(<public ip>:5500)', client_protocol='TCP'
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
Ideas? Should I just reinstall 3.9.2 and copy my config files over? (no apt-get dist-upgrade option I see)
Thanks in advance

_______________________________________________
zorp mailing list
zorp@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp
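
The condition Robert describes (plain HTTP arriving on the SSL listener) can be confirmed from the Zorp log itself. The following is an added example, not code from the thread or from Zorp: it pairs each "Starting proxy instance" line with a later client-side handshake failure whose OpenSSL reason is "http request" and reports which local port received the plaintext. The sample lines are constructed in the format quoted above, with documentation-range addresses, and the function name is hypothetical.

```python
import re

# Constructed sample in the format of the two log lines quoted in the thread
# (addresses are documentation-range placeholders, not values from the page).
SAMPLE_LOG = """\
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(198.51.100.7:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(203.0.113.10:5500)', client_protocol='TCP'
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
Nov 28 15:43:02 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:10): Starting proxy instance; client_fd='16', client_address='AF_INET(198.51.100.7:2231)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(203.0.113.10:55000)', client_protocol='TCP'
"""

# Session tag such as "(svc/INcommunicator:9)" or "(svc/INcommunicator:9/pssl)".
SESSION = re.compile(r"\((svc/[^):]+:\d+)(?:/[^)]*)?\): (.*)$")
ADDR = re.compile(r"(client_address|client_local)='AF_INET\(([^:]+):(\d+)\)'")


def plaintext_on_ssl_listener(log_text):
    """Return one finding per session whose client-side handshake failed
    with OpenSSL's 'http request' reason (plain HTTP sent to an SSL port)."""
    started = {}   # session id -> {"client_address": (ip, port), "client_local": (ip, port)}
    findings = []
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if not m:
            continue
        session, message = m.groups()
        if message.startswith("Starting proxy instance"):
            started[session] = {k: (ip, int(port)) for k, ip, port in ADDR.findall(message)}
        elif "SSL handshake failed on the client side" in message and ":http request:" in message:
            info = started.get(session, {})
            findings.append({
                "session": session,
                "client": info.get("client_address"),
                "local": info.get("client_local"),
            })
    return findings


if __name__ == "__main__":
    for f in plaintext_on_ssl_listener(SAMPLE_LOG):
        print("%(session)s: plain HTTP from %(client)s reached SSL listener via %(local)s" % f)
```

A finding whose local port is the TPROXY source port (5500 in this thread) rather than the listener port points at the redirect rule or at clients using http:// URLs on that port.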