[zorp-hu] 3.9 https side stack chainer
Csányi Krisztián
chris at eotvos19.hu
2011. Jún. 20., H, 16:28:25 CEST
On Mon, 20 Jun 2011 16:15:45 +0200, Csányi Krisztián wrote:
> On Mon, 20 Jun 2011 16:05:28 +0200, Balazs Scheidler wrote:
>> On Wed, 2011-06-15 at 15:48 +0200, Csányi Krisztián wrote:
>>> Hi all!
>>>
>>> I would like to port a solution that works on my Zorp 3.3 to 3.9.
>>> In short it looks like this:
>>>
>>> Service('outside_HTTPS_wildcard.xyz.hu', HttpsPublicWildcardXyz,
>>>         chainer=SideStackChainer(right_class=HttpPublicDirector,
>>>                                  right_chainer=ConnectChainer(protocol=ZD_PROTO_AUTO)),
>>>         router=TransparentRouter(forge_addr=TRUE))
>>> Dispatcher(DBSockAddr(SockAddrInet('__IP_OUTSIDE', 50443), ZD_PROTO_TCP),
>>>            'outside_HTTPS_wildcard.xyz.hu', transparent=TRUE)
>>>
>>> HttpsPublicWildcardXyz is a plain PsslProxy with a self.client_cert_file
>>> and client_key_file set (a wildcard certificate).
>>>
>>> HttpPublicDirector is a plain HttpProxy where, based on
>>> self.request_url_host, we decide which server the traffic
>>> should be forwarded to.
>>>
>>>
>>> My question is: what is the elegant way to do the above under 3.9?
>>> (Given that every proxy now supports SSL.)
>>> The solution above no longer works on 3.9.
>>
>> could you post the proxy class as well?
> Sure:
>
> ###########################
> class PublicHttpProxyBase(HttpProxy):
>     def config(self):
>         HttpProxy.config(self)
>         # only these request methods reach the policy hook; everything else is rejected by default
>         self.request['GET'] = (HTTP_REQ_POLICY, self.filterURL)
>         self.request['POST'] = (HTTP_REQ_POLICY, self.filterURL)
>         self.request['HEAD'] = (HTTP_REQ_POLICY, self.filterURL)
>
>         self.response['*', '401'] = (HTTP_RSP_ACCEPT)
>         self.response['*', '4'] = (HTTP_RSP_POLICY, self.filterError)
>         self.response['*', '5'] = (HTTP_RSP_POLICY, self.filterError)
>
>         # strip server fingerprinting headers from responses
>         self.response_headers['Server'] = (HTTP_HDR_DROP)
>         self.response_headers['X-Powered-By'] = (HTTP_HDR_DROP)
>         self.response_headers['X-AspNet-Version'] = (HTTP_HDR_DROP)
>
>         self.error_silent = TRUE
>
>         self.transparent_mode = TRUE
>         self.permit_proxy_requests = FALSE
>
>     def filterURL(self, method, url, version):
>         log('http.info', 3, "%s: %s" % (method, url))
>         return HTTP_REQ_ACCEPT
>
>     def filterError(self, method, url, version, response):
>         # replace backend 4xx/5xx responses with a generic 404
>         self.error_status = 404
>         self.error_msg = 'not found'
>         return HTTP_RSP_DENY
>
> ###########################
> class HttpPublicDirector(PublicHttpProxyBase):
>     def config(self):
>         PublicHttpProxyBase.config(self)
>
>     def filterURL(self, method, url, version):
>         # pick the backend from the requested host; unknown hosts are aborted
>         if self.request_url_host == 'a.xyz.hu':
>             self.session.setServer(SockAddrInet('192.168.168.100', 80))
>         elif self.request_url_host == 'b.xyz.hu':
>             self.session.setServer(SockAddrInet('192.168.168.25', 80))
>         elif self.request_url_host == 'c.xyz.hu':
>             self.session.setServer(SockAddrInet('192.168.169.10', 80))
>         elif self.request_url_host == '192.168.169.10':
>             self.session.setServer(SockAddrInet('192.168.169.10', 80))
>         else:
>             log('http.info', 3, "Public http access denied: %s: %s" % (method, url))
>             return HTTP_REQ_ABORT
>
>         log('http.info', 3, "%s: %s" % (method, url))
>         return HTTP_REQ_ACCEPT
>
>     def __destroy__(self):
>         log(self.session.session_id, CORE_DEBUG, 3,
>             "Accounting data: client_address='%s', server_address='%s', client_stream_recvd='%s', client_stream_sent='%s'",
>             (self.session.client_address, self.session.server_address,
>              self.session.client_stream.bytes_recvd, self.session.client_stream.bytes_sent))
>         PublicHttpProxyBase.__destroy__(self)
>
> ###########################
> class HttpsPublicWildcardXyz(PsslProxy):
>     def config(self):
>         PsslProxy.config(self)
>
>         # wildcard certificate presented to clients on the client side
>         self.client_cert_file = "/etc/zorp/certs/wildcard.xyz.hu-cert.pem"
>         self.client_key_file = "/etc/zorp/certs/wildcard.xyz.hu-key.pem"
Just one more thing: when I tried the above on 3.9, I got the
following log:
Jun 16 16:59:00 svc0 zorp/iPublic[3148]: core.session(3):
(svc/outside_HTTPS_wildcard.xyz.hu:27): Starting proxy instance;
client_fd='15', client_address='AF_INET(84.206.45.43:56118)',
client_zone='Zone(outside, 0.0.0.0/0)',
client_local='AF_INET(192.168.169.10:443)', client_protocol='TCP'
Jun 16 16:59:00 svc0 zorp/iPublic[3148]: core.error(1):
(svc/outside_HTTPS_wildcard.xyz.hu:27/plug): SSL handshake failed;
side='client', error='error:140890C7:SSL
routines:lib(20):SSL3_GET_CLIENT_CERTIFICATE:func(137):peer did not
return a certificate:reason(199), supressed 1 messages'
Jun 16 16:59:00 svc0 zorp/iPublic[3148]: core.session(4):
(svc/outside_HTTPS_wildcard.xyz.hu:27): Ending proxy instance;
More information about the zorp-hu mailing list