[zorp] Rewriting URLs for reverse proxy WAS: Reverse proxy + side stacking broken (config?) for large pages?

David Yerger dyerger at stcservices.com
Mon Dec 12 22:27:12 CET 2011


> in your config you have both 55000 and 5500, but I guess that's not
> the entire config

Correct, I have a TPROXY from 5500 to 55000 in iptables.conf.in:

	-A PRinter -p tcp --dport 5500 -j TPROXY --on-port 55000

I thought something like that was needed to work.

It seems to be working now; the only difference I see is that I have
both of my HTTPS and HTTP services listed in my inbound_services and
outbound_services.  Maybe Python indentation bit me?

Another question:  is it possible to rewrite a URL like

  def filterURL(self, method, url, version):
    if "http://foo.bar.com:5500/fubar" in url:
      # point the request at the internal bugzilla instance
      self.request_url = "http://<inside address>/bugzilla"
      self.session.setServer(SockAddrInet("<inside address>", 80))
    return HTTP_REQ_ACCEPT

for my reverse proxy?  I am now getting an error

    Firefox can't establish a connection to the server at <inside address>:5500.

So I probably want to set it somewhere else in the object hierarchy
(self.session.owner.proxy.request_url doesn't work either...)

Thanks everyone!
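Added example, not code from this thread or from Zorp: the prefix-to-backend mapping the filterURL hooks above implement, factored into a plain function that a request policy hook could call before setServer(). It matches on path-segment boundaries instead of substring tests (so "/cas" no longer matches "/castle"), accepts both absolute and origin-form request URLs, and rebuilds the forwarded URL with the inside host so the public host:port never reaches the backend. The route table, the function names and the "/fubar" to "/bugzilla" rewrite are assumptions built from the addresses quoted in the thread.

```python
from urllib.parse import urlsplit

# Constructed routing table mirroring the mapping discussed in the thread:
# external path prefix -> (inside host, inside port, rewritten path prefix or None)
ROUTES = {
    "/cas":       ("10.0.7.2", 5447, None),
    "/director2": ("10.0.7.2", 5449, None),
    "/techops":   ("10.0.0.6", 80,   None),
    "/fubar":     ("10.0.0.6", 80,   "/bugzilla"),
}
DEFAULT_ROUTE = ("10.0.7.2", 80, None)


def _matches_prefix(path, prefix):
    """True only on a path-segment boundary: '/cas' matches '/cas' and
    '/cas/x', never '/castle' or '/x/cas'."""
    return path == prefix or path.startswith(prefix + "/")


def route_request(url):
    """Return (inside_host, inside_port, url_to_forward) for the URL the
    proxy hands to the request policy hook. Accepts absolute URLs
    ('http://host:5500/cas/x') and origin-form paths ('/cas/x')."""
    parts = urlsplit(url)
    path = parts.path or "/"
    for prefix, (host, port, new_prefix) in ROUTES.items():
        if _matches_prefix(path, prefix):
            if new_prefix is not None:
                # rewrite only the matched leading segment, keep the rest
                path = new_prefix + path[len(prefix):]
            break
    else:
        host, port, _ = DEFAULT_ROUTE
    # Rebuild with the inside host:port so the public hostname and port
    # are not forwarded; keep the query string, drop any fragment.
    netloc = host if port == 80 else f"{host}:{port}"
    forward = f"http://{netloc}{path}"
    if parts.query:
        forward += "?" + parts.query
    return host, port, forward
```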

-----Original Message-----
From: zorp-bounces at lists.balabit.hu
[mailto:zorp-bounces at lists.balabit.hu] On Behalf Of Fekete Robert
Sent: Wednesday, November 30, 2011 8:00 AM
To: Zorp users mailing list
Subject: Re: [zorp] Reverse proxy + side stacking broken (config?) for large pages?

Hi David,

The problem seems to be that you receive plain HTTP traffic on your
HTTPS port (55000) instead of an SSL handshake. The openssl under Zorp
recognizes this common error, and instead of returning a handshake error
it adds the http request.

The cause of this can be:
- your client enters http://IP_ADDRESS:55000 into the browser instead of
  https://IP_ADDRESS:55000, or
- the address in the browser is OK, but the website redirects it from
  https to http, though this should be visible in the URL bar of the
  client browser
- a packet filter messes up the ports (in your config you have both
  55000 and 5500, but I guess that's not the entire config)


As for upgrading to 3.9.2, unfortunately there is no automated method,
just reinstall, copy the config files, and tweak them until they work
(the changes between 3.3 and 3.9.2 may or may not affect your current
config file).

HTH

Regards,

Robert Fekete
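Added example, not from this thread or from Zorp: a small log check for the failure mode described above. It pairs each "Starting proxy instance" line with a later "SSL handshake failed ... http request" line of the same session, pulls the client_local port from the first, and flags the case where that port differs from the PSSL listener's port, which is the packet-filter redirect from the third bullet. The sample lines are constructed after the ones quoted below, with placeholder IPs in place of the redacted public address; the function and pattern names are assumptions.

```python
import re

# Constructed log excerpt modelled on the lines quoted later in this thread
# (documentation IPs stand in for the poster's "<public ip>").
SAMPLE_LOG = """\
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(203.0.113.10:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(198.51.100.5:5500)', client_protocol='TCP'
Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
"""

# session start: service name, session id, and the local ip:port the client hit
START_RE = re.compile(
    r"\((svc/[^:]+):(\d+)\): Starting proxy instance;"
    r".*?client_local='AF_INET\(([^:]+):(\d+)\)'")
# the openssl "http request" reason means a plaintext HTTP request arrived
# where a ClientHello was expected
FAIL_RE = re.compile(
    r"\((svc/[^:]+):(\d+)/pssl\): SSL handshake failed on the client side;"
    r".*?:http request:")


def diagnose_plain_http(log_text, listener_port):
    """Return one finding per plaintext-on-TLS-port handshake failure:
    (session, local_ip, local_port, port_redirected). port_redirected is
    True when the client connected to a port other than the PSSL listener,
    i.e. a packet filter (TPROXY/REDIRECT) moved it onto the TLS service."""
    sessions = {}
    findings = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            svc, sid, ip, port = m.groups()
            sessions[(svc, sid)] = (ip, int(port))
            continue
        m = FAIL_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            ip, port = sessions.get(key, (None, None))
            redirected = port is not None and port != listener_port
            findings.append((f"{key[0]}:{key[1]}", ip, port, redirected))
    return findings
```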


On 11/29/2011 02:49 PM, David Yerger wrote:

> Using Zorp GPL 3.3, have a reverse proxy for OWA, I added
>
> def Zcommunicator():
>     Service("INcommunicator", INcommunicator,
>             chainer=SideStackChainer(CommunicatorHttpProxy),
>             router=DirectedRouter(SockAddrInet("<LAN IP>", 80)))
>     Listener(SockAddrInet("<public ip>", 55000), "INcommunicator")
>
>
> class CommunicatorHttpProxy(HttpProxy):
>     def config(self):
>         HttpProxy.config(self)
>         self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
>         self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)
>
>     def filterURL(self, method, url, version):
>         if "http://<public DNS>:5500/cas" in url:
>             self.session.setServer(SockAddrInet("10.0.7.2", 5447))
>         elif "http://<public DNS>:5500/director2" in url:
>             self.session.setServer(SockAddrInet("10.0.7.2", 5449))
>         elif "http://<public DNS>:5500/techops" in url:
>             self.session.setServer(SockAddrInet("10.0.0.6", 80))
>         elif "http://<public DNS>:5500/fubar" in url:
>             self.session.setServer(SockAddrInet("10.0.0.6", 80))
>         else:
>             self.session.setServer(SockAddrInet("10.0.7.2", 80))
>         return HTTP_REQ_ACCEPT
>
> class INcommunicator(PsslProxy):
>     def config(self):
>         PsslProxy.config(self)
>         self.client_verify_type = SSL_VERIFY_NONE
>         self.client_ca_directory = "/etc/ssl/certs"
>         self.server_need_ssl = FALSE
>         self.client_key_file = "/etc/ssl/private/xxx.key"
>         self.client_cert_file = "/etc/ssl/certs/xxx.crt"
>         #self.stack_proxy = CommunicatorHttpProxy
>
> the "fubar" URL doesn't point to a real location--and I get the 500
> error page back from the web server.
>
> But when I try a (larger) real page, I'm seeing
>
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(<public ip>:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(<public ip>:5500)', client_protocol='TCP'
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
>
> Ideas?  Should I just reinstall 3.9.2 and copy my config files over?
> (no apt-get dist-upgrade option I see)
>
> Thanks in advance
> _______________________________________________
> zorp mailing list
> zorp at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/zorp
>






_______________________________________________
zorp mailing list
zorp at lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/zorp


More information about the zorp mailing list