[zorp] Reverse proxy + side stacking broken (config?) for large pages?

KOVACS Krisztian hidden at balabit.hu
Wed Nov 30 09:31:52 CET 2011


Hi David,

On Tue, 2011-11-29 at 08:49 -0500, David Yerger wrote:
> def Zcommunicator():
>         Service("INcommunicator", INcommunicator,
>                 chainer=SideStackChainer(CommunicatorHttpProxy),
>                 router=DirectedRouter(SockAddrInet("<LAN IP>", 80)))
>         Listener(SockAddrInet("<public ip>", 55000), "INcommunicator")
> 
> 
> class CommunicatorHttpProxy(HttpProxy):
>         def config(self):
>                 HttpProxy.config(self)
>                 self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
>                 self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)
> 
>         def filterURL(self, method, url, version):
>                 if ("http://<public DNS>:5500/cas" in url):
>                         self.session.setServer(SockAddrInet("10.0.7.2", 5447))
>                 elif ("http://<public DNS>:5500/director2" in url):
>                         self.session.setServer(SockAddrInet("10.0.7.2", 5449))
>                 elif ("http://<public DNS>:5500/techops" in url):
>                         self.session.setServer(SockAddrInet("10.0.0.6", 80))
>                 elif ("http://<public DNS>:5500/fubar" in url):
>                         self.session.setServer(SockAddrInet("10.0.0.6", 80))
>                 else:
>                         self.session.setServer(SockAddrInet("10.0.7.2", 80))
>                 return HTTP_REQ_ACCEPT
> 
> class INcommunicator(PsslProxy):
>         def config(self):
>                 PsslProxy.config(self)
>                 self.client_verify_type = SSL_VERIFY_NONE
>                 self.client_ca_directory = "/etc/ssl/certs"
>                 self.server_need_ssl = FALSE
>                 self.client_key_file = "/etc/ssl/private/xxx.key"
>                 self.client_cert_file = "/etc/ssl/certs/xxx.crt"
>                 #self.stack_proxy = CommunicatorHttpProxy
> 
> the "fubar" URL doesn't point to a real location--and I get the 500 error page back from the web server.
> 
> But when I try a (larger) real page, I'm seeing
> 
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(<public ip>:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(<public ip>:5500)', client_protocol='TCP'
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)' 

Based on the OpenSSL error message you're getting I think the client did
speak plain HTTP and not HTTPS. You could use tcpdump/wireshark to
confirm this.

> Ideas?  Should I just reinstall 3.9.2 and copy my config files over?   (no apt-get dist-upgrade option I see)

I don't think that would solve this problem.

-- 
KOVACS Krisztian
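As an added example (not part of the original thread or of Zorp itself), the check below does in Python what OpenSSL's SSL23_GET_CLIENT_HELLO does when it reports the "http request" reason: it looks at the first bytes a client sent and decides whether they are a TLS/SSL ClientHello or a plaintext HTTP request. Feed it the first bytes of a client connection taken from a tcpdump/wireshark capture of the listener; the sample inputs are constructed.

```python
# Added example: classify the first bytes a client sends to a listener.
# OpenSSL's SSL23_GET_CLIENT_HELLO fails with reason "http request" when
# those bytes start with an HTTP method instead of a ClientHello, which is
# the failure the log line in the thread shows for the PsslProxy client side.

# Method prefixes OpenSSL's SSL23 code recognises as a plaintext request.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'sslv2', 'http' or 'unknown' for a connection's first bytes."""
    if len(data) < 5:
        return "unknown"
    # TLS record layer: content type 0x16 (handshake), version 0x03 0x0X,
    # two-byte record length, then handshake message type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        if len(data) >= 6 and data[5] == 0x01:
            return "tls"
        return "unknown"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by message type 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"


def summarize(samples):
    """Count classifications over a list of first-byte captures, so a whole
    capture of the listener can be checked at once."""
    counts = {"tls": 0, "sslv2": 0, "http": 0, "unknown": 0}
    for sample in samples:
        counts[classify_first_bytes(sample)] += 1
    return counts


if __name__ == "__main__":
    # Constructed samples: a plaintext request to the listener and a
    # minimal TLS 1.0 handshake record carrying a ClientHello.
    captured = [
        b"GET /cas HTTP/1.1\r\nHost: example.invalid:5500\r\n\r\n",
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    ]
    for sample in captured:
        print(classify_first_bytes(sample), sample[:16])
    print(summarize(captured))
```

A result of "http" for the connection that failed means the client never started TLS, so the client-side PsslProxy handshake cannot succeed regardless of the side-stacked HttpProxy configuration.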
