[zorp] Reverse proxy + side stacking broken (config?) for large pages?

Fekete Robert frobert at balabit.hu
Wed Nov 30 14:00:24 CET 2011


Hi David,

The problem seems to be that you receive plain HTTP traffic on your HTTPS port 
(55000) instead of an SSL handshake. The OpenSSL under Zorp recognizes this 
common error, and instead of returning a handshake error it reports 'http request' as the error reason.

The cause of this can be:
- your client enters http://IP_ADDRESS:55000 into the browser instead of 
https://IP_ADDRESS:55000, or
- the address in the browser is OK, but the website redirects it from https to 
http, though this should be visible in the URL bar of the client browser, or
- a packet filter messes up the ports (in your config you have both 55000 and 
5500, but I guess that's not the entire config)


As for upgrading to 3.9.2, unfortunately there is no automated method; just 
reinstall, copy the config files, and tweak them until they work (the changes 
between 3.3 and 3.9.2 may or may not affect your current config file).

HTH

Regards,

Robert Fekete


On 11/29/2011 02:49 PM, David Yerger wrote:

> Using Zorp GPL 3.3, have a reverse proxy for OWA, I added
>
> def Zcommunicator():
>     Service("INcommunicator", INcommunicator,
>             chainer=SideStackChainer(CommunicatorHttpProxy),
>             router=DirectedRouter(SockAddrInet("<LAN IP>", 80)))
>     Listener(SockAddrInet("<public ip>", 55000), "INcommunicator")
>
>
> class CommunicatorHttpProxy(HttpProxy):
>     def config(self):
>         HttpProxy.config(self)
>         self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
>         self.request["POST"] = (HTTP_REQ_POLICY, self.filterURL)
>
>     def filterURL(self, method, url, version):
>         if "http://<public DNS>:5500/cas" in url:
>             self.session.setServer(SockAddrInet("10.0.7.2", 5447))
>         elif "http://<public DNS>:5500/director2" in url:
>             self.session.setServer(SockAddrInet("10.0.7.2", 5449))
>         elif "http://<public DNS>:5500/techops" in url:
>             self.session.setServer(SockAddrInet("10.0.0.6", 80))
>         elif "http://<public DNS>:5500/fubar" in url:
>             self.session.setServer(SockAddrInet("10.0.0.6", 80))
>         else:
>             self.session.setServer(SockAddrInet("10.0.7.2", 80))
>         return HTTP_REQ_ACCEPT
>
> class INcommunicator(PsslProxy):
>     def config(self):
>         PsslProxy.config(self)
>         self.client_verify_type = SSL_VERIFY_NONE
>         self.client_ca_directory = "/etc/ssl/certs"
>         self.server_need_ssl = FALSE
>         self.client_key_file = "/etc/ssl/private/xxx.key"
>         self.client_cert_file = "/etc/ssl/certs/xxx.crt"
>         #self.stack_proxy = CommunicatorHttpProxy
>
> the "fubar" URL doesn't point to a real location--and I get the 500 error page back from the web server.
>
> But when I try a (larger) real page, I'm seeing
>
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9): Starting proxy instance; client_fd='15', client_address='AF_INET(<public ip>:2220)', client_zone='Zone(inter, 0.0.0.0/0)', client_local='AF_INET(<public ip>:5500)', client_protocol='TCP'
> Nov 28 15:42:39 localhost zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake failed on the client side; error='error:1407609C:SSL routines:lib(20):SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'
>
> Ideas?  Should I just reinstall 3.9.2 and copy my config files over?   (no apt-get dist-upgrade option I see)
>
> Thanks in advance
> _______________________________________________
> zorp mailing list
> zorp at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/zorp
>

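The check Robert describes, as an added example (my code, not Zorp's or OpenSSL's): OpenSSL's ssl23_get_client_hello() looks at the first bytes a client sends on a TLS listener and, when they spell out a plaintext HTTP method, reports SSL_R_HTTP_REQUEST instead of trying to parse a hello. The packed code in David's log, 0x1407609C, decodes to library 20 (SSL routines), function 118 (SSL23_GET_CLIENT_HELLO) and reason 156 (http request), which is exactly what the log line spells out in words. The classifier below mirrors that check so you can triage what is really arriving on port 55000; the byte strings in SAMPLES are constructed, not captured traffic, and the log line is the one from the thread.

```python
import re
import socket

# Added example (not Zorp's or OpenSSL's code): reproduce the first-bytes
# check that OpenSSL's ssl23_get_client_hello() performs on a TLS listener,
# and decode the packed error code from the Zorp log line.

# Plaintext HTTP methods that OpenSSL (s23_srvr.c) tests for before it tries
# to parse a hello; a match is reported as SSL_R_HTTP_REQUEST (reason 156).
HTTP_METHOD_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of client the first bytes on a TLS port came from.

    Returns 'http_request', 'https_proxy_request', 'tls_client_hello',
    'sslv2_client_hello', 'short' (need more bytes) or 'unknown'.
    """
    if len(data) < 7:
        return "short"
    if any(data.startswith(m) for m in HTTP_METHOD_PREFIXES):
        # the case in the thread: a browser talking http:// to the https port
        return "http_request"
    if data.startswith(b"CONNECT"):
        # OpenSSL reports this one as SSL_R_HTTPS_PROXY_REQUEST
        return "https_proxy_request"
    # TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    # then the first handshake message type, 0x01 for ClientHello.
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls_client_hello"
    # SSLv2-compatible ClientHello (older browsers): 2-byte record length
    # with the high bit set, followed by message type 0x01.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2_client_hello"
    return "unknown"


def peek_and_classify(conn: socket.socket, n: int = 16) -> str:
    """Classify a freshly accepted connection without consuming its bytes
    (MSG_PEEK), so the connection can still be handed to the real proxy."""
    return classify_first_bytes(conn.recv(n, socket.MSG_PEEK))


# OpenSSL before 3.0 packs lib:func:reason into one 32-bit code printed as
# error:XXXXXXXX; bits 24-31 are the library, 12-23 the function, 0-11 the reason.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(log_line: str) -> dict:
    """Split the packed OpenSSL error code found in a log line into its parts."""
    m = OPENSSL_ERR_RE.search(log_line)
    if m is None:
        raise ValueError("no packed OpenSSL error code in line")
    code = int(m.group(1), 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


# Constructed samples (not captured traffic).
SAMPLES = {
    # what a browser sends to http://IP:55000 instead of https://
    "plain_http": b"GET /cas HTTP/1.1\r\nHost: example.invalid:55000\r\n\r\n",
    # TLS record header followed by a ClientHello handshake header
    "tls": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    # SSLv2-compatible hello as older browsers sent it
    "sslv2": b"\x80\x67\x01\x03\x01\x00\x4e",
    # a client that thinks it is talking to a forward proxy
    "proxy": b"CONNECT example.invalid:443 HTTP/1.1\r\n",
}

# The error string from David's Zorp log, verbatim.
ZORP_LOG_LINE = ("zorp/Zcommunicator[4334]: (svc/INcommunicator:9/pssl): SSL handshake "
                 "failed on the client side; error='error:1407609C:SSL routines:lib(20):"
                 "SSL23_GET_CLIENT_HELLO:func(118):http request:reason(156)'")

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} -> {classify_first_bytes(data)}")
    print(decode_openssl_error(ZORP_LOG_LINE))
```

With Zorp stopped, bind a throwaway listener on the public address and port, accept one connection from the browser and call peek_and_classify on it: 'http_request' confirms the client (or a redirect it followed) is speaking plain HTTP to the HTTPS port, which is the first cause on Robert's list, while 'tls_client_hello' points the search at the packet filter and the 55000/5500 port mix-up instead.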