From: Erxiang Liu
To: "HttpClient User Discussion"
Date: Mon, 8 Jan 2007 13:47:12 -0600
Subject: Re: why https site returns 403 when using proxy server?

Hi, Roland:

Just want to thank you so much for your quick and precise support.

Yes. The proxy server is not configured right.
So we tried to reconfigure the IBM http server. We first enable
the ssl module and make sure we can access the server
from https://x.xx.xx.xxx. Then did quite a lot of other configurations. It is not that straightforward.
Then we can get the https site programmatically and through the web browser via the proxy server.

I also tried to configure another apache http server. What confused me a little
is that I did not need to enable the ssl module and still can get to the https site programmatically and
through the web browser via this apache server.

Anyway, this is a very good learning experience. Thank you. This is a very helpful mailing list.

thanks,

Michelle

Roland Weber <http-async@dubioso.net>
01/04/2007 04:24 PM
Please respond to "HttpClient User Discussion" <httpclient-user@jakarta.apache.org>
To: HttpClient User Discussion <httpclient-user@jakarta.apache.org>
Subject: Re: why https site returns 403 when using proxy server?

Hi Michelle,

> Again, thanks for the quick response! I am amazed you figure out the
> product name with the limited information.

I learned just before christmas that Lotus Expeditor replaces the
default HTTP connection with one based on HttpClient. I don't know
of any other IBM product that does, so it was an easy guess :-)

> LoadModule proxy_module modules/mod_proxy.so
> #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
>
> sounds right? I did test it with a http site and it works fine.

Sorry, I can't tell you how to configure an Apache proxy.
The Apache server folks have their own mailing lists.

>> Have you made sure that the proxy requires only NTLMv1 and not NTLMv2?
> How to find out it needs NTLMv1 or NTLMv2? actually one can access
> the apache proxy server I setup without any user and password.

Ok, so the code that sets up proxy credentials is actually
pointless in this particular test case. This is confirmed
by the log, since no authentication is requested by the
proxy, and none is attempted by HttpClient.

> hostConfig=HostConfiguration[host=https://www.adobe.com,
> proxyHost=http://x.xx.xx.xxx]
> 2007/01/04 13:54:09:218 CST [DEBUG] HttpConnection - Open connection to
> x.xx.xx.xxx:80
> 2007/01/04 13:54:09:234 CST [DEBUG] header - >> "CONNECT www.adobe.com:443
> HTTP/1.1"
> 2007/01/04 13:54:09:234 CST [DEBUG] HttpMethodBase - Adding Host request
> header
> 2007/01/04 13:54:09:234 CST [DEBUG] header - >> "User-Agent: Jakarta
> Commons-HttpClient/3.0[\r][\n]"
> 2007/01/04 13:54:09:234 CST [DEBUG] header - >> "Host:
> www.adobe.com[\r][\n]"
> 2007/01/04 13:54:09:234 CST [DEBUG] header - >> "Proxy-Connection:
> Keep-Alive[\r][\n]"
> 2007/01/04 13:54:09:234 CST [DEBUG] header - >> "[\r][\n]"
> 2007/01/04 13:54:09:250 CST [DEBUG] header - << "HTTP/1.1 405 Method Not
> Allowed[\r][\n]"
> 2007/01/04 13:54:09:250 CST [DEBUG] header - << "Date: Thu, 04 Jan 2007
> 19:54:09 GMT[\r][\n]"
> 2007/01/04 13:54:09:250 CST [DEBUG] header - << "Server: Apache/2.2.3
> (Win32)[\r][\n]"
> 2007/01/04 13:54:09:250 CST [DEBUG] header - << "Allow:
> GET,HEAD,POST,OPTIONS,TRACE[\r][\n]"

This looks very much as if the proxy is not configured as a proxy,
or at least not for tunnelling. You said you did use that proxy
from a browser. Are you sure that the browser picked up the very
same proxy settings you want to use with HttpClient? Maybe you can try
with different browsers, just to be sure. Also make sure that you
try an https: connection via the proxy. A plain http: request does
not require tunnelling, so no CONNECT request would be sent.

I suspect a misconfiguration of the proxy server. Loading the module
is one thing, but some modules require additional configuration. If
you can indeed access an https: URL through that proxy on that port
with a browser, could you please use a network sniffer and post a
trace of the browser communication?

The Apache server documentation for the proxy modules mentions
an AllowCONNECT directive, though 443 should be allowed by default.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect

Have you defined a <Proxy *> section as in the "Forward Proxy"
basic example?

cheers,
 Roland
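
A small triage helper for header logs like the one quoted above, added here as an example and not part of the original thread or of HttpClient: it finds the CONNECT request in HttpClient 3.x debug output and classifies the proxy's answer along the lines Roland describes. The function name, the verdict strings and the sample log (wrapped lines re-joined, documentation address 192.0.2.10) are constructed for illustration.

```python
import re

# HttpClient 3.x header-log line: ">>" is sent, "<<" is received; payload is quoted.
HEADER_LINE = re.compile(r'\[DEBUG\] header - (>>|<<) "(.*?)(?:\[\\r\]\[\\n\])?"\s*$')

# Constructed sample modelled on the log in the thread (proxy address is a placeholder).
SAMPLE_LOG = r'''
2007/01/04 13:54:09:218 CST [DEBUG] HttpConnection - Open connection to 192.0.2.10:80
2007/01/04 13:54:09:234 CST [DEBUG] header - >> "CONNECT www.adobe.com:443 HTTP/1.1"
2007/01/04 13:54:09:234 CST [DEBUG] header - >> "Host: www.adobe.com[\r][\n]"
2007/01/04 13:54:09:234 CST [DEBUG] header - >> "Proxy-Connection: Keep-Alive[\r][\n]"
2007/01/04 13:54:09:234 CST [DEBUG] header - >> "[\r][\n]"
2007/01/04 13:54:09:250 CST [DEBUG] header - << "HTTP/1.1 405 Method Not Allowed[\r][\n]"
2007/01/04 13:54:09:250 CST [DEBUG] header - << "Allow: GET,HEAD,POST,OPTIONS,TRACE[\r][\n]"
'''

def diagnose_connect(log_text):
    """Return (target, status, verdict) for the first CONNECT exchange in the log."""
    target, status, allow, sent_auth = None, None, "", False
    for line in log_text.splitlines():
        m = HEADER_LINE.search(line)
        if not m:
            continue
        direction, payload = m.groups()
        if direction == ">>":
            if payload.startswith("CONNECT "):
                target = payload.split()[1]
            elif payload.lower().startswith("proxy-authorization:"):
                sent_auth = True
        elif target and status is None and payload.startswith("HTTP/"):
            status = int(payload.split()[1])
        elif payload.lower().startswith("allow:"):
            allow = payload.split(":", 1)[1].upper()
    if target is None:
        return None, None, "no CONNECT sent; a plain http: request is not tunnelled"
    if status is None:
        return target, None, "no response to CONNECT in this log"
    if 200 <= status < 300:
        note = "" if sent_auth else " without proxy credentials"
        return target, status, "tunnel established" + note
    if status == 405 and "CONNECT" not in allow:
        return target, status, "CONNECT not accepted; server is not acting as a tunnelling proxy"
    if status == 407:
        return target, status, "proxy requires authentication"
    if status == 403:
        return target, status, "tunnel refused; check proxy access rules and AllowCONNECT"
    return target, status, "unexpected response to CONNECT"

print(diagnose_connect(SAMPLE_LOG))
```

A 2xx verdict that ends in "without proxy credentials" corresponds to the setup described in the thread, where the proxy can be used without any user and password.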

