httpd-users mailing list archives

From David Balažic <david.bala...@comtrade.com>
Subject [users@httpd] Forward proxy for non-443 port fails
Date Fri, 31 Jul 2015 21:07:14 GMT
Hi!

I have set up apache2-2.2.10-2.24.5 on SLES 11 SP1 as a forward proxy.
(see conf file below)

Then I set it as a proxy in Firefox on another PC and did some tests.

HTTP access works fine to all tested sites (local and public internet) on different ports
(80, 7001 etc...)
HTTPS works to port 433 (https://www.google.com and so on), but it fails for all other (tested)
ports.

For example:

http://some.public.internet.site.org:8443
https://some-intranet-server:8081

The error reported by Firefox is a boilerplate error page:

The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.
    Check the proxy settings to make sure that they are correct.
    Contact your network administrator to make sure the proxy server is working.

I sniffed the traffic between Firefox and Apache in this case and it is:

From Firefox to proxy:
CONNECT some.public.internet.site.org:8443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: some.public.internet.site.org:8443

From proxy to Firefox:
HTTP/1.1 403 Forbidden
Date: Fri, 31 Jul 2015 20:54:19 GMT
Server: Apache/2.2.10 (Linux/SUSE)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Access forbidden!</title>
<link rev="made" href="mailto:my_personal_address@example.org" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Access forbidden!</h1>
<p>
    You don't have permission to access the requested object.
    It is either read-protected or not readable by the server.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:my_personal_address@example.org">webmaster</a>.
</p>

<h2>Error 403</h2>
<address>
  <a href="/">some.public.internet.site.org</a><br />
  <span>
Fri Jul 31 22:54:19 2015<br />
Apache/2.2.10 (Linux/SUSE)</span>
</address>
</body>
</html>


It is an error page generated by Apache (it has my email address I set in the config).

Here is the debug log for:
 - failed SSL connection to port 8443

[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy.c(756): Running scheme some.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting some.public.internet.site.org:8443 to some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy some.public.internet.site.org on port 8443

 - failed SSL connection to port 8081

[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] proxy_util.c(1498): [client 10.49.9.212] proxy: *: found forward proxy worker for some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy.c(988): Running scheme some-intranet-server handler (attempt 0)
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(121): proxy: CONNECT: connecting some-intranet-server:8081 to some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(144): proxy: CONNECT: connecting to remote proxy some-intranet-server on port 8081

 - successful SSL connection to port 443

[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy.c(756): Running scheme another.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting another.public.internet.site.org:443 to another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy another.public.internet.site.org on port 443

The proxy's response for a successful connection is:

CONNECT another.public.internet.site.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: another.public.internet.site.org:443

HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.2.10 (Linux/SUSE)

(then Firefox sets up an SSL channel to the remote server)


Config:

Loaded modules (besides the default) : proxy proxy_http headers proxy_connect 

Listen 8080
ServerAdmin my_personal_address@example.org

<VirtualHost _default_:8080>

    ProxyRequests On
    # this does not make a difference
    SSLProxyEngine On

    ErrorLog /var/log/apache2/debug.log
    LogLevel debug

    <Proxy *>
      Order deny,allow
      Deny from all
      # the PC running Firefox
      Allow from 127.0.0.1 192.168.3.55
    </Proxy>
</VirtualHost>


Is there something obvious I am missing?

Both the firefox PC and the PC running apache2 have unrestricted access to all tested websites.
The sites work from Firefox when no proxy is set. They are also accessible from the PC running
apache.

Kind regards,
David Balažic
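
Added example, not part of the original message and not the poster's or the Apache project's own configuration: mod_proxy's AllowCONNECT directive limits which destination ports a CONNECT request may target and defaults to 443 and 563, which is consistent with the 403 responses above for ports 8443 and 8081. The sketch below assumes that default is the cause and reuses the listener and client addresses from the posted config.

```apache
Listen 8080

<VirtualHost _default_:8080>
    ProxyRequests On

    # AllowCONNECT replaces the built-in list (443 563), so 443 must be
    # repeated here. List only the ports clients actually need: every
    # port named becomes reachable through a CONNECT tunnel.
    AllowCONNECT 443 8443 8081

    # Same client restriction as in the post (Apache 2.2 syntax).
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.3.55
    </Proxy>
</VirtualHost>
```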
