[8.940][CLOSED] HTTPS Traffic Proxy

Hi 

I currently have a problem with HTTPS when I use the proxy. 

Setup: 
- 1 Astaro
- 5 Interface, 3 Dynamic uplinks, 2 local adapters, 1 HA link (offline atm) 

Problem: 
When I use Astaro as a proxy in normal operation mode (not transparent), I have a problem when I'm surfing to an https website.

Log: 
2012:05:08-12:14:09 snake-jailbird httpproxy[32175]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.13.37.240" dstip="109.131.67.12" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2582" request="0x9593a18" url="https://www.example.com:8080/" exceptions="" error="Invalid argument"
2012:05:08-12:14:09 snake-jailbird httpproxy[32175]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.13.37.240" dstip="109.131.67.12" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2582" request="0x948de30" url="https://www.example.com:8080/" exceptions="" error="Invalid argument"
2012:05:08-12:14:10 snake-jailbird httpproxy[32175]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.13.37.240" dstip="109.131.67.12" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2582" request="0x965f060" url="https://www.example.com:8080/" exceptions="" error="Invalid argument" 



I disabled all surf protection. However, I noticed the error = "Invalid argument" 

I know that the https site is on a strange port, then again this used to work with Astaro V8. 

I tried the same with another port that isn't allowed by default, 2222; when adding the port to the allowed services, everything worked perfectly.
  • Yorkim,

    OK, I succeeded in reproducing your setup here. I get the following lines in http.log, which should explain why the HTTP proxy refuses to do what you want it to do:
    httpproxy[4651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="connect_server" file="dns.c" line="986" message="loopback detected"
    
    httpproxy[4651]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x96dd5a8" function="dns_lookup_proto" file="dns.c" line="1070" message="connect_server failed: Invalid argument"
    httpproxy[4651]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.128.129.130" dstip="192.168.2.1" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2592" request="0x96dd5a8" url="192.168.2.1:8080/" exceptions="" error="Invalid argument"


    Unfortunately this setup will not work as the proxy detects that on the connection to the server the source and destination address are equal and the destination port equals the configured HTTP proxy listening port. Usually this condition is only true for loopback connections.

    Please change your configuration to use another port.

    Regards,
    mlenk
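The correlation described in the reply above, as an added example that is not part of the original thread or of the proxy's own code: it joins the id="0003" debug lines to the blocked request through the shared request field and separates the loopback case from a plain upstream timeout. The sample lines are constructed (abridged from the layout quoted in the thread), and the function names and the listening port of 8080 are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: abridged lines in the key="value" layout of the http.log
# entries quoted in the thread (fewer fields, same field names).
SAMPLE_LOG = """\
httpproxy[4651]: id="0003" request="(nil)" function="connect_server" message="loopback detected"
httpproxy[4651]: id="0003" request="0x96dd5a8" function="dns_lookup_proto" message="connect_server failed: Invalid argument"
httpproxy[4651]: id="0002" action="block" method="CONNECT" srcip="10.128.129.130" dstip="192.168.2.1" statuscode="502" request="0x96dd5a8" url="192.168.2.1:8080/" error="Invalid argument"
httpproxy[7657]: id="0002" action="block" method="CONNECT" srcip="10.13.37.247" dstip="109.131.67.12" statuscode="500" request="0x10922cd0" url="https://www.linux-answered.com/" error="Connection timed out"
httpproxy[7657]: id="0001" action="pass" method="GET" srcip="10.13.37.247" dstip="109.131.67.12" statuscode="200" request="0x108751c0" url="http://www.linux-answered.com/" error=""
"""

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def target_port(url):
    """Port of a logged URL; CONNECT targets may be a bare 'host:port/'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.port or {"https": 443, "http": 80}.get(parts.scheme)


def explain_blocks(log_text, proxy_port):
    """Return (url, port, cause) for every blocked request in log_text."""
    records = [dict(FIELD_RE.findall(line)) for line in log_text.splitlines()]
    # Requests for which the proxy logged a failed outbound connect (id 0003).
    failed_connect = {r["request"] for r in records
                      if r.get("message", "").startswith("connect_server failed")}
    loopback_seen = any(r.get("message") == "loopback detected" for r in records)
    findings = []
    for r in records:
        if r.get("action") != "block":
            continue
        port = target_port(r["url"])
        if r["error"] == "Invalid argument" and port == proxy_port:
            # Confirmed only when the debug lines back it up; otherwise a hint.
            confirmed = loopback_seen and r["request"] in failed_connect
            cause = "loopback guard" if confirmed else "possible loopback guard"
        elif "timed out" in r["error"]:
            cause = "upstream timeout"
        else:
            cause = "other"
        findings.append((r["url"], port, cause))
    return findings


if __name__ == "__main__":
    for finding in explain_blocks(SAMPLE_LOG, proxy_port=8080):
        print(finding)
```
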
  • I did as you requested. However, this does not solve my problem. 

    My new setup: 

    Astaro Proxy expects incoming port 8081 to proxy traffic. I can confirm this works. 

    When I surf to http://www.linux-answered.com/ using my own proxy, this works. 


    2012:05:08-15:45:36 snake-jailbird httpproxy[7657]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.13.37.247" dstip="109.131.67.12" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="29681" request="0x108751c0" url="http://www.linux-answered.com/" exceptions="" error="" content-type="text/html"
    2012:05:08-15:45:36 snake-jailbird httpproxy[7657]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.13.37.247" dstip="109.131.67.12" user="" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x10837328" url="http://www.linux-answered.com/wp-includes/css/admin-bar.css?ver=20111209" exceptions="" error=""
    2



    However, when I use the https protocol and I try to surf to https://www.linux-answered.com, I'm getting a timeout. 


    2012:05:08-15:43:29 snake-jailbird httpproxy[7657]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.13.37.247" dstip="109.131.67.12" user="" statuscode="500" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="175" request="0x10922cd0" url="https://www.linux-answered.com/" exceptions="" error="Connection timed out" 
    2012:05:08-15:44:13 snake-jailbird httpproxy[7657]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="10.13.37.247" dstip="109.131.67.12" user="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2594" request="0x109a5cb0" url="https://www.linux-answered.com/" exceptions="" error="Connection to server timed out" 



    Any clue why? And why things work over the http protocol, but they fail once you use https?

    Thank you in advance