You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2006/06/24 17:28:13 UTC

Sa-update and proxy servers

I think I noticed small change in sa-update for 3.13.

It is now using port 8090 for outgoing connections. (or did it always?)

This happened to make it immediately fail on servers in the DMZ which
have a strict set of outgoing egress rules.

I now need to set a proxy server to do sa-updates through, but could not
find any information on settings for a proxy server.

I could either open up that port, use a proxy, or suggest a proxy
setting for sa-update.

Opening up the port means days if not weeks of change requests.
(and this might be the same in larger organizations, especially under
government security regs)
Steps include updating security policy, firewall rule policy then doing
a firewall rules change request.

Setting up a proxy globally would mean all requests from that host
(clamav updates, etc) would be forced to go through the proxy.

A replacement sa-update script to set a temporary proxy, and than
sa-update seems to work. (without forcing everything through a proxy
server)

Since sa-update is a perl script, and uses the LWP library, it honored
the http_proxy environment settings.

my $ua = LWP::UserAgent->new();
$ua->agent("sa-update/$VERSION");
$ua->timeout(60);      # a good long timeout; 10 is too short for Coral!
$ua->env_proxy;

Also, since it is a LWP library, I was wondering if there could not be a
rc or ini file associated with sa-update to use a specific proxy server
for it. (Similar to how clamav does it)

I also have intermittent failures, and it seems in some environments
maybe a larger timeout would help.

Proxy issues include:
Proxy url, proxy port, authentication (user/password), etc.

*remember, I don't want to force everything through a proxy server,
normal port 80 and port 443 traffic are normally allowed out many
corporate DMZ's and lans.  Increasingly, SOC, HIPAA, GLBA, ISO audits
are making security departments re evaluate firewall egress rules. Best
practices says 'block everything and only allow that which is required
by security use policy, and that only with a defined business case'.

Added cmd options:
 -x --proxy
 -U --proxy-user
 -P --proxy-password
 -t --connect-timeout.

Cmdline overrides http_proxy* environment variables.
I recognize -U and -P could be security vulnerabilities and recommend a
protected .rc file.


Extensive testing has not been performed (My proxy server doesn't
require authentication, and doesn't' fail if I give it phony
authenticating).
LWP proxy string is created as "http://user:password@proxy:port"
With user/password and port optional
--proxy can be specified at http://proxy or proxy or http://proxy:port
or proxy:port

I updated help a little (for -h) but not the individual items.

Patch attached. (works here(tm))

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news

Re: Sa-update and proxy servers

Posted by Radoslaw Zielinski <ra...@gmail.com>.

Michael Scheidell <sc...@secnap.net> [24-06-2006 17:28]:
[...]
> I now need to set a proxy server to do sa-updates through, but could not
> find any information on settings for a proxy server.

  echo 'alias sa-update="http_proxy=http://login:pass@proxy:port/ ' \
       'sa-update"' >> ~/.profile

?

-- 
Radosław Zieliński <ra...@pld-linux.org>

Re: Sa-update and proxy servers

Posted by "Warren Togami Jr." <wt...@gmail.com>.

On 2/17/2011 11:44 PM, Daniel Lemke wrote:
>
>
> Michael Scheidell wrote:
>>
>> [...]
>> I now need to set a proxy server to do sa-updates through, but could not
>> find any information on settings for a proxy server.
>>
>> [...]
>> Added cmd options:
>>   -x --proxy
>>   -U --proxy-user
>>   -P --proxy-password
>>   -t --connect-timeout.
>>
>>   [...]
>>
>
> Hi,
>
> just found this old thread regarding the proxy capabilities of sa-update. I
> wonder why Michael's patch hasn't been included to the official source.
>
> We've got a customer that wants to use sa-update through a proxy but using a
> custom patch to provide such a feature is kind of weird. Would it be
> possible to make the patch official? At least it'd be great if one could
> specify username and password in addition to the proxy url by using
> environment variables for LWP::Agent.
>
> Any comments on this?
>
> Daniel

Was this ever filed as a bug with the suggested patch attached?  Nothing 
gets in the code without a bug filed.

Warren

Re: Sa-update and proxy servers

Posted by Daniel Lemke <le...@jam-software.com>.

Michael Scheidell wrote:
> 
> [...]
> I now need to set a proxy server to do sa-updates through, but could not
> find any information on settings for a proxy server.
> 
> [...]
> Added cmd options:
>  -x --proxy
>  -U --proxy-user
>  -P --proxy-password
>  -t --connect-timeout.
> 
>  [...]
> 

Hi, 

just found this old thread regarding the proxy capabilities of sa-update. I
wonder why Michael's patch hasn't been included to the official source.

We've got a customer that wants to use sa-update through a proxy but using a
custom patch to provide such a feature is kind of weird. Would it be
possible to make the patch official? At least it'd be great if one could
specify username and password in addition to the proxy url by using
environment variables for LWP::Agent.

Any comments on this?

Daniel
-- 
View this message in context: http://old.nabble.com/Sa-update-and-proxy-servers-tp5026430p30957142.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.