Posted to users@trafficserver.apache.org by Kamil <ho...@wp.pl> on 2020/04/09 14:18:17 UTC

Cycle Prohibited issue

Hi,
I have ATS configured to act as a reverse proxy for AWS S3 bucket. That works fine if I call it inside the docker container running it or when I am calling http://localhost in the web browser on my computer. However I am getting Cycle Prohibited error when I am trying to open it in my local network using the private IP of my laptop.
I am trying to find anything regarding that in the docs, but there is not too much. How can I make it working outside of my localhost?
brgds,

Re: Odp: Re: Cycle Prohibited issue

Posted by Kamil <ho...@wp.pl>.
It doesn't make any difference even if I change it to:

map http://ats-s3-proxy http://bucket_name.s3.eu-west-1.amazonaws.com @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config

where ats-s3-proxy points to 100.123.128.4 (k8s) in /etc/hosts

On 14 April 2020 19:16, juergenp [core] <juergenp@core.at> wrote:
> Hello,
>
> localhost ?? you should provide an existing hostname. localhost points always to 127.0.0.1.
> this is a loopback interface.
>
> furthermore a slash is missing at the end of all the urls.
>
> map http://replace_it_with_a_real_hostname/ http://bucket_name.s3.eu-west-1.amazonaws.com/ @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config
> reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com/ http://replace_it_with_a_Real_hostname/
>
> kr
> Juergen

Re: Odp: Re: Cycle Prohibited issue

Posted by "juergenp [core]" <ju...@core.at>.
if you want to proxy only, you should remove the reverse_map line from the 
remap.conf
reverse_map is used for a reverse-proxy.



On Tue, 14 Apr 2020 20:35:43 +0200 Kamil  wrote:
>Yes, localhost. The plan is to use ATS as proxy for S3 bucket.
>So it is running as Docker container/k8s Pod where the other Pods/apps are calling it like: http://ats:80/object
>It is not available from the internet. So far it is working only when called from inside the docker/k8s pod but not from outside the docker/k8s pod.
>regards,
>Kamil
>
>On 14 April 2020 19:16, juergenp [core] <ju...@core.at> wrote:
>>Hello,
>>
>>localhost ?? you should provide an existing hostname.  localhost points always to 127.0.0.1.
>>this is a loopback interface.
>>
>>furthermore a slash is missing at the end of all the urls.
>>
>>map http://replace_it_with_a_real_hostname/ http://bucket_name.s3.eu-west-1.amazonaws.com/ @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config
>>reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com/ http://replace_it_with_a_Real_hostname/
>> 
>>kr
>>Juergen
>>
**
Best Regards

Jürgen Paulhart

E-Mail / SIP / XMPP : juergenp@core.at
VoIP / Mobil: +43 676 30 59 244

*** Information Technologies & Hosted Unified Communications ***

<** This message is signed. The content was not altered during transfer **>
<*** .. and if you don't know, now you know, ... ***>


Re: Odp: Re: Cycle Prohibited issue

Posted by "juergenp [core]" <ju...@core.at>.
yes, the hostname must be known by the called dns server of your docker 
installation.
you must use a fqdn no matter if private or not.... you can use an internal 
dns for that or you can change the resolving mechanism.

using the hosts file is not enough.
don't forget to restart the service afterwards.



On Tue, 14 Apr 2020 20:48:41 +0200 Kamil  wrote:
>Hi Alan,
>If I change CONFIG proxy.config.url_remap.remap_required INT to 1 then I am getting: "Not found on Accelerator" error on any client calling it.
>regards,
>
>On 14 April 2020 19:41, Alan Carroll <so...@verizonmedia.com> wrote:
>>You have this
>>"CONFIG proxy.config.url_remap.remap_required INT 0"
>>This means requests go through even if there is no matching remap rule. Therefore a request to 127.0.0.1:80 will go through, and connect back to ATS, thereby creating a loop. If ATS is running on a host with address 172.16.0.1 and a request for that address arrives, exactly the same thing will happen. This may be what using your private IP address is doing.
>>
>>Because the remap rule is for port 80, requests to other ports on localhost or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).
>>


Re: Odp: Re: Cycle Prohibited issue

Posted by Kamil <ho...@wp.pl>.
Yes, that solved the problem. Thanks to everyone involved.

On 14 April 2020 23:48, juergenp [core] <juergenp@core.at> wrote:
> As Alan mentioned: the clients need to resolve the mapped hostname, I run into such a problem and fixed it with creating a dns-entry (fqdn) which resolves for all clients. if the clients are on the internet, a public zone must be used.
>
> if the clients are known and not random, then you can also modify the hosts-file on each client for that manually.
>
> on the intranet, you can use your internal DNS for that. exposing internal addresses to the internet is not a good idea, like defining internal addresses on a public dns-zone.
>
> kr
> Juergen
>
> On Tue, 14 Apr 2020 16:54:18 -0500 Alan Carroll wrote:
>> Then your clients are wrong and should be fixed. That is, they are trying to access something other than your S3 bucket via your ATS instance. Based on your description, every request that arrives should have the first line as
>>
>> GET http://ats-s3-proxy/ HTTP/1.1
>>
>> or
>>
>> GET / HTTP/1.1
>>
>> in both cases with the field
>>
>> Host: ats-s3-proxy
>>
>> If not, why are they connecting to your ATS instance? If so, then the remap rule will prevent the 404 Not Found On Accelerator.
>>
>> On Tue, Apr 14, 2020 at 1:48 PM Kamil <ho...@wp.pl> wrote:
>>> Hi Alan,
>>> If I change CONFIG proxy.config.url_remap.remap_required INT to 1 then I am getting: "Not found on Accelerator" error on any client calling it.
>>> regards,
>>>
>>> On 14 April 2020 19:41, Alan Carroll <so...@verizonmedia.com> wrote:
>>>> You have this
>>>> "CONFIG proxy.config.url_remap.remap_required INT 0"
>>>> This means requests go through even if there is no matching remap rule. Therefore a request to 127.0.0.1:80 will go through, and connect back to ATS, thereby creating a loop. If ATS is running on a host with address 172.16.0.1 and a request for that address arrives, exactly the same thing will happen. This may be what using your private IP address is doing.
>>>>
>>>> Because the remap rule is for port 80, requests to other ports on localhost or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).

Re: Odp: Re: Cycle Prohibited issue

Posted by "juergenp [core]" <ju...@core.at>.
As Alan mentioned:
the clients need to resolve the mapped hostname, I run into such a problem 
and fixed it with creating a dns-entry (fqdn) which resolves for all clients. 
if the clients are on the internet, a public zone must be used.


if the clients are known and not random, then you can also modify the 
hosts-file on each client for that manually.

on the intranet, you can use your internal DNS for that.
exposing internal addresses to the internet is not a good idea, like 
defining internal addresses on a public dns-zone.

kr
Juergen


On Tue, 14 Apr 2020 16:54:18 -0500 Alan Carroll  wrote:
>
>Then your clients are wrong and should be fixed. That is, they are trying to access something other than your S3 bucket via your ATS instance. Based on your description, every request that arrives should have the first line as
>
>GET http://ats-s3-proxy/ HTTP/1.1
>
>or
>
>GET / HTTP/1.1
>
>in both cases with the field
>
>Host: ats-s3-proxy
>
>If not, why are they connecting to your ATS instance? If so, then the remap rule will prevent the 404 Not Found On Accelerator.
>
>On Tue, Apr 14, 2020 at 1:48 PM Kamil <ho...@wp.pl> wrote:
>>Hi Alan,
>>If I change CONFIG proxy.config.url_remap.remap_required INT to 1 then I am getting: "Not found on Accelerator" error on any client calling it.
>>regards,
>>
>>
>>On 14 April 2020 19:41, Alan Carroll <so...@verizonmedia.com> wrote:
>>>You have this
>>>"CONFIG proxy.config.url_remap.remap_required INT 0"
>>>This means requests go through even if there is no matching remap rule. Therefore a request to 127.0.0.1:80 will go through, and connect back to ATS, thereby creating a loop. If ATS is running on a host with address 172.16.0.1 and a request for that address arrives, exactly the same thing will happen. This may be what using your private IP address is doing.
>>>
>>>Because the remap rule is for port 80, requests to other ports on localhost or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).
>>>



Re: Odp: Re: Cycle Prohibited issue

Posted by Alan Carroll <so...@verizonmedia.com>.
Then your clients are wrong and should be fixed. That is, they are trying
to access something other than your S3 bucket via your ATS instance. Based
on your description, every request that arrives should have the first line
as

GET http://ats-s3-proxy/ HTTP/1.1

or

GET / HTTP/1.1

in both cases with the field

Host: ats-s3-proxy

If not, why are they connecting to your ATS instance? If so, then the remap
rule will prevent the 404 Not Found On Accelerator.

On Tue, Apr 14, 2020 at 1:48 PM Kamil <ho...@wp.pl> wrote:

> Hi Alan,
> If I change CONFIG proxy.config.url_remap.remap_required INT to 1 then I
> am getting: "Not found on Accelerator" error on any client calling it.
> regards,
>
> On 14 April 2020 19:41, Alan Carroll <so...@verizonmedia.com> wrote:
>
> You have this
> "CONFIG proxy.config.url_remap.remap_required INT 0"
> This means requests go through even if there is no matching remap rule.
> Therefore a request to 127.0.0.1:80 will go through, and connect back to
> ATS, thereby creating a loop. If ATS is running on a host with address
> 172.16.0.1 and a request for that address arrives, exactly the same thing
> will happen. This may be what using your private IP address is doing.
>
> Because the remap rule is for port 80, requests to other ports on
> localhost or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).
>
>
>

Re: Odp: Re: Cycle Prohibited issue

Posted by Kamil <ho...@wp.pl>.
Hi Alan,
If I change CONFIG proxy.config.url_remap.remap_required INT to 1 then I am getting: "Not found on Accelerator" error on any client calling it.
regards,

On 14 April 2020 19:41, Alan Carroll <so...@verizonmedia.com> wrote:
> You have this
> "CONFIG proxy.config.url_remap.remap_required INT 0"
> This means requests go through even if there is no matching remap rule. Therefore a request to 127.0.0.1:80 will go through, and connect back to ATS, thereby creating a loop. If ATS is running on a host with address 172.16.0.1 and a request for that address arrives, exactly the same thing will happen. This may be what using your private IP address is doing.
>
> Because the remap rule is for port 80, requests to other ports on localhost or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).

Re: Odp: Re: Cycle Prohibited issue

Posted by Alan Carroll <so...@verizonmedia.com>.
You have this
"CONFIG proxy.config.url_remap.remap_required INT 0"
This means requests go through even if there is no matching remap rule.
Therefore a request to 127.0.0.1:80 will go through, and connect back to
ATS, thereby creating a loop. If ATS is running on a host with address
172.16.0.1 and a request for that address arrives, exactly the same thing
will happen. This may be what using your private IP address is doing.

Because the remap rule is for port 80, requests to other ports on localhost
or 127.0.0.0/8 will also loop, e.g. HTTPS requests (port 443).


On Tue, Apr 14, 2020 at 1:35 PM Kamil <ho...@wp.pl> wrote:

> Yes, localhost. The plan is to use ATS as proxy for S3 bucket.
> So it is running as Docker container/k8s Pod where the other Pods/apps are
> calling it like: http://ats:80/object
> It is not available from the internet. So far it is working only when
> called from inside the docker/k8s pod but not from outside the docker/k8s
> pod.
> regards,
> Kamil
>
> On 14 April 2020 19:16, juergenp [core] <ju...@core.at> wrote:
>
> Hello,
>
>
>
> localhost ?? you should provide an existing hostname.  localhost points
> always to 127.0.0.1.
>
> this is a loopback interface.
>
>
>
>
>
>
>
> furthermore a slash is missing at the end of all the urls.
>
>
>
> map http://replace_it_with_a_real_hostname/
> http://bucket_name.s3.eu-west-1.amazonaws.com/ @plugin=s3_auth.so
> @pparam=--config @pparam=s3_auth_v4.config
>
> reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com/
> http://replace_it_with_a_Real_hostname/
>
>
>
> kr
>
> Juergen
>
>
>
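
A simplified model of the behaviour described in the message above (an added example, not ATS source code and not posted by anyone in the thread): it shows why the same remap rule serves localhost, loops on the host's own address, and returns 404 once remap_required is set. The Via token `ats-1`, the function names and the set of self addresses are assumptions; 172.16.0.1 is the address used as an illustration in the message.

```python
# Simplified model of remap matching, remap_required and Via-based loop
# detection as described in this thread. Not ATS code; names are hypothetical.

PROXY_VIA = "ats-1"  # constructed Via token identifying this proxy
BUCKET = "bucket_name.s3.eu-west-1.amazonaws.com"

# Constructed: names and addresses that lead back to this proxy instance.
SELF_ADDRS = {"localhost", "127.0.0.1", "172.16.0.1"}

# The rule from the posted remap.config: only Host "localhost" on port 80.
ORIGINAL_REMAP = {("localhost", 80): BUCKET}
# The rule after the fix: a hostname every client can resolve.
FIXED_REMAP = {("ats-s3-proxy", 80): BUCKET}


def handle(host, port, remap, remap_required, via=()):
    """Follow one request through the proxy and return the final outcome."""
    if PROXY_VIA in via:
        # The request already passed through this proxy once.
        return "Cycle Prohibited"
    target = remap.get((host, port))
    if target is not None:
        return f"forwarded to {target}"
    if remap_required:
        # No matching rule and rules are mandatory.
        return "404 Not Found on Accelerator"
    # No matching rule, remap not required: connect to whatever the
    # request names, adding our own Via token on the way out.
    if host in SELF_ADDRS:
        return handle(host, port, remap, remap_required, via + (PROXY_VIA,))
    return f"passed through to {host}"


def scenarios():
    """Outcomes for the cases discussed in the thread."""
    return {
        "localhost:80, remap_required=0":
            handle("localhost", 80, ORIGINAL_REMAP, False),
        "172.16.0.1:80, remap_required=0":
            handle("172.16.0.1", 80, ORIGINAL_REMAP, False),
        "localhost:443, remap_required=0":
            handle("localhost", 443, ORIGINAL_REMAP, False),
        "172.16.0.1:80, remap_required=1":
            handle("172.16.0.1", 80, ORIGINAL_REMAP, True),
        "ats-s3-proxy:80, fixed rule, remap_required=1":
            handle("ats-s3-proxy", 80, FIXED_REMAP, True),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:48} -> {outcome}")
```
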

Re: Odp: Re: Cycle Prohibited issue

Posted by Kamil <ho...@wp.pl>.
Yes, localhost. The plan is to use ATS as proxy for S3 bucket.
So it is running as Docker container/k8s Pod where the other Pods/apps are calling it like: http://ats:80/object
It is not available from the internet. So far it is working only when called from inside the docker/k8s pod but not from outside the docker/k8s pod.
regards,
Kamil

On 14 April 2020 19:16, juergenp [core] <juergenp@core.at> wrote:
> Hello,
>
> localhost ?? you should provide an existing hostname. localhost points always to 127.0.0.1.
> this is a loopback interface.
>
> furthermore a slash is missing at the end of all the urls.
>
> map http://replace_it_with_a_real_hostname/ http://bucket_name.s3.eu-west-1.amazonaws.com/ @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config
> reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com/ http://replace_it_with_a_Real_hostname/
>
> kr
> Juergen

Re: Odp: Re: Cycle Prohibited issue

Posted by "juergenp [core]" <ju...@core.at>.
Hello,
  

localhost ?? you should provide an existing hostname.  localhost points 
always to 127.0.0.1.
this is a loopback interface.



furthermore a slash is missing at the end of all the urls.

map http://replace_it_with_a_real_hostname/ 
http://bucket_name.s3.eu-west-1.amazonaws.com/ @plugin=s3_auth.so 
@pparam=--config @pparam=s3_auth_v4.config
reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com/ 
http://replace_it_with_a_Real_hostname/

kr
Juergen

On Tue, 14 Apr 2020 19:12:29 +0200 Kamil  wrote:
>So how can I make it working? I have enabled debugging but it doesn't produce traffic.out file. My configs:
>records.config: https://pastebin.com/YAzD14j3
>remap.config:
> map http://localhost:80 http://bucket_name.s3.eu-west-1.amazonaws.com @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config
> reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com http://localhost:80
> (I have also tried without reverse_map)
>region_map.config:
> s3.amazonaws.com                     : eu-west-1
> s3.dualstack.eu-west-1.amazonaws.com : eu-west-1
> s3.eu-west-1.amazonaws.com           : eu-west-1
> : eu-west-1
>s3_auth_v4.config
> access_key=x
> secret_key=x
> version=4
> v4-region-map=region_map.config
>
>On 9 April 2020 20:12, Alan Carroll <so...@verizonmedia.com> wrote:
>>
>>"Cycle prohibited" generally means that ATS has been configured to connect to itself and upon detecting this, prevents the infinite loop. This is detected by watching the "Via" header and seeing if it has the same via data as the current ATS (which, if true, means there is a cycle). If I had to debug it, I would enable debug messages with the "http" tag. That generates a lot of data, including where ATS is trying to connect when it goes upstream. I would look at that to make sure it's going where it is supposed to and not to itself.
>>
>>
>>On Thu, Apr 9, 2020 at 9:18 AM Kamil <ho...@wp.pl> wrote:
>>>Hi,
>>>I have ATS configured to act as a reverse proxy for AWS S3 bucket. That works fine if I call it inside the docker container running it or when I am calling http://localhost in the web browser on my computer. However I am getting Cycle Prohibited error when I am trying to open it in my local network using the private IP of my laptop.
>>>I am trying to find anything regarding that in the docs, but there is not too much. How can I make it working outside of my localhost?
>>>brgds,
>>
  

Odp: Re: Cycle Prohibited issue

Posted by Kamil <ho...@wp.pl>.
So how can I make it working? I have enabled debugging but it doesn't produce traffic.out file. My configs:
records.config: https://pastebin.com/YAzD14j3
remap.config:
  map http://localhost:80 http://bucket_name.s3.eu-west-1.amazonaws.com @plugin=s3_auth.so @pparam=--config @pparam=s3_auth_v4.config
  reverse_map http://bucket_name.s3.eu-west-1.amazonaws.com http://localhost:80
  (I have also tried without reverse_map)
region_map.config:
  s3.amazonaws.com                     : eu-west-1
  s3.dualstack.eu-west-1.amazonaws.com : eu-west-1
  s3.eu-west-1.amazonaws.com           : eu-west-1
  : eu-west-1
s3_auth_v4.config
  access_key=x
  secret_key=x
  version=4
  v4-region-map=region_map.config

On 9 April 2020 20:12, Alan Carroll <so...@verizonmedia.com> wrote:
> "Cycle prohibited" generally means that ATS has been configured to connect to itself and upon detecting this, prevents the infinite loop. This is detected by watching the "Via" header and seeing if it has the same via data as the current ATS (which, if true, means there is a cycle). If I had to debug it, I would enable debug messages with the "http" tag. That generates a lot of data, including where ATS is trying to connect when it goes upstream. I would look at that to make sure it's going where it is supposed to and not to itself.
>
> On Thu, Apr 9, 2020 at 9:18 AM Kamil <ho...@wp.pl> wrote:
>> Hi,
>> I have ATS configured to act as a reverse proxy for AWS S3 bucket. That works fine if I call it inside the docker container running it or when I am calling http://localhost in the web browser on my computer. However I am getting Cycle Prohibited error when I am trying to open it in my local network using the private IP of my laptop.
>> I am trying to find anything regarding that in the docs, but there is not too much. How can I make it working outside of my localhost?
>> brgds,

Re: Cycle Prohibited issue

Posted by Alan Carroll <so...@verizonmedia.com>.
"Cycle prohibited" generally means that ATS has been configured to connect
to itself and upon detecting this, prevents the infinite loop. This is
detected by watching the "Via" header and seeing if it has the same via
data as the current ATS (which, if true, means there is a cycle). If I had
to debug it, I would enable debug messages with the "http" tag. That
generates a lot of data, including where ATS is trying to connect when it
goes upstream. I would look at that to make sure it's going where it is
supposed to and not to itself.

On Thu, Apr 9, 2020 at 9:18 AM Kamil <ho...@wp.pl> wrote:

> Hi,
> I have ATS configured to act as a reverse proxy for AWS S3 bucket. That
> works fine if I call it inside the docker container running it or when I am
> calling http://localhost in the web browser on my computer. However I am
> getting Cycle Prohibited error when I am trying to open it in my local
> network using the private IP of my laptop.
> I am trying to find anything regarding that in the docs, but there is not
> too much. How can I make it working outside of my localhost?
> brgds,
>