Posted to users@httpd.apache.org by David Balažic <da...@comtrade.com> on 2015/07/31 23:07:14 UTC

[users@httpd] Forward proxy for non-443 port fails

Hi!

I have set up apache2-2.2.10-2.24.5 on SLES 11 SP1 as a forward proxy.
(see conf file below)

Then I set it as a proxy in Firefox on another PC and did some tests.

HTTP access works fine to all tested sites (local and public internet) on different ports (80, 7001 etc...)
HTTPS works to port 433 ( https://www.google.com and so) but it fails for all other (tested) ports.

For example:

http://some.public.internet.site.org:8443
https://some-intranet-server:8081

The error reported by Firefox is a boilerplate error page:

The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing connections.
    Check the proxy settings to make sure that they are correct.
    Contact your network administrator to make sure the proxy server is working.

I sniffed the traffic between Firefox and Apache in this case and it is:

From Firefox to proxy:
CONNECT some.public.internet.site.org:8443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: some.public.internet.site.org:8443

From proxy to Firefox:
HTTP/1.1 403 Forbidden
Date: Fri, 31 Jul 2015 20:54:19 GMT
Server: Apache/2.2.10 (Linux/SUSE)
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: en

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Access forbidden!</title>
<link rev="made" href="mailto:my_personal_address@example.org" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Access forbidden!</h1>
<p>
    You don't have permission to access the requested object.
    It is either read-protected or not readable by the server.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:my_personal_address@example.org">webmaster</a>.
</p>

<h2>Error 403</h2>
<address>
  <a href="/">some.public.internet.site.org</a><br />
  <span>
Fri Jul 31 22:54:19 2015<br />
Apache/2.2.10 (Linux/SUSE)</span>
</address>
</body>
</html>


It is an error page generated by Apache (it has my email address I set in the config).

Here is the debug log for:
 - failed SSL connection to port 8443

[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy.c(756): Running scheme some.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting some.public.internet.site.org:8443 to some.public.internet.site.org:8443
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy some.public.internet.site.org on port 8443

 - failed SSL connection to port 8081

[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] proxy_util.c(1498): [client 10.49.9.212] proxy: *: found forward proxy worker for some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy.c(988): Running scheme some-intranet-server handler (attempt 0)
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(121): proxy: CONNECT: connecting some-intranet-server:8081 to some-intranet-server:8081
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(144): proxy: CONNECT: connecting to remote proxy some-intranet-server on port 8081

 - successful SSL connection to port 443

[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] proxy_util.c(1345): [client 10.49.9.212] proxy: *: found forward proxy worker for another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy.c(756): Running scheme another.public.internet.site.org handler (attempt 0)
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(104): proxy: CONNECT: serving URL another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(120): proxy: CONNECT: connecting another.public.internet.site.org:443 to another.public.internet.site.org:443
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(137): proxy: CONNECT: connecting to remote proxy another.public.internet.site.org on port 443

The proxy's response for a successful connection is:

CONNECT another.public.internet.site.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: another.public.internet.site.org:443

HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.2.10 (Linux/SUSE)

(then Firefox sets up an SSL channel to the remote server)


Config:

Loaded modules (besides the default) : proxy proxy_http headers proxy_connect 

Listen 8080
ServerAdmin my_personal_address@example.org

 <VirtualHost _default_:8080>

    ProxyRequests On
    # this does not make a difference
    SSLProxyEngine On

    ErrorLog /var/log/apache2/debug.log
    LogLevel debug

    <Proxy *>
      Order deny,allow
      Deny from all
      # the PC running Firefox
      Allow from 127.0.0.1 192.168.3.55
    </Proxy>
  </VirtualHost>


Is there something obvious I am missing?

Both the Firefox PC and the PC running apache2 have unrestricted access to all tested websites. The sites work from Firefox when no proxy is set. They are also accessible from the PC running Apache.

Kind regards,
David Balažic

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] RE: Forward proxy for non-443 port fails

Posted by David Balažic <da...@comtrade.com>.
Well, the debug log is not really helpful. I looked into the source code of mod_proxy_connect to realise that all ports besides 443 and 563 are blocked for CONNECT.

I added an AllowCONNECT 443 8443 to the config and now it works.


David Balažic
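
Added example, not part of the original thread and not httpd's own code: a Python model of the CONNECT port check described in the reply above, run over three lines from the posted debug log to list the targets that get a 403. The function names are hypothetical; the 443/563 default is the one named in the reply, and all AllowCONNECT lines in the given text are treated as one scope.

```python
import re

# Ports allowed for CONNECT when no AllowCONNECT directive is present.
DEFAULT_PORTS = [(443, 443), (563, 563)]

CONNECT_RE = re.compile(r"CONNECT: canonicalising URL (\S+):(\d+)\s*$")

def allowed_ranges(config_text):
    """Return (low, high) port ranges from AllowCONNECT lines, else the default.

    Listing ports replaces the default instead of extending it. Ranges such
    as 8000-8100 are only accepted by httpd 2.3.7 and later.
    """
    ranges = []
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or full-line comment
        if words[0].lower() == "allowconnect":
            for spec in words[1:]:
                low, _, high = spec.partition("-")
                ranges.append((int(low), int(high or low)))
    return ranges or DEFAULT_PORTS

def refused_connects(log_text, ranges):
    """Return sorted (host, port) CONNECT targets that fail the port check."""
    refused = set()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            host, port = m.group(1), int(m.group(2))
            if not any(low <= port <= high for low, high in ranges):
                refused.add((host, port))
    return sorted(refused)

# Three lines copied from the debug log in the post.
SAMPLE_LOG = """\
[Fri Jul 31 21:40:57 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some.public.internet.site.org:8443
[Fri Jul 31 22:41:28 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL some-intranet-server:8081
[Fri Jul 31 21:40:50 2015] [debug] mod_proxy_connect.c(68): proxy: CONNECT: canonicalising URL another.public.internet.site.org:443
"""

if __name__ == "__main__":
    for cfg in ("ProxyRequests On", "ProxyRequests On\nAllowCONNECT 443 8443"):
        print(repr(cfg), "->", refused_connects(SAMPLE_LOG, allowed_ranges(cfg)))
```

With `AllowCONNECT 443 8443` the 8081 target from the original post is still refused, and 563 is no longer allowed because the listed ports replace the default.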

