Discussion:
Help for forward proxy configuration
salil GK
2017-03-08 09:10:07 UTC
Hello

We were trying to set up a forward proxy. I have my remap entry as below.
regex_map http://(.{3,1023})/ http://$1/ @plugin=ts_httpallow_remap_plugin.so @pparam=/etc/trafficserver/etc/httpallowlist.txt @pparam=forwardproxy

Httpallow_remap_plugin is used for filtering the origin server.

If I access an external http site using this server as a proxy, everything
works.

regex_map https://(.{3,1023})/ https://$1/ @plugin=ts_httpallow_remap_plugin.so @pparam=/etc/trafficserver/etc/httpallowlist.txt @pparam=forwardproxy

When I access an https site using this server as my proxy server, it
doesn’t work. Also, the control doesn’t reach httpallow_remap_plugin.
It always shows access denied.

What could be the problem?


Thanks in advance

~S
salil GK
2017-03-08 10:48:21 UTC
Basically, while analysing the traffic, what I observed is that when I access
an http site the http header comes as

^MHTTPMSG:^M|GET http://10.106.251.95/ HTTP/1.1^MHost:
10.106.251.95^MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10;
rv:51.0) Gecko/20100101 Firefox/51.0^MAccept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^MAccept-Language:
en-US,en;q=0.5^MAccept-Encoding: gzip^MCookie:<CONCEALED>^MConnection:
keep-alive^MUpgrade-Insecure-Requests: 1^M^M|^M


whereas for https access the http header comes as

^MHTTPMSG:^M|CONNECT 10.106.251.95:443 HTTP/1.1^MUser-Agent: Mozilla/5.0
(Macintosh; Intel Mac OS X 10.10; rv:51.0) Gecko/20100101
Firefox/51.0^MProxy-Connection: keep-alive^MConnection: keep-alive^MHost:
10.106.251.95:443^M^M|^M
and servers return

Msg="HTTP/1.1 403 Access Denied"
back to browser

How do I configure ATS to pass https request to the origin server ?

Thanks in advance
~S
James Peach
2017-03-08 17:04:33 UTC
Post by salil GK
How do I configure ATS to pass https request to the origin server ?
This is a user agent behavior. When user agents make a HTTPS request through a proxy they will use the CONNECT method to establish an end-to-end secure tunnel to the origin.
salil GK
2017-03-08 23:14:35 UTC
Thanks James for pitching in.

So the point is I want to get an https request delivered to the origin
server through my proxy. Now it is being dropped, I guess. How do I get it
done?

Thanks in advance
~S
salil GK
2017-03-13 02:50:43 UTC
Any help on this would be really great.

I have my setup as follows.

Client machine -> ATS 1 as forward proxy -> ATS 2 as a forward proxy ->
Origin server

I am doing proxy chaining. ATS 2 is configured as parent proxy, and there
is an ssh tunnel between ATS1 and ATS2.

When I send an http request from my client everything works perfectly and
my client gets the requested content.

But when I send an https request from my client, ATS1 sends back 403 Access
denied.

I guess we need to make some settings for ATS to forward the CONNECT method.

Can I get some help on configuring ATS to allow https requests to be
forwarded?

If I need to upload the origin server certificate in ATS, that is also
possible.

I don't need to make this setup an open proxy. Only the designated origin
server will be supported.

Thanks in advance
~S
James Peach
2017-03-13 03:51:14 UTC
Post by salil GK
I guess we need to make some settings for ATS to forward CONNECT method.
CONNECT is enabled by default.

You need to figure out who is giving the 403 response. Check ATS access logs, and packet trace from each hop if you have to. Knowing where the 403 comes from will help you figure out what your next step is.
salil GK
2017-03-14 16:33:03 UTC
I think I found the issue with my setup -
There were two issues - proxy.config.http.connect_ports was set to NULL. I
have set that to 443

Next issue was ip_allow.config file didn't have CONNECT method allowed.
After setting that to ALL methods, things started working.

Thanks
~S
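
The two settings named in the post above can be checked offline before reloading ATS. The following is an added example, not code from the thread or from the Traffic Server project: it is a simplified model of ip_allow.config (first rule whose src_ip range matches decides, dash ranges only, no matching rule treated as denied) and of the connect_ports list, and the sample configs and the 10.0.0.0/8 client range are constructed.

```python
import ipaddress

# Constructed sample configs (not from the thread): the failing state the
# poster describes and a corrected one. The client range is an assumption.
BROKEN_RECORDS = "CONFIG proxy.config.http.connect_ports STRING NULL\n"
FIXED_RECORDS = "CONFIG proxy.config.http.connect_ports STRING 443\n"
BROKEN_IP_ALLOW = "src_ip=10.0.0.0-10.255.255.255 action=ip_allow method=GET|HEAD|POST\n"
FIXED_IP_ALLOW = "src_ip=10.0.0.0-10.255.255.255 action=ip_allow method=ALL\n"

def connect_ports(records_text):
    """Return the numeric ports listed in proxy.config.http.connect_ports."""
    for line in records_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == ["CONFIG", "proxy.config.http.connect_ports"]:
            return {int(p) for p in parts[3:] if p.isdigit()}
    return set()

def method_allowed(ip_allow_text, client_ip, method):
    """Simplified model: the first rule whose src_ip range holds client_ip decides."""
    ip = ipaddress.ip_address(client_ip)
    for line in ip_allow_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        lo, _, hi = fields["src_ip"].partition("-")
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        if lo.version != ip.version or not (lo <= ip <= hi):
            continue
        methods = fields.get("method", "ALL").upper().split("|")
        listed = "ALL" in methods or method.upper() in methods
        # ip_allow permits the listed methods; ip_deny blocks the listed ones.
        return listed if fields["action"] == "ip_allow" else not listed
    return False  # assumption of this model: no matching rule means denied

def diagnose(records_text, ip_allow_text, client_ip, port):
    """Name the setting that would reject CONNECT <host>:<port>, or return 'ok'."""
    if not method_allowed(ip_allow_text, client_ip, "CONNECT"):
        return "ip_allow.config does not permit CONNECT for this client"
    if port not in connect_ports(records_text):
        return "port not in proxy.config.http.connect_ports"
    return "ok"

if __name__ == "__main__":
    print(diagnose(BROKEN_RECORDS, BROKEN_IP_ALLOW, "10.1.2.3", 443))
    print(diagnose(FIXED_RECORDS, FIXED_IP_ALLOW, "10.1.2.3", 443))
```

In this model a rule that lists the methods explicitly, such as method=GET|HEAD|POST|CONNECT, passes the same check as method=ALL while keeping other methods closed, which suits a proxy that is not meant to be open.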