Re: [Fwknop-discuss] An HTTP SPA through an http proxy
Brought to you by:
mbr
From: Michael R. <mb...@ci...> - 2009-08-03 05:53:48
|
On Aug 01, 2009, Jonathan Bennett wrote: > > Mike, thanks for getting back to me so quickly. >>> > I know that the --HTTP option in fwknop encapsulates a SPA in an >>> > HTTP request. At the moment, however, I can't come up with a good way to >>> > get that request to go through the proxy. >>> >> >> I suspect that the fwknop client is not able to create a "sufficiently >> valid" HTTP request according to what the proxy requires. For example, >> fwknop does not ensure that the SPA packet data starts with "/", and it >> also does not append, say, ".html" at the end > Actually, the main problem is that the proxy is not intercepting all > http requests. To get a http request to the internet, we have to > explicitly send that request to the proxy. This packet has to include > the FQDN in the request. In essence, we have to use wget to send > "Get HTTP://mydomain.com/BigLongFwknopKey" to the proxy. > My server sees "GET /BigLongFwknopKey HTTP/1.1" 404 461 "-" "Wget/1.10.2" > > I've compared the httpd logs from a valid SPA with the log entry of our > SPA going through the proxy. The two differences that I see is the > leading "/" and the "Wget/1.10.2" rather that "fwknop" at the end of the > packet.My suspicion is that the leading "/" is throwing off the SPA > detection. The leading slash was something the fwknopd server could not properly handle until now with this -pre release: http://www.cipherdyne.org/fwknop/download/fwknop-1.9.12-pre8.tar.gz I've also fixed an ordering bug in how the fwknop client builds HTTP headers. Can you give this version a try to see if it fixes the problem? If so, I will also address this in the fwknop-c client. >> (although hopefully the >> proxy doesn't actually require the later since lots of web traffic >> doesn't necessarily conform to this). > It does *not* require a ".html". It *does* require the FQDN > "http://mydomain.com" Ok, this should be fine in 1.9.12-pre8 as long as you use '-D host.domain.com' on the fwknop command line >> Also, if you are using GnuPG, >> then the resulting SPA packet data is most likely about 1,000 bytes long, >> so this may look suspicious to the proxy. Do you know what rules the >> proxy enforces? >> >> > It seems to allow any http request that has the full domain name. No UDP > of any sort can get through, though. There is also NTLM Authentication > required. Wget's proxy username-password options do work. >> You can monitor the requests the make it to your home webserver, >> correct? Can you try the following to see if the SPA data makes it >> through the proxy?: >> >> - Use the fwknop client to build an SPA packet, and use the "-v" option >> so that the SPA packet data will be printed on stdout. >> - Take the SPA packet data and use wget on the command line to manually >> build an HTTP request with this data. However, add "/" to the >> beginning of the data, and append ".html" to the end. >> - You can try this with both Rijndael and GnuPG, but I would try with >> Rijndael first (just don't use any --gpg options). >> >> > A "wget http://example.com/FwknopKey" does not get through. > With the proxy setting configured correctly in wget, that line does get > through, but doesn't trigger the port to open. In my situation, the > ".html" is not needed, but it wouldn't be a problem to be there. > > >> Please note that -v works with the new fwknop-c client too. >> >> If the above results in any of your SPA packets getting through the >> proxy as a valid HTTP request, then I will add support for this to the >> fwknop client (and the server will require a small modification too). >> >> > I'm going to suggest that you add support for a "--proxy" option for the > HTTP requests. It should send the request to the proxy address and port. > Having authentication for a proxy that needs it would be nice, but if > fwknopd would ignore that leading "/", we could use wget. My goal is to make it such that the fwknop client can build HTTP requests properly through proxies. I'm not sure what a --proxy option would do though beyond what '-D host.domain.com --Server-port 80' would do. And, it looks like wget just has --proxy-user and --proxy-password, so perhaps adding these two options would be sufficient for the fwknop client? >> Oh, one more thing, the fwknop-1.9.12-pre6 release did include one small >> change to build HTTP requests with SPA data such that the request uses >> the pre-DNS resolution hostname instead of the IP (if you provided a >> hostname with -D on the fwknop command line). This change was made to >> allow webservers to see the hostname so they can apply things like >> virtual hosting configs, etc. >> >> > This is perfect, as some proxies balk at a request for an ip. They want > the domain name. (the one we are fighting, especially) Yes, hopefully the 1.9.12-pre8 release will get things working. Thanks, --Mike >> Thanks, >> >> --Mike > > I really appreciate the help, > Jonathan Bennett > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day > trial. Simplify your report design, integration and deployment - and focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july > _______________________________________________ > Fwknop-discuss mailing list > Fwk...@li... > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss |