From: Chris H. <ha...@de...> - 2005-05-20 08:00:09
|
Package: apt-proxy
Version: 1.9.28
Tags: patch
Thanks Olivier for your message and patch. Filing a bug report to make sure this doesn't get forgotten, thanks
Chris
---------- Forwarded Message ----------
Subject: [Apt-proxy-users] Problem with apt-proxy, http backend and a new firewall
Date: Tuesday 19 Apr 2005 17:05
From: Olivier Bornet <Oli...@pu...>
To: apt...@li...
Hello all,
since Monday, we have a new firewall at work. And since Monday, we have
problems with apt-proxy. And it seems the problem is related to this new
firewall.
We have apt-proxy version 1.9.28 from debian testing distribution. All
http backends have stopped working, and "apt-get update" stops with a
timeout.
To isolate the problem, I have tried to do (aptproxy is our apt-proxy):
wget http://aptproxy:9999/debian/dists/testing/Release
and it results in a timeout after about 1 minute:
HTTP request sent, awaiting response... 504 Gateway Time-out
17:56:08 ERROR 504: Gateway Time-out.
Here is the trace from the apt-proxy log file:
==========================================================
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Headers: User-Agent: Wget/1.9.1, Host: aptproxy:9999, Accept: */*, Connection: Keep-Alive
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Request: GET /debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [file_ok] check_cached: /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [fetch_real] Consulting server about /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] Starting factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:43 CEST [Uninitialized] [http_client] GET:/ftp/mirror/debian/dists/testing/Release
2005/04/19 17:43 CEST [Uninitialized] [http_client] host:mirror.switch.ch
2005/04/19 17:44 CEST [FetcherHttp,client] [http_client] handleStatus 504 - Gateway Timeout
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Response code: 504 - None
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Type text/html
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Length 342
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Cache-Control no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Pragma no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Finished receiving data, status:504 saveData:1
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Last request removed
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] telling the transport to loseConnection
2005/04/19 17:44 CEST [FetcherHttp,client] [http-client] XXX clientConnectionLost
2005/04/19 17:44 CEST [FetcherHttp,client] Stopping factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] [debug] Client connection closed
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] Top 10:
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 84 Exception
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 32 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 28 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 24 StandardError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 23 ClientFactory
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 22 FetcherHttp
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 22 Protocol
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 20 SelectReactor
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 17 Warning
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 17 ValueError
==========================================================
Using netstat on aptproxy, I can see the connection to the real debian server
is established, so all seems to be OK.
The firewall is configured to accept everything from the inside network
to the outside.
The backend is:
==========================================================
[debian]
;; The main Debian archive
backends =
http://mirror.switch.ch/ftp/mirror/debian
==========================================================
What is strange is that we can do a wget on the real file from
the aptproxy computer!!! This means:
wget http://mirror.switch.ch/ftp/mirror/debian/dists/testing/Release
is working as expected...
The ftp backends are working OK. We have just problems with the http
backends.
We have also tried to use a tunnel over ssh to bypass the firewall, and in
this condition, apt-proxy is working OK.
What can I test/do to find the problem?
Thanks in advance for your help.
---------- Forwarded Message ----------
Subject: Re: [Apt-proxy-users] Problem with apt-proxy, http backend and a new firewall
Date: Wednesday 20 Apr 2005 11:28
From: Olivier Bornet <Oli...@pu...>
To: apt...@li...
Hello,
On Tue, Apr 19, 2005 at 06:05:20PM +0200, Olivier Bornet wrote:
> since Monday, we have a new firewall at work. And since Monday, we have
> problems with apt-proxy. And it seems the problem is related to this new
> firewall.
I have found a work-around for my problem by patching apt_proxy.py. I
don't know if this is a valid correction or not, but with this
correction, all seems to be OK.
The patch adds the hostname and port to the sendCommand(), even if we
don't go through a proxy...
Anyway, this seems to be a problem with our "new" firewall. It seems to
block simple sessions like:
telnet the-outside-web-server 80
GET /
You need to do at least:
telnet the-outside-web-server 80
GET / HTTP/1.0
Host: the-outside-web-server
You can also make:
telnet the-outside-web-server 80
GET http://the-outside-web-server/
Don't know if this filtering by the firewall is some kind of
"security rule", or if this is not a correct HTTP protocol to say only
"GET /".
Thanks for looking at the attached patch, and let me know if this is a
correct patch or not.
Good day.
Olivier
--
Olivier Bornet | français : http://puck.ch/f
Swiss Ice Hockey Results | english : http://puck.ch/e
http://puck.ch/ | deutsch : http://puck.ch/g
Oli...@pu... | italiano : http://puck.ch/i
Get my PGP-key at http://puck.ch/pgp or at http://pgp.mit.edu/
-------------------------------------------------------
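The three telnet sessions quoted in the message above differ in whether the request tells an intermediary which server it is for. The following is an added example, not code from apt-proxy or from the attached patch, that classifies raw requests that way. The function names and sample requests are constructed, and the idea that the firewall needs the target host is an assumption inferred from the thread.

```python
# Added example: classify raw HTTP requests by the three forms tried in the
# message above. The rule "a filtering middlebox needs the target host" is an
# assumption inferred from the thread, not the firewall's documented policy.
from urllib.parse import urlsplit


def describe_request(raw: bytes) -> dict:
    """Return the request form and where (if anywhere) it names its target host."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) not in (2, 3):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target = parts[0], parts[1]
    # No version token means an HTTP/0.9 "simple request" (RFC 1945).
    version = parts[2] if len(parts) == 3 else "HTTP/0.9"

    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    host_from_uri = urlsplit(target).netloc or None   # absolute-URI form
    host_from_header = headers.get("host")
    return {
        "method": method,
        "version": version,
        "host": host_from_uri or host_from_header,
        "host_source": "request-uri" if host_from_uri
                       else "host-header" if host_from_header else None,
    }


def names_target_host(raw: bytes) -> bool:
    """True when an intermediary could tell which server the request is for."""
    return describe_request(raw)["host"] is not None


# Constructed samples mirroring the telnet sessions quoted in the message.
SAMPLES = {
    "bare": b"GET /\r\n",
    "with_host": b"GET / HTTP/1.0\r\nHost: the-outside-web-server\r\n\r\n",
    "absolute": b"GET http://the-outside-web-server/\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, describe_request(raw))
```

Only the bare `GET /` form carries no host at all, which matches the one session the message reports as blocked.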