16 Replies, latest reply: Nov 2, 2009 1:52 PM by 807573

Proxy Returns 403 Forbidden For All Requests

807573 Oracle ACE
Greetings,

I'm new to the Java Web Proxy 4.0.11 and am trying to configure it as a reverse proxy in front of another web server. I followed the example in the admin guide to configure it, but the proxy returns a "403 Forbidden" for all requests. Below is my obj.conf. I suspect that it is falling through the NameTrans in the default object and hitting the Service fn=deny-service. I tried commenting this out, and when I do this, I receive a "405 Method Not Allowed".

Init fn="flex-init" access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->vars.p2c-cl% %Req->vars.remote-status% %Req->vars.r2p-cl% %Req->headers.content-length% %Req->vars.p2r-cl% %Req->vars.c2p-hl% %Req->vars.p2c-hl% %Req->vars.p2r-hl% %Req->vars.r2p-hl% %Req->vars.xfer-time%"
Init fn="init-proxy" timeout="300" timeout-2="15"

<Object name="default">
AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
NameTrans fn="reverse-map" from="http://deve-bcclearning.tanagerinc.com" to="http://proxydeve-bcclearning.tanagerinc.com:8080" rewrite-location="true" rewrite-content-location="true"
NameTrans fn="map" from="http://proxydeve-bcclearning.tanagerinc.com:8080" to="http://deve-bcclearning.tanagerinc.com" rewrite-host="true"
PathCheck fn="url-check"
PathCheck fn="check-acl" acl="default"
ObjectType fn="block-ip"
#Service fn="deny-service"
AddLog fn="flex-log" name="access"
</Object>

<Object name="file">
PathCheck fn="unix-uri-clean"
PathCheck fn="find-index" index-names="index.html"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service fn="send-file"
</Object>

<Object ppath="ftp://.*">
ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
Service fn="proxy-retrieve"
</Object>

<Object ppath="http://.*">
PathCheck fn="url-filter" bong-file="/opt/sun/proxyserver40/verboten.html"
PathCheck fn="check-acl" acl="http://.*"
ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
Service fn="proxy-retrieve" method="*"
</Object>

<Object ppath="https://.*">
Service fn="proxy-retrieve"
</Object>

<Object ppath="gopher://.*">
ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
Service fn="proxy-retrieve"
</Object>

<Object ppath="connect://.*:443">
Service fn="connect" method="CONNECT"
</Object>

<Object ppath="connect://.*:563">
Service fn="connect" method="CONNECT"
</Object>


Thanks,

Chris
  • 1. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    When the browser makes a request to the reverse proxy it thinks it is talking to a web server and the item requested is not fully qualified as in:
    GET /abc/def.html HTTP/1.0

    You'll need to create a mapping like:
    NameTrans fn="map" from="/" to="http://deve-bcclearning.tanagerinc.com/" rewrite-host="true"

    The deny-service is for all the items that the proxy is not configured to retrieve.
    Note that some of the objects that are at the bottom of the obj.conf are used in the forward proxy mode and are not needed for reverse proxy mode (if you are looking to tighten up the security).
  • 2. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    Thanks very much, this worked just as you said.

    But now I need to redirect http to https via the reverse proxy. I created a port 80 listener and tried to do this via a redirect URL, but couldn't get it to work. It seems like the redirect that you posted earlier takes precedence over any other that I add. If I do nothing, then someone can easily change the https to http in a url and the proxy will happily pass it on to the web server.

    Since my intention is to host the certificate on the reverse proxy, I need to be able to perform this redirect. Is the solution to create a second proxy server (on the same physical hardware) with a port 80 listener and perform the redirect there via a redirect NameTrans?
  • 3. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    Hi,

    Could you try setting up the reverse-proxy mappings to https? Would be interesting...

    NameTrans fn="reverse-map" from="http://deve-bcclearning.tanagerinc.com" to="https://proxydeve-bcclearning.tanagerinc.com:8080"


    InfoSeeker
  • 4. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    I did give that a try, but unfortunately it didn't work. I think what I would need it to do is process multiple NameTrans statements, because first I need it to redirect a request for "/" on port 80 to "/" on 443, then I need that same request reverse proxied through to the real web server, which is only listening on port 80.

    I've updated my config from the one above, below is the relevant portion.

    I have one proxy server that handles the secure connections, and reverse proxies to the real web server:

    <Object name="default">
    AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
    NameTrans fn="reverse-map" from="http://deve-bcclearning.tanagerinc.com" to="https://deve-bcclearning.tanagerinc.com" rewrite-location="true" rewrite-content-location="true"
    NameTrans fn="map" from="https://deve-bcclearning.tanagerinc.com:443" to="http://deve-bcclearning.tanagerinc.com" rewrite-host="true"
    NameTrans fn="map" from="/" to="http://deve-bcclearning.tanagerinc.com" rewrite-host="true"
    PathCheck fn="url-check"
    PathCheck fn="check-acl" acl="default"
    ObjectType fn="block-ip"
    Service fn="deny-service"
    AddLog fn="flex-log" name="access"
    </Object>

    I have a second proxy that handles unsecure connections, and redirects them to the secure proxy:

    <Object name="default">
    AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
    NameTrans fn="redirect" from="/" url="https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp"
    PathCheck fn="url-check"
    ObjectType fn="block-ip"
    Service fn="deny-service"
    AddLog fn="flex-log" name="access"
    </Object>

    This seems rather inelegant, but I can't seem to figure out how to get a single proxy server to handle the redirect from port 80 to 443 before performing the reverse proxy. I could handle the redirects at the web server, but that seems to defeat the purpose of putting a proxy in front of the webserver.

    Any opinions on how to do this better are welcome!
  • 5. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    If I understand what you are trying to do: you would like to have the reverse proxy accept SSL traffic and pass it to a non-SSL webserver, and you would also like to have a non-SSL endpoint on the proxy server to redirect traffic to the SSL reverse proxy. Correct?

    You should be able to do this with a single instance of the proxy by having it listen on two sockets, one with no security for the non-SSL endpoint and one with security for the SSL endpoint. Then in the obj.conf you can try the following setup. I think some of the mappings and protocol/hostname combinations in your post don't make sense so I altered some of the hostnames below. I also added trailing /'s to keep the partial URLs clearly delimited.

    <Object name="default">
    AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
    <Client security="off">
    NameTrans fn="redirect" from="/" url="https://proxy_deve-bcclearning.tanagerinc.com/plateau/user/login.jsp"
    </Client>
    NameTrans fn="reverse-map" from="http://web_deve-bcclearning.tanagerinc.com/" to="https://proxy_deve-bcclearning.tanagerinc.com/" rewrite-location="true" rewrite-content-location="true"
    NameTrans fn="map" from="/" to="http://web_deve-bcclearning.tanagerinc.com/" rewrite-host="true"
    PathCheck fn="url-check"
    PathCheck fn="check-acl" acl="default"
    ObjectType fn="block-ip"
    Service fn="deny-service"
    AddLog fn="flex-log" name="access"
    </Object>

    As I understand it, the proxy can act as either a forward proxy or a reverse proxy or both simultaneously. The fn="map" entries operate on the browser-to-proxy request and translate it into what the proxy-to-webserver request needs to be. The fn="reverse-map" is triggered when the webserver-to-proxy response is a 3xx redirect and translates the HTTP Location and Content-Location headers coming back from the webserver into the URL on the browser-to-proxy side. Be aware that the body of the HTML returned through the reverse proxy could contain absolute URLs for images, links, javascript, stylesheets, etc. which will cause requests to try to go around the reverse proxy. I believe the proxy has a rewrite capability to edit the HTML on-the-fly, but I have never used it and expect that things could get tricky. Another approach is to try to mandate that the content only contain relative URLs. I also removed the fn="map" entry where the from= part contains a protocol, host and port since it would only be needed when using the proxy as a forward proxy (at least with HTTP 1.0 and 1.1). As I mentioned before some of the Object entries could be removed to tighten security since they would also only be needed in the forward proxy mode. You will need to keep the ppath=http://.* one since the webserver URL is http://.
  • 6. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    Thanks so much for your help, this configuration gets me 99% of the way there. I've modified it slightly so that I don't have to have separate names for the proxy and web server:

    <Object name="default">
    AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
    <Client security="off">
    NameTrans fn="redirect" from="/" url="https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp"
    </Client>
    NameTrans fn="reverse-map" from="http://deve-bcclearning.tanagerinc.com/" to="https://deve-bcclearning.tanagerinc.com/" rewrite-location="true" rewrite-content-location="true"
    NameTrans fn="map" from="/" to="http://deve-bcclearning.tanagerinc.com/" rewrite-host="true"
    PathCheck fn="url-check"
    PathCheck fn="check-acl" acl="default"
    ObjectType fn="block-ip"
    Service fn="deny-service"
    AddLog fn="flex-log" name="access"
    </Object>


    This works fine when you open your browser to http://deve-bcclearning.tanagerinc.com: it redirects properly to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp

    But, when you open your browser directly to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp, you receive 404 - The requested URL / was not found on this server.

    I would have thought that a request for "/" via https would have been handled by the NameTrans map above, but it seems to be passing right through that, and I don't understand why. Can anyone shed some light on this for me?

    Thanks,

    Chris
  • 7. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    Are you saying that the proxy is running on deve-bcclearning.tanagerinc.com listening on both port 80 (non-secure) and 443 (secure)? Where is the target web server running?
  • 8. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    Correct, the proxy is listening on both 443 (secure) and 80 (non-secure), but the web server that it reverse proxies to is only listening on 80 (non-secure). My objective is to host the certificate for the website on the proxy, while the webserver listens only on 80 (non-secure). I have the certificate installed on the proxy, which works fine.

    The target web server is running on a separate Solaris server from the proxy. Since this is a development environment, there is no firewall between the proxy server and the web server.
  • 9. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    The reason for my question is that the config you posted seems to have everything on the same server with the proxy and web server both trying to use port 80. I had altered the server names in my earlier response to make the distinction a little clearer.

    When the browser connects non-securely to the proxy, the client tag will be used and requests under the doc root of / (all requests) will be redirected to the login.jsp page. When the browser connects securely to the proxy the NameTrans fn="map" will be used and requests under / will be connected to the to= location. The reverse-map will be used if the response from the web server is a redirect (like 302) and will try to edit the HTTP Location: header looking for the from= string (most likely the beginning of the webserver url) and replacing it with the to= value (should be the beginning of the proxy url).
  • 10. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    My apologies, I left out an important detail. The clients resolve the name deve-bcclearning.tanagerinc.com to the IP of the proxy. The proxy (via its local hosts file) resolves the name deve-bcclearning.tanagerinc.com to the IP of the web server that the proxy sits in front of. This is the reason that I have both listeners on the proxy, since in this configuration it needs to respond on both port 80 and port 443.

    The configuration that I'm using works fine except when a client tries to access https://deve-bcclearning.tanagerinc.com. When that request is made, the client receives a 404 - "the URL / is not found on the server".

    I think the problem is that when the client requests "/" via port 443, they need to be redirected to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp. When they request anything else, (as long as it is https), they need to be mapped through to the web server.

    The only way I can come up with to handle that situation is to have a Rewrite rule on my webserver that rewrites the request for "/" to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp. I've tried this, and it works fine. But it seems to me that this would be best handled at the proxy. I just can't seem to find a way to make it work.
  • 11. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    What is the current (or previous) behavior of the web server when requests for pages come in and the login.jsp page hasn't been visited first? What about urls deeper into the web site beyond the / doc root? It looks like there is the concept of authenticated vs. not authenticated already since there is a login.jsp.
  • 12. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    In the webserver (which is Apache) we have:

    RewriteEngine on
    RewriteRule ^/$ https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp

    So that a request for "/" gets redirected to the login page.

    If a user hasn't already logged in and tries to access a URL, they are redirected back to the login page. This is done by the app, not the web server. The app keeps track of whether the user has authenticated or not, and redirects them back if they haven't.
  • 13. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    So the web server didn't redirect requests for / to the login page before the proxy was added, but the proxy should do this? You could try adding a second client tag section just like the previous one with <Client uri="/"> instead. The resulting config would make requests for any path under http redirect to the login page, while only requests for / under https would get redirected.

    As I mentioned earlier, the returned pages could contain absolute urls for things. The reverse map only takes care of the redirect responses. But if the page contains absolute urls for images, etc. which would probably be http and refer to the web server name, then the effect of a hard redirect for http requests to the login page would be a problem. Since you are trying to make the proxy look just like the web server from the browser's perspective by manipulating the dns names and host file of the proxy, then you might be able to avoid this by changing the redirect in the security="off" case to use url-prefix="https://deve-bcclearning.tanagerinc.com/". This would cause more roundtrips if the content has absolute urls, but at least they might keep working if they exist.
  • 14. Re: Proxy Returns 403 Forbidden For All Requests
    807573 Oracle ACE
    I'm new to web proxies and am not sure if it is best practice to try and have the web proxy perform any redirects necessary or whether to allow the web server to perform them. It seems to me that it would be faster if the proxy did any redirects necessary, looking at things from a pure performance standpoint.

    I did try adding a second redirect in the client tag. Unfortunately, this didn't work because the from directive specifies a prefix, and a prefix of "/" is translated as "any request" rather than a request for "/", which is what I need. If I direct every request to the login page, then the site obviously won't work correctly. Since the redirect function doesn't allow for regular expressions in the from directive, it can't be made to do what I want.

    After looking through the config file reference, I thought that using the home-page function would work, but it is geared more for translating a request for "/" to a physical path. I tried having it translate "/" to /plateau/user/login.jsp, but I think the proxy looks for this on its own file system, rather than proxying it to the real web server, so the proxy denies the request, saying that the client doesn't have access to the resource.

    I can't think of another way to have the proxy do this redirect, so my only choice in this case is to have it done at the web server.

    Please let me know if you have any further thoughts here. Thanks for your help and patience.
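An added Python model, not the proxy's own code and not posted in this thread, of the rule semantics described in replies 5, 9, 13 and 14: from= is a prefix match (so "/" covers every path), a rule inside <Client security="off"> applies only to the plain-http listener, redirect url-prefix= keeps the rest of the request path where url= does not, and reverse-map rewrites the Location header of an upstream 3xx. The hostname and login path are the thread's; the assumption that url-prefix= appends the remainder of the request path follows reply 13.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    fn: str                         # "redirect" or "map"
    frm: str                        # the from= prefix, matched against the request path
    to: str                         # url= / url-prefix= (redirect) or to= (map)
    security: Optional[str] = None  # None = any listener; "off"/"on" = <Client security=...>
    url_prefix: bool = False        # redirect: url-prefix= keeps the rest of the path

SITE = "deve-bcclearning.tanagerinc.com"   # hostname from the thread
LOGIN = "https://%s/plateau/user/login.jsp" % SITE

# Reply 6's final default object, as rules tried in order.
RULES = [
    Rule("redirect", "/", LOGIN, security="off"),   # inside <Client security="off">
    Rule("map", "/", "http://%s/" % SITE),          # NameTrans fn="map" to the web server
]
# Reply 13's variant: redirect with url-prefix= so deep http links keep working.
RULES_URL_PREFIX = [
    Rule("redirect", "/", "https://%s/" % SITE, security="off", url_prefix=True),
    RULES[1],
]
REVERSE_FROM, REVERSE_TO = "http://%s/" % SITE, "https://%s/" % SITE

def name_trans(path: str, secure: bool, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Model of the request-side NameTrans stage: ("redirect", url),
    ("proxy", upstream_url) or ("deny", "").  from= is a prefix, so "/"
    matches every request, which is why reply 14 could not redirect only "/"."""
    for r in rules:
        if (r.security == "off" and secure) or (r.security == "on" and not secure):
            continue                    # rule sits in a <Client> tag for the other listener
        if not path.startswith(r.frm):
            continue
        rest = path[len(r.frm):]        # path after the matched prefix
        if r.fn == "redirect":
            return "redirect", (r.to + rest if r.url_prefix else r.to)
        if r.fn == "map":
            return "proxy", r.to + rest # trailing "/" on to= keeps the join clean
    return "deny", ""                   # fell through to Service fn="deny-service"

def reverse_map(location: str) -> str:
    """Model of fn="reverse-map": rewrite Location/Content-Location on an upstream
    3xx so the browser is sent back through the https side of the proxy."""
    if location.startswith(REVERSE_FROM):
        return REVERSE_TO + location[len(REVERSE_FROM):]
    return location                     # other absolute URLs pass through unchanged

if __name__ == "__main__":
    for path, secure in [("/", False), ("/plateau/x.css", False), ("/", True)]:
        print(path, "https" if secure else "http", "->", name_trans(path, secure))
    print(reverse_map("http://%s/plateau/user/login.jsp" % SITE))
```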