Package: apt-proxy
Version: 1.9.28
Tags: patch

Thanks Olivier for your message and patch. Filing a bug report to make sure this doesn't get forgotten, thanks

Chris

---------- Forwarded Message ----------
Subject: [Apt-proxy-users] Problem with apt-proxy, http backend and a new firewall
Date: Tuesday 19 Apr 2005 17:05
From: Olivier Bornet <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello all,

since Monday, we have a new firewall at work. And since Monday, we have problems with apt-proxy. And it seems the problem is related to this new firewall.

We have apt-proxy version 1.9.28 from the Debian testing distribution. All http backends have stopped working, and "apt-get update" stops with a timeout.

To isolate the problem, I have tried to do (aptproxy is our apt-proxy):

  wget http://aptproxy:9999/debian/dists/testing/Release

and it results in a timeout after about 1 minute:

  HTTP request sent, awaiting response... 504 Gateway Time-out
  17:56:08 ERROR 504: Gateway Time-out.

Here is the trace from the apt-proxy log file:

==========================================================
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Headers: User-Agent: Wget/1.9.1, Host: aptproxy:9999, Accept: */*, Connection: Keep-Alive
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Request: GET /debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [file_ok] check_cached: /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [fetch_real] Consulting server about /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] Starting factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:43 CEST [Uninitialized] [http_client] GET:/ftp/mirror/debian/dists/testing/Release
2005/04/19 17:43 CEST [Uninitialized] [http_client] host:mirror.switch.ch
2005/04/19 17:44 CEST [FetcherHttp,client] [http_client] handleStatus 504 - Gateway Timeout
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Response code: 504 - None
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Type text/html
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Length 342
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Cache-Control no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Pragma no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Finished receiving data, status:504 saveData:1
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Last request removed
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] telling the transport to loseConnection
2005/04/19 17:44 CEST [FetcherHttp,client] [http-client] XXX clientConnectionLost
2005/04/19 17:44 CEST [FetcherHttp,client] Stopping factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] [debug] Client connection closed
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] Top 10:
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 84 Exception
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 32 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 28 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 24 StandardError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 23 ClientFactory
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 22 FetcherHttp
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 22 Protocol
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 20 SelectReactor
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 17 Warning
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] 17 ValueError
==========================================================

Using netstat on aptproxy, I can see the connection to the real debian server is established, so all seems to be OK. The firewall is configured to accept everything from the inside network to the outside.

The backend is:

==========================================================
[debian]
;; The main Debian archive
backends = http://mirror.switch.ch/ftp/mirror/debian
==========================================================

What is strange is that we can do a wget on the real file from the aptproxy computer!!! This means:

  wget http://mirror.switch.ch/ftp/mirror/debian/dists/testing/Release

is working as expected...

The ftp backends are working OK. We just have problems with the http backends.

We have also tried to use a tunnel over ssh to bypass the firewall, and in this condition, apt-proxy is working OK.

What can I test/do to find the problem?

Thanks in advance for your help.

---------- Forwarded Message ----------
Subject: Re: [Apt-proxy-users] Problem with apt-proxy, http backend and a new firewall
Date: Wednesday 20 Apr 2005 11:28
From: Olivier Bornet <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello,

On Tue, Apr 19, 2005 at 06:05:20PM +0200, Olivier Bornet wrote:
> since Monday, we have a new firewall at work. And since Monday, we have
> problems with apt-proxy. And it seems the problem is related to this new
> firewall.

I have found a work-around for my problem by patching apt_proxy.py. I don't know if this is a valid correction or not, but with this correction, all seems to be OK.

The patch adds the hostname and port to the sendCommand(), even if we don't go through a proxy...

Anyway, this seems to be a problem with our "new" firewall. It seems to block simple sessions like:

  telnet the-outside-web-server 80
  GET /

You need to do at least:

  telnet the-outside-web-server 80
  GET / HTTP/1.0
  Host: the-outside-web-server

You can also make:

  telnet the-outside-web-server 80
  GET http://the-outside-web-server/

Don't know if this filtering by the firewall is some kind of "security rule", or if this is not a correct HTTP protocol to say only "GET /".

Thanks for looking at the attached patch, and let me know if this is a correct patch or not.

Good day.

Olivier
--
Olivier Bornet                      |    français : http://puck.ch/f
Swiss Ice Hockey Results            |    english  : http://puck.ch/e
http://puck.ch/                     |    deutsch  : http://puck.ch/g
[EMAIL PROTECTED]                   |    italiano : http://puck.ch/i
Get my PGP-key at http://puck.ch/pgp or at http://pgp.mit.edu/
-------------------------------------------------------
--- /usr/lib/python2.3/site-packages/apt_proxy/apt_proxy.py 2005-03-03 17:19:37.000000000 +0100 +++ apt_proxy_bol/apt_proxy.py 2005-04-20 10:55:43.000000000 +0200 @@ -576,8 +576,11 @@ ClientFactory(self), request.backend.timeout) def connectionMade(self): if not self.proxy_host: - self.sendCommand(self.request.method, self.request.backendServer.path - + "/" + self.request.backend_uri) + self.sendCommand(self.request.method, + "http://%s:%d%s/%s" % (self.request.backendServer.host, + self.request.backendServer.port, + self.request.backendServer.path, + self.request.backend_uri)) else: self.sendCommand(self.request.method, "http://" + self.request.backendServer.host + ":" + str(self.request.backendServer.port)
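
Review bot: in the `if not self.proxy_host:` branch of `connectionMade`, the new `sendCommand` call sends a proxy-style absolute URI (`"http://%s:%d%s/%s"`) directly to the backend server, which HTTP/1.1 servers must accept but HTTP/1.0-only backends are not required to; keeping the original path-only request target and making sure a `Host:` header goes out with it (the form the second telnet session in the message shows the firewall accepting) would be the more conservative fix. After this change the branch builds the same `http://host:port` prefix that the `else` branch starts with, so the `proxy_host` test could be dropped and the URL built once. The `%d` also raises a TypeError if `backendServer.port` is ever not a number, whereas the `else` branch's `str(self.request.backendServer.port)` does not, so the two should use the same conversion.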
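
As an added illustration (not part of the original report and not apt-proxy's code): the three telnet sessions in the message differ in whether the request itself names a destination host, which is consistent with the firewall behaviour described but is an inference, not a documented rule. `named_host` and `request_target` are hypothetical helpers, port 80 is assumed, and only the request target is modelled, not any headers apt-proxy adds.

```python
from urllib.parse import urlsplit

def named_host(raw: bytes):
    """Return the destination host a request names (absolute URI or Host header), else None."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("latin-1")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        return None                      # not a request line
    url = urlsplit(parts[1])
    if url.scheme == "http" and url.hostname:
        return url.hostname              # absolute-form target carries the host
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().split(":")[0] or None
    return None

def request_target(host, port, path, backend_uri, patched):
    """Request target built by the non-proxy branch, before and after the patch."""
    if patched:
        return "http://%s:%d%s/%s" % (host, port, path, backend_uri)
    return path + "/" + backend_uri

# Constructed from the three telnet sessions quoted in the message.
SESSIONS = {
    "bare": b"GET /\r\n",
    "versioned+host": b"GET / HTTP/1.0\r\nHost: the-outside-web-server\r\n\r\n",
    "absolute": b"GET http://the-outside-web-server/\r\n",
}

if __name__ == "__main__":
    for label, raw in SESSIONS.items():
        print(label, "->", named_host(raw))
    for patched in (False, True):
        # host and path come from the [debian] backend in the message; port 80 is assumed
        target = request_target("mirror.switch.ch", 80, "/ftp/mirror/debian",
                                "dists/testing/Release", patched)
        print(target, "->", named_host(("GET %s\r\n" % target).encode()))
```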