Package: apt-proxy
Version: 1.9.28
Tags: patch

Thanks Olivier for your message and patch.  Filing a bug report to make sure 
this doesn't get forgotten, thanks

Chris

----------  Forwarded Message  ----------

Subject: [Apt-proxy-users] Problem with apt-proxy, http backend and a new 
firewall
Date: Tuesday 19 Apr 2005 17:05
From: Olivier Bornet <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello all,

since Monday, we have a new firewall at work. And since Monday, we have
problems with apt-proxy. And it seems the problem is related to this new
firewall.

We have apt-proxy version 1.9.28 from the Debian testing distribution. All
http backends have stopped working, and "apt-get update" stops with a
timeout.

To isolate the problem, I have tried the following (aptproxy is our apt-proxy):

wget http://aptproxy:9999/debian/dists/testing/Release

and it results in a timeout after about 1 minute:
HTTP request sent, awaiting response... 504 Gateway Time-out
17:56:08 ERROR 504: Gateway Time-out.

Here is the trace from the apt-proxy log file:

==========================================================
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Headers: User-Agent: Wget/1.9.1, Host: aptproxy:9999, Accept: */*, Connection: Keep-Alive
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [debug] Request: GET /debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [file_ok] check_cached: /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [fetch_real] Consulting server about /var/cache/apt-proxy/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] [Fetcher.activate] (debian) servers:1/debian/dists/testing/Release
2005/04/19 17:43 CEST [Channel,3,192.33.221.75] Starting factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:43 CEST [Uninitialized] [http_client] GET:/ftp/mirror/debian/dists/testing/Release
2005/04/19 17:43 CEST [Uninitialized] [http_client] host:mirror.switch.ch
2005/04/19 17:44 CEST [FetcherHttp,client] [http_client] handleStatus 504 - Gateway Timeout
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Response code: 504 - None
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Type text/html
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Content-Length 342
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Cache-Control no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [debug] Received: Pragma no-cache
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Finished receiving data, status:504 saveData:1
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] Last request removed
2005/04/19 17:44 CEST [FetcherHttp,client] [Fetcher] telling the transport to loseConnection
2005/04/19 17:44 CEST [FetcherHttp,client] [http-client] XXX clientConnectionLost
2005/04/19 17:44 CEST [FetcherHttp,client] Stopping factory <apt_proxy.apt_proxy.ClientFactory instance at 0x40a1722c>
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] [debug] Client connection closed
2005/04/19 17:44 CEST [Channel,3,192.33.221.75] Top 10:
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         84 Exception
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         32 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         28 DBError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         24 StandardError
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         23 ClientFactory
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         22 FetcherHttp
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         22 Protocol
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         20 SelectReactor
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         17 Warning
2005/04/19 17:44 CEST [Channel,3,192.33.221.75]         17 ValueError
==========================================================

Using netstat on aptproxy, I can see the connection to the real debian server
is established, so all seems to be OK.

The firewall is configured to accept everything from the inside network
to the outside.

The backend is:

==========================================================
[debian]
;; The main Debian archive
backends =
        http://mirror.switch.ch/ftp/mirror/debian
==========================================================

What is strange is that we can do a wget on the real file from the
aptproxy computer!!! This means:
wget http://mirror.switch.ch/ftp/mirror/debian/dists/testing/Release
is working as expected...

The ftp backends are working OK. We have just problems with the http
backends.

We have also tried to use a tunnel over ssh to bypass the firewall, and in
this condition, apt-proxy is working OK.

What can I test/do to find the problem?

Thanks in advance for your help.

----------  Forwarded Message  ----------

Subject: Re: [Apt-proxy-users] Problem with apt-proxy, http backend and a new 
firewall
Date: Wednesday 20 Apr 2005 11:28
From: Olivier Bornet <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hello,

On Tue, Apr 19, 2005 at 06:05:20PM +0200, Olivier Bornet wrote:
> since Monday, we have a new firewall at work. And since Monday, we have
> problems with apt-proxy. And it seems the problem is related to this new
> firewall.

I have found a work-around for my problem by patching apt_proxy.py. I
don't know if this is a valid correction or not, but with this
correction, all seems to be OK.

The patch adds the hostname and port to the sendCommand(), even if we
don't go through a proxy...

Anyway, this seems to be a problem with our "new" firewall. It seems to
block simple sessions like:

    telnet the-outside-web-server 80
    GET /

You need to do at least:

    telnet the-outside-web-server 80
    GET / HTTP/1.0
    Host: the-outside-web-server

You can also make:

    telnet the-outside-web-server 80
    GET http://the-outside-web-server/

Don't know if this filtering by the firewall is some kind of
"security rule", or if this is not a correct HTTP protocol to say only
"GET /".

Thanks for looking at the attached patch, and let me know if this is a
correct patch or not.

Good day.

        Olivier
--
Olivier Bornet                |    français : http://puck.ch/f
Swiss Ice Hockey Results      |    english  : http://puck.ch/e
http://puck.ch/               |    deutsch  : http://puck.ch/g
[EMAIL PROTECTED]        |    italiano : http://puck.ch/i
Get my PGP-key at http://puck.ch/pgp or at http://pgp.mit.edu/

-------------------------------------------------------
--- /usr/lib/python2.3/site-packages/apt_proxy/apt_proxy.py     2005-03-03 
17:19:37.000000000 +0100
+++ apt_proxy_bol/apt_proxy.py  2005-04-20 10:55:43.000000000 +0200
@@ -576,8 +576,11 @@
                                ClientFactory(self), request.backend.timeout)
     def connectionMade(self):
         if not self.proxy_host:
-            self.sendCommand(self.request.method, 
self.request.backendServer.path
-                             + "/" + self.request.backend_uri)
+            self.sendCommand(self.request.method,
+                             "http://%s:%d%s/%s"; % 
(self.request.backendServer.host,
+                                                 
self.request.backendServer.port,
+                                                 
self.request.backendServer.path,
+                                                 self.request.backend_uri))
         else:
             self.sendCommand(self.request.method, "http://";
                              + self.request.backendServer.host + ":" + 
str(self.request.backendServer.port)
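
Review bot: In the `if not self.proxy_host:` branch the request target becomes absolute-form (`http://host:port/path/uri`), which is the form a client sends to a proxy; HTTP/1.1 origin servers are required to accept it, but an HTTP/1.0-only backend may not, so the change can fix the firewall case and break older mirrors. The telnet test in the message shows the firewall also passes an origin-form request with a version and a `Host:` header, so before changing the form it is worth checking what request line and headers actually leave the proxy on a direct connection (this hunk does not show them) and, if `Host:` is missing, adding it while keeping `backendServer.path + "/" + backend_uri` as the target. If the absolute form stays, both branches now build nearly the same string and could share one expression, and the new `%d` will raise when `backendServer.port` is not an integer, where the `else` branch uses `str(...)`.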

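
The three hand-typed requests in the second message differ in whether the request itself names the destination host. As an added example (not part of the original messages and not apt-proxy code), this classifier reports the request form and the host a filtering device could read from each one; the sample requests are constructed from the host names in the thread, and the idea that the firewall keys on the host being present is an assumption drawn from the three telnet results.

```python
from urllib.parse import urlsplit

def classify_request(raw: bytes) -> dict:
    """Classify a raw HTTP request head and report the host it names, if any."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split()
    if len(parts) == 2:            # "GET /": no version token, HTTP/0.9 style
        (method, target), version = parts, "HTTP/0.9"
    elif len(parts) == 3:
        method, target, version = parts
    else:
        raise ValueError("malformed request line: %r" % lines[0])

    headers = {}
    if version != "HTTP/0.9":      # a versionless request carries no headers
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()

    url = urlsplit(target)
    if url.scheme and url.netloc:  # "GET http://host/..." names the host itself
        form, host = "absolute-form", url.hostname
    else:                          # "GET /path": host only via a Host header
        form = "origin-form"
        host = urlsplit("//" + headers["host"]).hostname if "host" in headers else None
    return {"method": method, "form": form, "version": version, "host": host}

# Constructed samples: the three hand-typed requests from the message, plus a
# request line shaped like the one the patch builds (version token assumed).
SAMPLES = {
    "bare": b"GET /\r\n",
    "with_host": b"GET / HTTP/1.0\r\nHost: the-outside-web-server\r\n\r\n",
    "absolute": b"GET http://the-outside-web-server/\r\n",
    "patched": b"GET http://mirror.switch.ch:80/ftp/mirror/debian/dists/testing/Release HTTP/1.0\r\n\r\n",
}

def hosts_named() -> dict:
    """Map each sample to the destination host a filter could read from it."""
    return {name: classify_request(raw)["host"] for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_request(raw))
```

Only the bare `GET /` yields no host, which matches the one request the message reports as blocked.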