0

I’m having trouble connecting a forward proxy with the reverse proxy, both supported by tinyproxy (version 1.8.3). I don’t know if it is a problem with the configuration.

I’m testing these proxies with 4 virtual machines running Debian GNU/Linux 8.9 (jessie). These machines represent a client, a forward proxy, reverse proxy and the server. I’m setting up the communication between the forward and the reverse proxy.

The server is running Apache server, that returns the default HTML page saying “It works”.

The desired behavior is for the client to communicate with the server through the forward proxy that upstreams to the reverse proxy which interacts with the server: Client (10.0.2.33) -> forward proxy (10.0.2.35) -> reverse proxy (10.0.2.36) -> server (10.0.2.34)

To test the system I use this curl command in the client machine:

curl -v --proxy http://10.0.2.35:8888 http://10.0.2.34:80/

Forward proxy configuration file:

## tinyproxy.conf -- tinyproxy daemon configuration file

User nobody
Group nogroup

Port 8888
Listen 10.0.2.35
BindSame yes
Timeout 600

DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
#Syslog On
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"

#Upstream 10.0.2.36:8888 "10.0.2.0/24"
Upstream 10.0.2.36:8888

MaxClients 100
MinSpareServers 2
MaxSpareServers 5
StartServers 2
MaxRequestsPerChild 0

Allow 127.0.0.1
Allow 10.0.2.0/24

ViaProxyName "tinyproxy1"

ConnectPort 8888
ConnectPort 80

# The following two ports are used by SSL.
ConnectPort 443
ConnectPort 563

Reverse proxy configuration file:

## tinyproxy.conf -- tinyproxy daemon configuration file

User nobody
Group nogroup

Port 8888
Listen 10.0.2.36

BindSame yes
Timeout 600

StatFile "/usr/share/tinyproxy/stats.html"
Logfile "/var/log/tinyproxy/tinyproxy.log"
#Syslog On
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"

no upstream "10.0.2.34:80"
#no upstream "."

MaxClients 5
MinSpareServers 2
MaxSpareServers 5
StartServers 2

MaxRequestsPerChild 0

Allow 127.0.0.1
Allow 10.0.2.0/24
Allow 10.0.2.35

ViaProxyName "tinyproxy2"

ConnectPort 8888
ConnectPort 80

# The following two ports are used by SSL.
ConnectPort 443
ConnectPort 563

ReversePath "/" "http://10.0.2.34:80/"
ReversePath "/wired/" "http://www.wired.com/"

ReverseOnly Yes
ReverseMagic Yes
ReverseBaseURL "http://10.0.2.34:80/"

These are the TCP flow stream captured by Wireshark:

Flow [client <-> forward proxy]

GET http://10.0.2.34:80/ HTTP/1.1
User-Agent: curl/7.38.0
Host: 10.0.2.34
Accept: */*
Proxy-Connection: Keep-Alive

HTTP/1.0 400 Bad Request
Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
Server: tinyproxy/1.8.3
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head><title>400 Bad Request</title></head>
<body>
<h1>Bad Request</h1>
<p>Request has an invalid URL</p>
<hr />
<p><em>Generated by tinyproxy version 1.8.3.</em></p>
</body>
</html>

Flow [forward proxy <-> reverse proxy]

GET http://10.0.2.34:80/ HTTP/1.0
Host: 10.0.2.34
Connection: close
Via: 1.1 tinyproxy1 (tinyproxy/1.8.3)
User-Agent: curl/7.38.0
Accept: */*

HTTP/1.0 400 Bad Request
Server: tinyproxy/1.8.3
Content-Type: text/html
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head><title>400 Bad Request</title></head>
<body>
<h1>Bad Request</h1>
<p>Request has an invalid URL</p>
<hr />
<p><em>Generated by tinyproxy version 1.8.3.</em></p>
</body>
</html>

These are the outputs for the tinyproxy log file:

Forward proxy

CONNECT   Dec 10 22:05:08 [2788]: Connect (file descriptor 6): 10.0.2.33 [10.0.2.33] at [10.0.2.35]
CONNECT   Dec 10 22:05:08 [2788]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.1
INFO      Dec 10 22:05:08 [2788]: Found upstream proxy 10.0.2.36:8888 for 10.0.2.34
CONNECT   Dec 10 22:05:08 [2788]: Established connection to upstream proxy "10.0.2.36" using file descriptor 7.
INFO      Dec 10 22:05:08 [2788]: Closed connection between local client (fd:6) and remote client (fd:7)

Reverse proxy

CONNECT   Dec 10 22:05:08 [4487]: Connect (file descriptor 6): 10.0.2.35 [10.0.2.35] at [10.0.2.36]
CONNECT   Dec 10 22:05:08 [4487]: Request (file descriptor 6): GET http://10.0.2.34:80/ HTTP/1.0
ERROR     Dec 10 22:05:08 [4487]: Bad request
INFO      Dec 10 22:05:08 [4487]: no entity

Currently, I can access the server page within the reverse proxy machine, “curl”ing http://10.0.2.34:80/ and http://10.0.2.36:8888/ because of my reverse proxy configuration (ReversePath). Next image shows the Wireshark capture in the reverse proxy machine.

Image from reverse proxy access to server captures

With all this configuration all I'm getting in the client's machine is 400 bad request error message from the reverse proxy.

isabel
  • 1
  • 1
  • 3
  • The origin is returning the bad request. Start there. – womble Dec 11 '17 at 01:27
  • Thanks @womble I already tried to see the problem with Bad Request, and couldn't figure it out anyways. Despite that, I will try to look again from a fresh point of view. – isabel Dec 11 '17 at 19:28
  • Well, looking at your proxy when your app is the one causing the problem is a little like looking for your keys near the streetlight, when you dropped them somewhere else, just because "the light is better over here". – womble Dec 12 '17 at 00:22
  • @womble The original request is not bad, but it appears to be misinterpreted. Do you have any suggestions on how to setup just the reverse proxy? – Miguel Pardal Dec 12 '17 at 13:14

1 Answers1

0

This issue was solved. The way to test this is not by requesting the page directly to the server, but to the reverse proxy machine. Plus the Forward proxy should not upstream the traffic to the Reverse proxy.

Th reverse proxy cannot understand the request sent to the host/server, if the forward proxy upstreams the traffic because they work differently.

The right configuration for the forward proxy has to exclude the line:

upstream 10.0.2.36:8888

Because the reverse proxy has the following rule:

ReversePath “/” “http://10.0.2.34:80/”

When requesting the server resource (the page "It works" from Apache), the reverse proxy (10.0.2.36) will request for the server (10.0.2.34) once we request “http://10.0.2.36:8888/

We should run curl to the reverse proxy with:

curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888/

Then we can see that the configuration works, with the following output:

root@debian:/home/debian# curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888
* Rebuilt URL to: http://10.0.2.36:8888/
* Hostname was NOT found in DNS cache
*   Trying 10.0.2.35...
* Connected to 10.0.2.35 (10.0.2.35) port 8888 (#0)
> GET http://10.0.2.36:8888/ HTTP/1.1
> User-Agent: curl/7.38.0
> Host: 10.0.2.36:8888
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Via: 1.0 tinyproxy2 (tinyproxy/1.8.3), 1.1 tinyproxy1 (tinyproxy/1.8.3)
< Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
< Date: Tue, 12 Dec 2017 23:01:37 GMT
< Content-Type: text/html
< ETag: "2d-432a5e4a73a80"
< Set-Cookie: yummy_magical_cookie=/; path=/
* Server Apache/2.4.29 (Unix) is not blacklisted
< Server: Apache/2.4.29 (Unix)
< Content-Length: 45
< Accept-Ranges: bytes
< 
<html><body><h1>It works!</h1></body></html>
* Connection #0 to host 10.0.2.35 left intact
isabel
  • 1
  • 1
  • 3