From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Question regarding upstream proxy validation in ids-functions.pl
Date: Sat, 18 May 2019 15:14:00 +0000
Message-ID: <7433eaad-7c6d-dfd2-84c8-2409d71b4b3b@ipfire.org>

Hello Stefan,

while upgrading to Core Update 131, I stumbled across the
"downloadruleset()" function in ids-functions.pl. It seems
to contain a validation for read proxy information which is
faulty and will not return any information.

By removing the validation as shown in the diff below, the
CGI works correctly behind an upstream proxy:

diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index deb287bb7..5530da11e 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -174,28 +174,18 @@ sub downloadruleset {
# Check if an upstream proxy is configured.
if ($proxysettings{'UPSTREAM_PROXY'}) {
- my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
my $proxy_url;
- # Check if we got a peer.
- if ($peer) {
- $proxy_url = "http://";
+ $proxy_url = "http://";
- # Check if the proxy requires authentication.
- if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) {
- $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@";
- }
-
- # Add proxy server address and port.
- $proxy_url .= "$peer\:$peerport";
- } else {
- # Log error message and break.
- &_log_to_syslog("Could not proper configure the proxy server access.");
-
- # Return "1" - false.
- return 1;
+ # Check if the proxy requires authentication.
+ if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) {
+ $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@";
}
+ # Add proxy server address and port.
+ $proxy_url .= $proxysettings{'UPSTREAM_PROXY'};
+
# Setup proxy settings.
$downloader->proxy(['http', 'https'], $proxy_url);
}
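
Review bot: In the removed line `my ($peer, $peerport) = (/^.../);` the match has no `=~` binding, so it runs against `$_` rather than `$proxysettings{'UPSTREAM_PROXY'}`, which would explain `$peer` coming back empty and the "Could not proper configure the proxy server access." branch being taken. Binding the match to `$proxysettings{'UPSTREAM_PROXY'}` would keep the check instead of dropping it: with this hunk, `$proxy_url .= $proxysettings{'UPSTREAM_PROXY'};` appends the setting verbatim after "http://", so a value that already carries a scheme, credentials or a path (all of which the old pattern accepted and stripped) reaches `$downloader->proxy()` unchecked. If the check is restored, note also that the port group in the pattern is optional, so `"$peer\:$peerport"` needs a guard for the no-port case, and that `UPSTREAM_USER` and `UPSTREAM_PASSWORD` are interpolated without escaping, so a `:` or `@` in either changes how the URL is parsed.
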
Since I guess the validation was intentional, could you please
explain to me what it was supposed to do? I am not sure if I got
the regex right...

Either way, the CGI is currently not working behind an upstream
proxy. To be honest, I accidentally have not tested this (firewall
talked directly to the internet :-/ ), sorry.

Thanks, and best regards,
Peter Müller
--
The road to Hades is easy to travel.
-- Bion of Borysthenes