Hello Stefan,
while upgrading to Core Update 131, I stumbled across the "downloadruleset()" function in ids-functions.pl. It seems to contain a validation for read proxy information which is faulty and will not return any information.
By removing the validation as shown in the diff below, the CGI works correctly behind an upstream proxy:
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index deb287bb7..5530da11e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -174,28 +174,18 @@ sub downloadruleset {
# Check if an upstream proxy is configured. if ($proxysettings{'UPSTREAM_PROXY'}) { - my ($peer, $peerport) = (/^(?:[a-zA-Z ]+://)?(?:[A-Za-z0-9_.-]*?(?::[A-Za-z0-9_.-]*?)?@)?([a-zA-Z0-9._-]*?)(?::([0-9]{1,5}))?(?:/.*?)?$/); my $proxy_url;
- # Check if we got a peer. - if ($peer) { - $proxy_url = "http://"; + $proxy_url = "http://";
- # Check if the proxy requires authentication. - if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { - $proxy_url .= "$proxysettings{'UPSTREAM_USER'}:$proxysettings{'UPSTREAM_PASSWORD'}@"; - } - - # Add proxy server address and port. - $proxy_url .= "$peer:$peerport"; - } else { - # Log error message and break. - &_log_to_syslog("Could not proper configure the proxy server access."); - - # Return "1" - false. - return 1; + # Check if the proxy requires authentication. + if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) { + $proxy_url .= "$proxysettings{'UPSTREAM_USER'}:$proxysettings{'UPSTREAM_PASSWORD'}@"; }
+ # Add proxy server address and port. + $proxy_url .= $proxysettings{'UPSTREAM_PROXY'}; + # Setup proxy settings. $downloader->proxy(['http', 'https'], $proxy_url); }
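Review bot: the removed match on the `my ($peer, $peerport) = (/^.../);` line has no `=~` binding, so it is evaluated against `$_` rather than `$proxysettings{'UPSTREAM_PROXY'}`, which would explain the check never finding a peer; binding the pattern to the setting would address that without dropping the validation. With the check removed, `$proxy_url .= $proxysettings{'UPSTREAM_PROXY'};` appends the raw setting after the hard-coded "http://", so a value stored with a scheme or a path yields a malformed proxy URL, and the `_log_to_syslog` error path for an unusable setting is gone. If the regex is kept, the port group is optional in the pattern, so `"$peer:$peerport"` needs a guard for the case where no port is given. Separately, `UPSTREAM_USER` and `UPSTREAM_PASSWORD` are interpolated into the URL unescaped, so an `@`, `:` or `/` in either value breaks the authority part; escaping them before concatenation would be worth adding here.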
Since I guess the validation was intentional, could you please explain to me what it was supposed to do? I am not sure if I got the regex right...
Either way, the CGI is currently not working behind an upstream proxy. To be honest, I accidentally have not tested this (firewall talked directly to the internet :-/ ), sorry.
Thanks, and best regards, Peter Müller