STunnel not working after upgrade to X1 2.4

 
jefframage
-


Joined: 27 Jan 2007
Posts: 3

Posted: Sat Jan 27, 2007 7:40 am    Post subject: STunnel not working after upgrade to X1 2.4

I had been using STunnel to proxy http traffic on port 81 to port 444 using Abyss 2.3.3.2 without a problem.
I recently upgraded to 2.4 and find that when I go to https://www.mysite.ca:444/photo I am prompted for a username and password as expected, then I get "This page cannot be displayed".
If I click refresh I get the content but the URL has been changed to http://www.mysite.ca:444/photo.
Everything works fine if I use http://www.mysite.ca:81/photo from inside the network; but I don't have that port opened up on the router for obvious reasons.

I think this is related to the new URL rewrite feature, but I'm not sure.

Any ideas?
jefframage
-


Joined: 27 Jan 2007
Posts: 3

Posted: Sat Jan 27, 2007 8:38 pm    Post subject: Further information

The STunnel error looks like this: SSL_accept: 1407609C: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
I looked this up, and it seems to indicate that the STunnel application is receiving an http request rather than an https request.
I removed the URL Rewrite section, and adjusted the version number at the bottom of the abyss.conf file.
I performed a "downgrade" to the previous release (2.3.2) by running the install of the previous release and everything is working fine.

I would like to find out how to make STunnel work with 2.4; anybody have any ideas?
cmxflash
-


Joined: 11 Dec 2004
Posts: 872

Posted: Sat Jan 27, 2007 9:28 pm

Works great here with 2.4.

Here's my configuration file for STunnel:

Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = test.pem
;key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration


[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; vim:ft=dosini


I'm running the latest version of STunnel.
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

Posted: Mon Jan 29, 2007 1:43 am    Post subject: Re: Further information

jefframage wrote:
I removed the URL Rewrite section, and adjusted the version number at the bottom of the abyss.conf file.


You'll have to isolate the problem. But as you have said above, you have a URL rewriting which may be the cause of the wrong redirections. How was it configured (URL rewriting)?
_________________
Support Team
Aprelium - http://www.aprelium.com
jefframage
-


Joined: 27 Jan 2007
Posts: 3

Posted: Wed Jan 31, 2007 6:25 pm    Post subject: Re: Further information

I had made no changes to the URL Rewrite area of the config. I opened the area in the console to look at the options, but didn't set anything.
When I subsequently deleted the area from the conf file there were no settings present, just the section headers.

Quote:
You'll have to isolate the problem. But as you have said above, you have a URL rewriting which may be the cause of the wrong redirections. How was it configured (URL rewriting)?
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

Posted: Wed Jan 31, 2007 7:12 pm    Post subject: Re: Further information

jefframage,

We suggest that you use 2.3.2 until we find the cause of that behavior. Please contact support@aprelium.com and send them your abyss.conf file as well as the name of the script you are using.
_________________
Support Team
Aprelium - http://www.aprelium.com
john81
-


Joined: 02 Feb 2007
Posts: 3

Posted: Fri Feb 02, 2007 9:31 pm

I am having the same issue, I believe,
using 2.4 and the latest version of STunnel.

When I access my site at http://site.com:81/dir
it will load the index file inside the dir folder.
If I go to https://site.com/dir
I get a 403 error...

Here is my access log:
Code:

65.xx.xx.181 - user [02/Feb/2007:15:27:09 -0500] "GET /directory HTTP/1.1" 301 415 ""
65.xx.xx.181 - useruser [02/Feb/2007:15:27:09 -0500] "GET /directory/ HTTP/1.1" 200 21 ""


127.0.0.1 - user [02/Feb/2007:15:28:00 -0500] "GET /directory HTTP/1.1" 301 415 ""

It appears none of my custom error pages work either :(

Where does one download a copy of the 2.3 version?
edimatrix
-


Joined: 23 Sep 2004
Posts: 34
Location: Sydenham, Greater London, UK

Posted: Sat Feb 03, 2007 12:36 pm

I was intrigued by this thread. I have used Stunnel successfully for many things, but had never tried https. Using the same stunnel.conf entries as cmxflash, I forwarded port 443 in my router, temporarily turned off the firewall on the Abyss PC, and then tried to connect to the homepage using https instead of http. It failed, but there was no entry in the Abyss log. The relevant section in the stunnel log was

Code:
2007.02.03 11:24:24 LOG7[3356:1264]: https accepted FD=1824 from 10.0.0.3:1719
2007.02.03 11:24:24 LOG7[3356:1264]: Creating a new thread
2007.02.03 11:24:24 LOG7[3356:1264]: New thread created
2007.02.03 11:24:24 LOG7[3356:2144]: https started
2007.02.03 11:24:24 LOG7[3356:2144]: FD 1824 in non-blocking mode
2007.02.03 11:24:24 LOG7[3356:2144]: TCP_NODELAY option set on local socket
2007.02.03 11:24:24 LOG5[3356:2144]: https accepted connection from 10.0.0.3:1719
2007.02.03 11:24:24 LOG7[3356:2144]: FD 1800 in non-blocking mode
2007.02.03 11:24:24 LOG7[3356:2144]: https connecting 127.0.0.1:80
2007.02.03 11:24:24 LOG7[3356:2144]: connect_wait: waiting 10 seconds
2007.02.03 11:24:24 LOG7[3356:2144]: connect_wait: connected
2007.02.03 11:24:24 LOG5[3356:2144]: https connected remote server from 127.0.0.1:1720
2007.02.03 11:24:24 LOG7[3356:2144]: Remote FD=1800 initialized
2007.02.03 11:24:24 LOG7[3356:2144]: TCP_NODELAY option set on remote socket
2007.02.03 11:24:24 LOG7[3356:2144]: SSL state (connect): before/connect initialization
2007.02.03 11:24:24 LOG7[3356:2144]: SSL state (connect): SSLv3 write client hello A
2007.02.03 11:24:34 LOG3[3356:2144]: SSL_connect: Peer suddenly disconnected
2007.02.03 11:24:34 LOG5[3356:2144]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.02.03 11:24:34 LOG7[3356:2144]: https finished (0 left)


Beyond my level of competence to interpret what happened!

Regards
Chris
john81
-


Joined: 02 Feb 2007
Posts: 3

Posted: Sat Feb 03, 2007 11:37 pm

OK, as for my problem, I think I have most of it fixed, and know exactly what the issue is...

When going to
http://www.mysite.com/downloads
Abyss automatically corrects, and adds the trailing slash...
http://www.mysite.com/downloads/
This is good.

UNFORTUNATELY, what is not good is the following...
Using STunnel, if the address of
https://www.mysite.com/downloads
is accessed, Abyss corrects the missing trailing slash, but changes it back to http://, not https://

So if a user pulls up https://www.mysite.com/downloads
it will go to
http://www.mysite.com/downloads/

I've added no special functions to get Abyss to do this, so I don't know where to change it.. I saw there is a section for URL rewriting that MAY help, but I have no idea where to start..

hope this makes sense...
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

Posted: Sun Feb 04, 2007 10:26 am

john81,

When you use STunnel, Abyss Web Server does not know about that (and cannot even know about it).

In versions <=2.3.2, Abyss Web Server was correcting the URL and sending back a "Location" header with a non-absolute URL (/downloads). So the browser would add the https://www.mysite.com automatically since it knows the full "real" URL.

In version 2.4, the correction was "fixed" to conform to the HTTP specification and now the URL that is sent back to the browser is a full URL (http://www.mysite.com/downloads). Note that Abyss Web Server adds the http and probably the port number that it listens to and not https and the SSL port number (which are not known to it since STunnel acts transparently).

So to make a long story short, we recommend using 2.3.2 until we provide a switch in the configuration to enable users to choose the behavior they like with URL corrections (or until the native SSL version is released).
_________________
Support Team
Aprelium - http://www.aprelium.com
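
Added example (not part of the original posts and not Aprelium's or stunnel's code): a small Python check that resolves a Location header the way a browser does and flags the https-to-http downgrade described in the post above. The sample URLs are constructed from the ones quoted in this thread, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed samples based on the URLs quoted in this thread.
REQUEST_URL = "https://www.mysite.com/downloads"
LOCATION_RELATIVE = "/downloads/"                       # style described for <= 2.3.2
LOCATION_ABSOLUTE = "http://www.mysite.com/downloads/"  # style described for 2.4


def resolve_redirect(request_url, location):
    """Resolve a Location value against the requested URL, as a browser does."""
    return urljoin(request_url, location)


def check_redirect(request_url, location):
    """Classify a redirect seen by a client that connected over TLS.

    Returns (final_url, verdict) where verdict is one of:
      'ok'               - the target stays on the requested host and scheme
      'scheme-downgrade' - same host, but https became something else
      'off-host'         - the redirect leaves the requested host
    """
    src = urlsplit(request_url)
    final_url = resolve_redirect(request_url, location)
    dst = urlsplit(final_url)
    if dst.hostname != src.hostname:
        return final_url, "off-host"
    if src.scheme == "https" and dst.scheme != "https":
        return final_url, "scheme-downgrade"
    return final_url, "ok"


def audit(pairs):
    """Return only the (request, location, final_url) rows that downgrade."""
    findings = []
    for request_url, location in pairs:
        final_url, verdict = check_redirect(request_url, location)
        if verdict == "scheme-downgrade":
            findings.append((request_url, location, final_url))
    return findings


if __name__ == "__main__":
    for loc in (LOCATION_RELATIVE, LOCATION_ABSOLUTE):
        print(loc, "->", check_redirect(REQUEST_URL, loc))
```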
john81
-


Joined: 02 Feb 2007
Posts: 3

Posted: Sun Feb 04, 2007 6:19 pm

aprelium wrote:
So to make a long story short, we recommend using 2.3.2 until we provide a switch in the configuration to enable users to choose the behavior they like with URL corrections (or until the native SSL version is released).


Thank you very much!
Do you have a section on your site where someone could download the older version?
aprelium
-


Joined: 22 Mar 2002
Posts: 6800

Posted: Sun Feb 04, 2007 9:49 pm

john81,

The 2.3.2 for Windows is available from http://www.aprelium.com/data/abwsx1-2-3-2.exe .
_________________
Support Team
Aprelium - http://www.aprelium.com
All times are GMT + 1 Hour