jeroennijhof / openufp

Open URL Filtering Proxy is a URL Filtering Server for N2H2 or Websense compatible devices.
GNU General Public License v3.0

Strange behavior with high URL request volume #3

Closed (liveaverage closed this 9 years ago)

liveaverage commented 9 years ago

Not sure if this has been noticed or reported, but I've been seeing some strange behavior (e.g. block pages for other users' URL requests being presented to users who were not even browsing the site for which a block page was delivered). It doesn't seem to matter what protocol is used, n2h2 or websense (using tcp 1 or tcp 4 on the ASA) ... I'm using the squidGuard backend and it receives the URL request from the ASA just fine, parses it, and even provides the correct allow/deny response, but it seems like some sort of identifier/serial is getting mixed up when openUFP responds to the ASA. Have you seen this behavior? Maybe the request or response structures have changed?

Thanks for any help, and I'd be happy to provide some packet captures if it helps,

JR

liveaverage commented 9 years ago

Some additional debug output from openufp:

Apr 12 14:15:06 proxpre02 openufp[9501]: Websense debug request output: size 12544, vers_maj 256, vers_min 33024, vers_pat 0, serial 1318499337, code 256, desc 0, srcip -133229396, dstip -1578874440, urlsize 0, url
Apr 12 14:15:06 proxpre02 openufp[9501]: Websense v1 packet received; converting to v4
Apr 12 14:15:06 proxpre02 openufp[9501]: received url request - Original URL: http://greygoose.com/
Apr 12 14:15:06 proxpre02 openufp[9501]: cache: hash not in cache.
Apr 12 14:15:06 proxpre02 openufp[9501]: squidguard input: username missing, defaulting to IP notation
Apr 12 14:15:06 proxpre02 openufp[9501]: squidguard: url check using ip and user: ip: 172.20.15.248 user: - for url http://greygoose.com/
Apr 12 14:15:06 proxpre02 openufp[9501]: squidguard: url blocked. parsed_red: http://filter.redirectpage.com/block.php?ip=172.20.15.248&src=u_domain_isa_http&dst=alcohol&url=http://greygoose.com/ -- sg_redirectURL: http://filter.redirectpage..com/block.php?ip=172.20.15.248&src=u_domain_isa_http&dst=alcohol&url=http://greygoose.com/
Apr 12 14:15:06 proxpre02 openufp[9501]: url denied: srcip 172.20.15.248, srcusr -, dstip 184.73.228.161, url http://greygoose.com/

liveaverage commented 9 years ago

Something was up with the handling of responses from squidGuard -> openUFP. Not precisely sure what the issue was, but I could clearly see squidGuard providing REDIRECT replies while openUFP was providing URL Accepted responses back to the Cisco ASA. I completely reworked the handling of squidGuard and fd's to use popen(), which reduced much of the squidguard.c code and fixed the issue -- haven't been able to replicate the problem since:

https://github.com/liveaverage/openufp/blob/master/squidguard.c

I'll submit a pull request if you'd like to merge the changes from this fork, but completely up to you.

jeroennijhof commented 9 years ago

I wasn't really proud of that specific piece of code so your rewrite is more than welcome! Please submit a pull request, your code seems more than fine to me!