ralphwetzel / theonionbox

Dashboard to monitor Tor node operations
MIT License
121 stars 17 forks

Running through apache mod_proxy #10

Closed svengo closed 8 years ago

svengo commented 8 years ago

I tried to access the onion box running on http://localhost:8080 through an apache mod_proxy. Apache configuration:

ProxyPass "/theonionbox" "http://localhost:8080"
ProxyPassReverse "/theonionbox" "http://localhost:8080"

The onion box should become available at https://remoteserver/theonionbox. The html front page is loaded but the server can't find the login.css and login.js files. It seems that the path is not relative to the current directory:

GET https://umbar.svengo.net/theonionbox [HTTP/1.1 200 OK 405ms]
GET https://umbar.svengo.net/9f32fbfa81db4926af7005588e1c9fc1/login.css [HTTP/1.1 404 Not Found 121ms]
GET https://umbar.svengo.net/9f32fbfa81db4926af7005588e1c9fc1/login.js [HTTP/1.1 404 Not Found 519ms]

I don't know how to configure apache to alter the paths. Is it possible to solve the problem in theonionbox? I don't want to open the tcp port of onionbox for everyone due to security concerns.

Thanks!

ralphwetzel commented 8 years ago

Hi! I have an initial assumption yet cannot verify what's going on without your support: I've just committed to the v3 branch two adaptations for the files theonionbox.py & tob_logging.py to provide additional DEBUG information. Could you please grab those (each time the latest version in v3), drop them into your theonionbox directory (overwriting the old ones) and run the Box in DEBUG mode: python theonionbox.py --debug. This should generate some messages like:

[INFO]  21:27:54.764 4da7|8f61@127.0.0.1 is knocking for Login; 'basic' procedure provided.
[DEBUG] 21:27:55.404 theonionbox.py[770|get_login]: 4da7|8f61@127.0.0.1 requests 'login.css'
[DEBUG] 21:27:55.404 theonionbox.py[771|get_login]: 4da7|8f61: addr = 127.0.0.1 / route = ['127.0.0.1']
[DEBUG] 21:27:55.703 theonionbox.py[770|get_login]: 4da7|8f61@127.0.0.1 requests 'login.js'
[DEBUG] 21:27:55.703 theonionbox.py[771|get_login]: 4da7|8f61: addr = 127.0.0.1 / route = ['127.0.0.1']
[DEBUG] 21:27:58.572 theonionbox.py[770|get_login]: 4da7|8f61@127.0.0.1 requests 'login.html'
[DEBUG] 21:27:58.572 theonionbox.py[771|get_login]: 4da7|8f61: addr = 127.0.0.1 / route = ['127.0.0.1']
[DEBUG] 21:27:58.941 theonionbox.py[770|get_login]: 4da7|8f61@127.0.0.1 requests 'login.html'
[DEBUG] 21:27:58.941 theonionbox.py[771|get_login]: 4da7|8f61: addr = 127.0.0.1 / route = ['127.0.0.1']
[INFO]  21:28:00.203 4da7|8f61@127.0.0.1 received session token '5263|bfca'; immediate response expected.
        21:28:00.846 5263|bfca@127.0.0.1: Session established.

The interesting part starts with the knocking for login line ... and should end with Session established (yet that will not happen currently in your case).

My assumption is that we'll see a different IP address when requesting login.html vs. the two other files due to the proxy. Could you please cut & paste the relevant portion of your logs here for examination? Thanks in advance!

svengo commented 8 years ago

Hi Ralph! Thank you for the fast response. Here is the debug output:

[INFO]  15:55:45.375 03c8|e0bf@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 15:55:45.398 127.0.0.1: "GET / HTTP/1.1" 200 7945
[INFO]  15:55:48.187 bf77|47a6@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 15:55:48.199 127.0.0.1: "GET / HTTP/1.1" 200 7945
[INFO]  15:56:18.957 bf77|47a6@95.223.158.55: Login request expired.
[INFO]  15:56:18.957 03c8|e0bf@95.223.158.55: Login request expired.

95.223.158.55 is my local IP address and also the content of the X-Forwarded-For header:

sven@umbar:~$ netcat -l 8080
GET / HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Referer: https://umbar.svengo.net/theonionbox
Cache-Control: max-age=0
X-Forwarded-For: 95.223.158.55
X-Forwarded-Host: umbar.svengo.net
X-Forwarded-Server: umbar.svengo.net
Connection: Keep-Alive

ralphwetzel commented 8 years ago

Hi Sven!

Thank you for the logs & especially the header. I'm yet a bit worried why the extra debug information I added yesterday is not shown in the logs. Could you please verify that you downloaded this version of theonionbox.py and this of tob_logging.py ... and are operating the box with those (in DEBUG mode)?

Ralph

svengo commented 8 years ago

Hi Ralph! Sorry, here is the output from the new version:

[INFO]  21:41:12.419 2031|d4ae@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 21:41:12.452 theonionbox.py[1239|log_message]: 127.0.0.1: "GET / HTTP/1.1" 200 7945
[INFO]  21:41:16.534 8ba2|0c3d@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 21:41:16.557 theonionbox.py[1239|log_message]: 127.0.0.1: "GET / HTTP/1.1" 200 7945
[INFO]  21:41:45.019 2031|d4ae@95.223.158.55: Login request expired.
[INFO]  21:41:50.022 8ba2|0c3d@95.223.158.55: Login request expired.

ralphwetzel commented 8 years ago

Hi Sven!

It took me some while to understand the issue. It is due to the virtual path structure that is used by the Box. I yet think there might be a clever way to solve it:

I've added the new parameter proxy_path to the configuration file. When it's defined, this path is used as base for the path generation. You just have to ensure that you strip it again with your proxy configuration.

An example (that should exactly match your case): By default login.css is expected in the path /<session_id>/login.css. Based on your proxy configuration this should become /theonionbox/<session_id>/login.css.

You therefore set a custom proxy_path in your configuration file theonionbox.cfg:

# If you intend to operate the Box behind a proxy you can here define a
# base path to allow appropriate filtering. Please assure that this is
# an absolute filepath beginning with a leading slash, no trailing slash: '/foo'
proxy_path = /theonionbox

With this setting all path definitions will be rebased from /foo/bar to /theonionbox/foo/bar. Your proxy strips - when processing the request - the additional path element and forwards the rest to the Box: https://umbar.svengo.net/theonionbox/<session_id>/login.css -> http://localhost:8080/<session_id>/login.css.

This should make it.

I've created a release v2.1.2RC1 marked 'unstable'. You could do me the favour and test the procedure with this release.

Thanks for your support.

Ralph
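The following is an added example, not code from theonionbox or from Ralph, that models the mechanism described in the comment above together with the ProxyPass mapping from the opening post: the Box emits absolute paths of the form /<session_id>/login.css, the browser resolves them against the site root, and Apache only forwards requests whose path sits under the ProxyPass prefix. Everything else is looked up in the DocumentRoot, which is exactly where the 404s come from. Function names (validate_proxy_path, rebase_path, proxy_route, resolve_asset, walk_through) and the constants are assumptions made for the example; the session id and DocumentRoot are copied from the logs in this thread as sample values.

```python
"""Path rebasing behind a prefix-stripping reverse proxy (added example, not theonionbox code)."""
from urllib.parse import urljoin, urlsplit

# Constructed sample values for the walk-through (taken from the logs in this issue).
SITE = "https://umbar.svengo.net"
PROXY_PASS_PREFIX = "/theonionbox"                    # ProxyPass "/theonionbox" "http://localhost:8080"
BACKEND = "http://localhost:8080"                     # the Box keeps listening on localhost only
DOCROOT = "/srv/www/umbar.svengo.net"                 # Apache DocumentRoot seen in the AH00128 lines
SESSION_ID = "9f32fbfa81db4926af7005588e1c9fc1"       # session id from the first 404 log line


def is_valid_proxy_path(proxy_path):
    """Rule from the config comment: absolute path, leading slash, no trailing slash ('/foo').

    An empty string means 'not set' and is accepted; '/' alone, a trailing slash,
    doubled slashes and '..' segments are rejected so the prefix cannot escape its place.
    """
    if proxy_path == "":
        return True
    if proxy_path == "/" or not proxy_path.startswith("/") or proxy_path.endswith("/"):
        return False
    return "//" not in proxy_path and ".." not in proxy_path.split("/")


def validate_proxy_path(proxy_path):
    if not is_valid_proxy_path(proxy_path):
        raise ValueError("proxy_path must look like '/foo' (leading slash, no trailing slash)")
    return proxy_path


def rebase_path(app_path, proxy_path):
    """Prefix an absolute application path: /foo/bar -> /theonionbox/foo/bar (no-op when unset)."""
    proxy_path = validate_proxy_path(proxy_path)
    if not app_path.startswith("/"):
        raise ValueError("application paths are absolute")
    return proxy_path + app_path


def proxy_route(request_path, prefix=PROXY_PASS_PREFIX):
    """Model Apache's decision for one request path.

    A path equal to the ProxyPass prefix, or below it on a '/' boundary, is forwarded
    to the backend with the prefix stripped; anything else is served from DOCROOT.
    Returns ("proxy", backend_url) or ("static", filesystem_path).
    """
    if request_path == prefix or request_path.startswith(prefix + "/"):
        stripped = request_path[len(prefix):] or "/"
        return ("proxy", BACKEND + stripped)
    return ("static", DOCROOT + request_path)


def resolve_asset(page_url, asset_path):
    """What the browser requests: an absolute asset path is resolved against the site root."""
    return urljoin(page_url, asset_path)


def walk_through(proxy_path):
    """Follow login.css from the Box's path generation to Apache's routing decision."""
    page_url = SITE + PROXY_PASS_PREFIX + "/"                      # the page the browser loaded
    css_path = rebase_path("/" + SESSION_ID + "/login.css", proxy_path)
    browser_url = resolve_asset(page_url, css_path)
    return proxy_route(urlsplit(browser_url).path)


if __name__ == "__main__":
    print("proxy_path unset:  ", walk_through(""))              # -> static lookup, the 404 case
    print("proxy_path set:    ", walk_through("/theonionbox"))  # -> forwarded to the Box
```

Running the block prints the two outcomes side by side: with proxy_path unset the request for login.css lands in the DocumentRoot (the AH00128 "File does not exist" line), with proxy_path = /theonionbox it is forwarded as http://localhost:8080/<session_id>/login.css, and the Box itself never needs to be reachable from outside.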

svengo commented 8 years ago

Hi Ralph,

I'm sorry but it doesn't work, the page is still scrambled :-(

theonionbox@umbar:~/theonionbox-2.1.2RC1/theonionbox$ head -n 3 theonionbox.py
#!/usr/bin/python

__version__ = '2.1.2RC1'
theonionbox@umbar:~/theonionbox-2.1.2RC1/theonionbox$ grep proxy_path theonionbox.cfg
proxy_path = /theonionbox
theonionbox@umbar:~/theonionbox-2.1.2RC1/theonionbox$ python theonionbox.py --debug

        13:04:37.920 The Onion Box v2.1.2RC1: WebInterface for Tor Relays
        13:04:37.920 Running on a Linux Host.
        13:04:37.920 Debug Mode activated from command line.
        13:04:37.986 Operating with configuration from 'theonionbox.cfg'
        13:04:38.094 Failed to load LongTerm Data from file 'theonionbox.ltd'. Exception raised says '[Errno 2] No such file or directory: 'theonionbox.ltd''!
[INFO]  13:04:38.258 Trying to refresh ONIONOO data.
[INFO]  13:04:38.258 No Fingerprint to query.
[INFO]  13:04:38.258 Next scheduled retry to refresh ONIONOO @ 2016-03-26 15:24:43
        13:04:38.305 Trying to connect to Tor Relay on 127.0.0.1:9051.
        13:04:38.318 Connected...
[INFO]  13:04:38.329 Server Time aligned against Time from 'pool.ntp.org'; adjusted delta: +0.00 seconds
[DEBUG] 13:04:38.329 tob_logging.py[218|__init__]: LoggingManager: self_id = 8253df17-410b-4b48-8c05-bc4775ddfbf8.
[DEBUG] 13:04:38.330 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | INFO | False
[DEBUG] 13:04:38.330 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | BOX | True
[DEBUG] 13:04:38.330 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | NOTICE | True
[DEBUG] 13:04:38.330 tob_logging.py[304|switch]: Adding event_listener for Tor's runlevel 'NOTICE': <functools.partial object at 0x7f763f7d0d08>
[DEBUG] 13:04:38.331 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | WARNING | True
[DEBUG] 13:04:38.331 tob_logging.py[304|switch]: Adding event_listener for Tor's runlevel 'WARN': <functools.partial object at 0x7f763f7d0d60>
[DEBUG] 13:04:38.331 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | ERROR | True
[DEBUG] 13:04:38.331 tob_logging.py[304|switch]: Adding event_listener for Tor's runlevel 'ERR': <functools.partial object at 0x7f763f7d0db8>
[DEBUG] 13:04:38.332 tob_logging.py[274|switch]: Switching 8253df17-410b-4b48-8c05-bc4775ddfbf8 | DEBUG | False
        13:04:38.332 Operating with the default WebServer!
[WARN]  13:04:38.332 A single IE request can stall this server and thus the BOX!
        13:04:38.334 Ready to listen on http://localhost:8080/
[INFO]  13:04:38.334 Bottle v0.12.9 server starting up (using BoxWSGIRefServer(handler_class=<class __main__.box_FixedDebugHandler at 0x7f763f7f0a78>))...
[INFO]  13:04:38.334 Listening on http://localhost:8080/
[INFO]  13:04:38.335 Hit Ctrl-C to quit.
[INFO]  13:04:42.807 a795|6b36@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 13:04:42.842 theonionbox.py[1254|log_message]: 127.0.0.1: "GET / HTTP/1.1" 200 7982
[INFO]  13:04:45.335 f896|8113@95.223.158.55 is knocking for Login; 'basic' procedure provided.
[DEBUG] 13:04:45.351 theonionbox.py[1254|log_message]: 127.0.0.1: "GET / HTTP/1.1" 200 7982
        13:04:50.402 Shutdown Server done!!

ralphwetzel commented 8 years ago

Hi Sven!

Do you still get the same 404 notifications that you posted in your first message?

R.

svengo commented 8 years ago

Hi Ralph,

yes, the same:

GET https://umbar.svengo.net/theonionbox/ [HTTP/1.1 200 OK 147ms]
GET https://umbar.svengo.net/fc2ca27564d14c8c86ee834be11bfe52/login.css [HTTP/1.1 404 Not Found 24ms]
GET https://umbar.svengo.net/fc2ca27564d14c8c86ee834be11bfe52/login.js [HTTP/1.1 404 Not Found 121ms]

I switched apache to debug mode, maybe the apache log contains interesting information (ssl and auth messages skipped):

[Sat Mar 26 17:13:38.158919 2016] [proxy:debug] [pid 31147] mod_proxy.c(1104): [client 95.223.158.55:53154] AH01143: Running scheme http handler (attempt 0), referer: https://umbar.svengo.net/theonionbox/
[Sat Mar 26 17:13:38.158938 2016] [proxy:debug] [pid 31147] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (localhost)
[Sat Mar 26 17:13:38.158949 2016] [proxy:debug] [pid 31147] proxy_util.c(2072): [client 95.223.158.55:53154] AH00944: connecting http://localhost:8080/ to localhost:8080, referer: https://umbar.svengo.net/theonionbox/
[Sat Mar 26 17:13:38.159201 2016] [proxy:debug] [pid 31147] proxy_util.c(2206): [client 95.223.158.55:53154] AH00947: connected / to localhost:8080, referer: https://umbar.svengo.net/theonionbox/
[Sat Mar 26 17:13:38.159408 2016] [proxy:debug] [pid 31147] proxy_util.c(2610): AH00962: HTTP: connection complete to 127.0.0.1:8080 (localhost)
[Sat Mar 26 17:13:38.178828 2016] [proxy:debug] [pid 31147] proxy_util.c(2035): AH00943: http: has released connection for (localhost)
[Sat Mar 26 17:13:38.256197 2016] [core:info] [pid 31147] [client 95.223.158.55:53154] AH00128: File does not exist: /srv/www/umbar.svengo.net/2f2f48b704324a3d8d0d8d48d735679b/login.css, referer: https://umbar.svengo.net/theonionbox/
[Sat Mar 26 17:13:38.356350 2016] [core:info] [pid 31148] [client 95.223.158.55:53159] AH00128: File does not exist: /srv/www/umbar.svengo.net/2f2f48b704324a3d8d0d8d48d735679b/login.js, referer: https://umbar.svengo.net/theonionbox/
[Sat Mar 26 17:13:38.734462 2016] [proxy:debug] [pid 31180] proxy_util.c(1694): AH00925: initializing worker http://localhost:8080 shared
[Sat Mar 26 17:13:38.734541 2016] [proxy:debug] [pid 31180] proxy_util.c(1734): AH00927: initializing worker http://localhost:8080 local
[Sat Mar 26 17:13:38.734578 2016] [proxy:debug] [pid 31180] proxy_util.c(1785): AH00931: initialized single connection worker in child 31180 for (localhost)
[Sat Mar 26 17:13:43.257133 2016] [ssl:debug] [pid 31147] ssl_engine_io.c(1003): [client 95.223.158.55:53154] AH02001: Connection closed to child 0 with standard shutdown (server umbar.svengo.net:443)
[Sat Mar 26 17:13:43.359178 2016] [ssl:debug] [pid 31148] ssl_engine_io.c(1003): [client 95.223.158.55:53159] AH02001: Connection closed to child 1 with standard shutdown (server umbar.svengo.net:443)

ralphwetzel commented 8 years ago

Hi Sven,

I finally recreated your setup on my system and was able to do the necessary modifications to the code. Release v2.1.2RC2 (still 'unstable') should work as expected. You just have to define the appropriate proxy_path in the configuration file.

Could you please verify?

Thanks, Ralph

svengo commented 8 years ago

Hi Ralph!

Thank you, everything works as expected. Great Work! :-)

Kind regards, Sven

ralphwetzel commented 8 years ago

:thumbsup:

Made the new release v2.1.2 out of this as well as a HowTo in the Wiki. Thanks for your support!

Ralph