tinyproxy / tinyproxy

tinyproxy - a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems
GNU General Public License v2.0

When using a load balancer on AWS (ALB), the port is forwarded to tinyproxy, which uses it for the destination #488

Open MrJibus opened 1 year ago

MrJibus commented 1 year ago

Tinyproxy version

1.11.1-r2

Question

Goal: I want to use tinyproxy behind an AWS Application Load Balancer (https)

Note: I am using tinyproxy in Docker.

Setup:

Issue:

Example:

INFO Mar 28 19:19:50.285 [1]: process_request: trans Host GET http://ipecho.net:3633/plain for 5
INFO Mar 28 19:19:50.285 [1]: No upstream proxy for ipecho.net
INFO Mar 28 19:19:50.285 [1]: opensock: opening connection to ipecho.net:3633
INFO Mar 28 19:19:50.285 [1]: opensock: getaddrinfo returned for ipecho.net:3633
ERROR Mar 28 19:22:01.030 [1]: opensock: Could not establish a connection to ipecho.net:3633

Connecting directly to the EC2 instance using HTTP on port 3633 works fine:

CONNECT Mar 28 19:33:08.722 [1]: Request (file descriptor 5): GET http://ipecho.net/plain HTTP/1.1
INFO Mar 28 19:33:08.722 [1]: No upstream proxy for ipecho.net
INFO Mar 28 19:33:08.722 [1]: opensock: opening connection to ipecho.net:80
INFO Mar 28 19:33:08.722 [1]: opensock: getaddrinfo returned for ipecho.net:80
CONNECT Mar 28 19:33:08.731 [1]: Established connection to host "ipecho.net" using file descriptor 6.
INFO Mar 28 19:33:08.852 [1]: Closed connection between local client (fd:5) and remote client (fd:6)

The ALB forwards several headers: X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Port

I have the impression that X-Forwarded-Port is used but I can't understand why.

Question

How can I avoid having the port forwarded from the Application Load Balancer?

rofl0r commented 1 year ago

for some reason tinyproxy thinks (wrongly?) it is being used as a transparent proxy. can you try to build it from source with transparent proxying disabled? ./configure --disable-transparent

MrJibus commented 1 year ago

Will try that, thank you !

rofl0r commented 1 year ago

please report your findings. i will reopen this until the issue is resolved.

MrJibus commented 1 year ago

Adding the ./configure --disable-transparent flag

The build went fine, but when I test:

curl --proxy https://lbs-address:3633 http://ipecho.net/plain

CONNECT Mar 29 09:33:24.584 [20]: Connect (file descriptor 3): XXX.XX.XX.XXX
CONNECT Mar 29 09:33:24.588 [20]: Request (file descriptor 3): GET /plain HTTP/1.1
INFO Mar 29 09:33:24.593 [20]: Unknown method (GET) or protocol (/plain)

Note: XXX.XX.XX.XXX is the IP of the load balancer

Response returned by the load balancer :

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

<head>
<title>501 Not Implemented</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>

<body>

<h1>Not Implemented</h1>

<p>Unknown method or unsupported protocol.</p>

<hr />

<p><em>Generated by <a href="https://tinyproxy.github.io/">tinyproxy</a> version 1.11.0-rc1-70-git-ef60434.</em></p>

</body>

</html>

rofl0r commented 1 year ago

pls show your config (without commented out lines)

MrJibus commented 1 year ago

User nobody
Group nobody

Port 8888
Timeout 600

DefaultErrorFile "@pkgdatadir@/default.html"
StatFile "@pkgdatadir@/stats.html"
StatHost "tinyproxy.stats"

LogLevel Info
MaxClients 100

Allow 127.0.0.1
Allow ::1
Allow 0.0.0.0/0

ViaProxyName "tinyproxy"
DisableViaHeader Yes

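Allow in tinyproxy is matched against the address of the TCP peer that connects, and behind a load balancer that peer is always a load-balancer node, never the original client (the X-Forwarded-For header the ALB adds plays no part in access control). With Allow 0.0.0.0/0 as posted, anyone who can reach the internet-facing ALB can relay through the proxy. The fragment below is an added example, not from the issue, showing that line beside a tighter one; 10.0.0.0/16 stands in for the VPC CIDR the load-balancer nodes live in, and the BasicAuth credentials are placeholders:

```conf
# As posted: every connecting address is accepted. Behind an ALB that is
# every client the ALB itself accepts, i.e. the whole internet.
Allow 0.0.0.0/0

# Tighter: accept only the load balancer's subnet (10.0.0.0/16 is an assumed
# VPC CIDR) and require proxy credentials, because once a load balancer sits
# in between, source-address filtering can no longer tell clients apart.
# Both values are placeholders to be replaced.
Allow 10.0.0.0/16
BasicAuth relayuser replace-this-password
```

This does not change the request-rewriting problem discussed in the thread; it only closes the open-relay exposure that the posted Allow line creates.
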
rofl0r commented 1 year ago

from reading the code in reqs.c it would appear that tinyproxy receives as target url "/plain" instead of "http://ipecho.net/plain" which causes this error. you can check this by running tcpdump and filtering for the tinyproxy dest ip & port. i suspect the cause of this is either a misconfiguration of the load balancer or the load balancer isn't even meant to be used in front of a http proxy (as opposed to a webserver).
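
The diagnosis above is the whole story, and the two log excerpts in the issue follow from it. The script below is an added example, not tinyproxy's code and not something from the issue: it models what a layer-7 (HTTP) load balancer does to a forward-proxy request before handing it to its target, then applies the decision a forward proxy makes from what it receives, with and without a transparent-proxy fallback. The request bytes, the client address 203.0.113.7 and the rewrite model itself are constructed assumptions (the X-Forwarded-* headers are the ones listed in the issue), not an exact ALB implementation. The direct case is also what a layer-4 NLB delivers, since it passes the bytes through untouched.

```python
# Added example (not tinyproxy's code, not from the issue): a model of the
# request rewriting a layer-7 load balancer performs, beside the decision a
# forward proxy makes from what it receives. All request bytes are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    target: str          # the request-target: absolute-form or origin-form
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers (header names lower-cased)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers)


def serialize(req: Request) -> bytes:
    out = [f"{req.method} {req.target} {req.version}"]
    out += [f"{k}: {v}" for k, v in req.headers.items()]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")


def l7_lb_rewrite(raw: bytes, client_ip: str, listener_port: int, proto: str) -> bytes:
    """Model of a layer-7 load balancer: it parses the request and re-emits it.
    The scheme and authority of an absolute-form request-target are dropped
    (only path and query survive), the client's Host header is kept, and the
    X-Forwarded-* headers named in the issue are appended. Assumed behaviour."""
    req = parse_request(raw)
    parts = urlsplit(req.target)
    if parts.scheme and parts.netloc:                  # absolute-form -> origin-form
        req.target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    req.headers["x-forwarded-for"] = client_ip
    req.headers["x-forwarded-proto"] = proto
    req.headers["x-forwarded-port"] = str(listener_port)
    return serialize(req)


def proxy_resolve_target(raw: bytes, local_port: int, transparent: bool):
    """How a forward proxy picks the upstream connection.
    absolute-form: host and port come from the URL itself.
    origin-form:   the URL is gone. Without transparent support the request is
                   refused (tinyproxy answers 501 "Unknown method or protocol").
                   With it, the proxy trusts the Host header and, when Host has
                   no port, uses the port the connection arrived on, which is
                   what the "ipecho.net:3633" in the issue's log corresponds to."""
    req = parse_request(raw)
    parts = urlsplit(req.target)
    if parts.scheme == "http" and parts.hostname:
        return ("connect", parts.hostname, parts.port or 80, parts.path or "/")
    if req.target.startswith("/") and transparent:
        hostname, _, port = req.headers.get("host", "").partition(":")
        return ("transparent", hostname, int(port) if port else local_port, req.target)
    return ("501", None, None, req.target)


# Constructed client request, shaped like what curl --proxy sends: absolute-form
# request line plus a Host header naming the origin, not the proxy.
CLIENT_REQ = (b"GET http://ipecho.net/plain HTTP/1.1\r\n"
              b"Host: ipecho.net\r\n"
              b"User-Agent: curl/8.0.0\r\n"
              b"Accept: */*\r\n\r\n")
PROXY_PORT = 3633  # the port tinyproxy is reached on in the issue


def demo():
    # Direct TCP path (also what a layer-4 NLB delivers: the bytes are untouched).
    direct = proxy_resolve_target(CLIENT_REQ, PROXY_PORT, transparent=True)
    # Through the layer-7 load balancer; 203.0.113.7 is an assumed client address.
    via_lb = l7_lb_rewrite(CLIENT_REQ, "203.0.113.7", PROXY_PORT, "https")
    with_transparent = proxy_resolve_target(via_lb, PROXY_PORT, transparent=True)
    without_transparent = proxy_resolve_target(via_lb, PROXY_PORT, transparent=False)
    return direct, with_transparent, without_transparent


if __name__ == "__main__":
    labels = ("direct / NLB", "ALB + transparent", "ALB, --disable-transparent")
    for label, result in zip(labels, demo()):
        print(f"{label:28s} -> {result}")
```

The three results reproduce the thread: the direct request connects to ipecho.net:80; through the layer-7 rewrite, a transparent-capable build connects to ipecho.net:3633 (the proxy's own listening port, taken from the socket because Host carries none); and a --disable-transparent build refuses "/plain" with 501. Nothing in the rewritten request lets the proxy recover the original absolute URL, which is why an HTTP-level load balancer is the wrong kind of device in front of a forward proxy and a TCP-level one is not.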

MrJibus commented 1 year ago

I tried but there is nothing to use:

sudo tcpdump -i eth0 -vv | grep '3633'

tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [S], cksum 0xa47f (correct), seq 3608680223, win 26883, options [mss 8961,sackOK,TS val 739349726 ecr 0,nop,wscale 8], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [S.], cksum 0x8ec2 (incorrect -> 0xc34c), seq 4162385692, ack 3608680224, win 65160, options [mss 1460,sackOK,TS val 1733235301 ecr 739349726,nop,wscale 7], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xf036 (correct), seq 1, ack 1, win 106, options [nop,nop,TS val 739349727 ecr 1733235301], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [P.], cksum 0x39d6 (correct), seq 1:258, ack 1, win 106, options [nop,nop,TS val 739349727 ecr 1733235301], length 257
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [.], cksum 0x8eba (incorrect -> 0xeda2), seq 1, ack 258, win 508, options [nop,nop,TS val 1733235302 ecr 739349727], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [P.], cksum 0x8f33 (incorrect -> 0x044b), seq 1:122, ack 258, win 508, options [nop,nop,TS val 1733235312 ecr 739349727], length 121
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [FP.], cksum 0x90da (incorrect -> 0x8fe1), seq 122:666, ack 258, win 508, options [nop,nop,TS val 1733235312 ecr 739349727], length 544
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xeea6 (correct), seq 258, ack 122, win 106, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xec81 (correct), seq 258, ack 667, win 110, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [F.], cksum 0xec80 (correct), seq 258, ack 667, win 110, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [.], cksum 0xeaf1 (correct), seq 667, ack 259, win 508, options [nop,nop,TS val 1733235313 ecr 739349738], length 0
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [S], cksum 0xb012 (correct), seq 2409741590, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 187256278 ecr 0,sackOK,eol], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [S.], cksum 0x040c (incorrect -> 0x1acd), seq 3254146247, ack 2409741591, win 65160, options [mss 1460,sackOK,TS val 4231763125 ecr 187256278,nop,wscale 7], length 0
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x4014 (correct), seq 1, ack 1, win 2058, options [nop,nop,TS val 187256282 ecr 4231763125], length 0
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [P.], cksum 0xa438 (correct), seq 1:127, ack 1, win 2058, options [nop,nop,TS val 187256282 ecr 4231763125], length 126
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [.], cksum 0x0404 (incorrect -> 0x459f), seq 1, ack 127, win 509, options [nop,nop,TS val 4231763129 ecr 187256282], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [P.], cksum 0x0415 (incorrect -> 0x853e), seq 1:18, ack 127, win 509, options [nop,nop,TS val 4231763259 ecr 187256282], length 17
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [FP.], cksum 0x051b (incorrect -> 0x3996), seq 18:297, ack 127, win 509, options [nop,nop,TS val 4231763259 ecr 187256282], length 279
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x3e78 (correct), seq 127, ack 18, win 2058, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x3d64 (correct), seq 127, ack 298, win 2054, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
    static-XXXXX.com.53027 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [F.], cksum 0x3d63 (correct), seq 127, ack 298, win 2054, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
    ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [.], cksum 0x4367 (correct), seq 298, ack 128, win 509, options [nop,nop,TS val 4231763264 ecr 187256417], length 0
362 packets captured
364 packets received by filter
0 packets dropped by kernel

I also tried disabling some features of the LB, still the same. I think I am just going to use it without the LB.

rofl0r commented 1 year ago

to get understandable output from tcpdump, save it into a pcap file (-w file.pcap) and then transfer it to a machine with wireshark

Zinkal10 commented 2 months ago

You can use NLB instead of ALB. It will work with NLB configured on the TCP port.