Open MrJibus opened 1 year ago
for some reason tinyproxy thinks (wrongly?) it is being used as a transparent proxy.
can you try to build it from source with transparent proxying disabled ? ./configure --disable-transparent
Will try that, thank you !
please report your findings. i will reopen this until the issue is resolved.
Adding the ./configure --disable-transparent flag
The build went fine, but when I test:
curl --proxy https://lbs-address:3633 http://ipecho.net/plain
CONNECT Mar 29 09:33:24.584 [20]: Connect (file descriptor 3): XXX.XX.XX.XXX
CONNECT Mar 29 09:33:24.588 [20]: Request (file descriptor 3): GET /plain HTTP/1.1
INFO Mar 29 09:33:24.593 [20]: Unknown method (GET) or protocol (/plain)
Note : XXX.XX.XX.XXX is the ip of the load balancer
Response returned by the load balancer :
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>501 Not Implemented</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<h1>Not Implemented</h1>
<p>Unknown method or unsupported protocol.</p>
<hr />
<p><em>Generated by <a href="https://tinyproxy.github.io/">tinyproxy</a> version 1.11.0-rc1-70-git-ef60434.</em></p>
</body>
</html>
pls show your config (without commented out lines)
User nobody
Group nobody
Port 8888
Timeout 600
DefaultErrorFile "@pkgdatadir@/default.html"
StatFile "@pkgdatadir@/stats.html"
StatHost "tinyproxy.stats"
LogLevel Info
MaxClients 100
Allow 127.0.0.1
Allow ::1
Allow 0.0.0.0/0
ViaProxyName "tinyproxy"
DisableViaHeader Yes
from reading the code in reqs.c it would appear that tinyproxy receives as target url "/plain" instead of "http://ipecho.net/plain" which causes this error. you can check this by running tcpdump and filtering for the tinyproxy dest ip & port. i suspect the cause of this is either a misconfiguration of the load balancer or the load balancer isn't even meant to be used in front of a http proxy (as opposed to a webserver).
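The difference the comment above points at, as an added example that is not part of the original thread and not tinyproxy's code: a forward proxy needs an absolute-form request target, while a request relayed by an HTTP-level load balancer arrives in origin-form. The function names are hypothetical, and the transparent branch (rebuilding the destination from the Host header plus the proxy's own listening port) is an assumption chosen because it reproduces the `ipecho.net:3633` destination seen in the log.

```python
from urllib.parse import urlsplit

# Request lines copied from the logs quoted in this thread.
VIA_ALB = "GET /plain HTTP/1.1"
DIRECT = "GET http://ipecho.net/plain HTTP/1.1"
DEFAULT_PORTS = {"http": 80, "https": 443}


def classify_target(method, target):
    """Name the request-target form (RFC 9112, section 3.2)."""
    if target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute-form"
    return "invalid"


def proxy_decision(request_line, host_header=None, transparent=False,
                   listen_port=None):
    """Return (action, detail) a forward proxy could take for one request line."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ("reject", "malformed request line")
    form = classify_target(method, target)
    if form == "absolute-form":
        parts = urlsplit(target)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme, 80)
        return ("forward", f"{parts.hostname}:{port}")
    if form == "authority-form":
        return ("tunnel", target)
    if form == "origin-form" and transparent and host_header:
        # Assumption: no port in Host means "use the port I am listening on".
        # (Bracketed IPv6 literals are not handled in this sketch.)
        if ":" not in host_header:
            host_header = f"{host_header}:{listen_port}"
        return ("forward", host_header)
    # Without a destination host the proxy has nothing to connect to.
    return ("reject", f"501: {form} target carries no destination host")


if __name__ == "__main__":
    print(proxy_decision(DIRECT))
    print(proxy_decision(VIA_ALB))
    print(proxy_decision(VIA_ALB, "ipecho.net", True, 3633))
```
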
I tried but there is nothing to use :
sudo tcpdump -i eth0 -vv | grep '3633'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [S], cksum 0xa47f (correct), seq 3608680223, win 26883, options [mss 8961,sackOK,TS val 739349726 ecr 0,nop,wscale 8], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [S.], cksum 0x8ec2 (incorrect -> 0xc34c), seq 4162385692, ack 3608680224, win 65160, options [mss 1460,sackOK,TS val 1733235301 ecr 739349726,nop,wscale 7], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xf036 (correct), seq 1, ack 1, win 106, options [nop,nop,TS val 739349727 ecr 1733235301], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [P.], cksum 0x39d6 (correct), seq 1:258, ack 1, win 106, options [nop,nop,TS val 739349727 ecr 1733235301], length 257
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [.], cksum 0x8eba (incorrect -> 0xeda2), seq 1, ack 258, win 508, options [nop,nop,TS val 1733235302 ecr 739349727], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [P.], cksum 0x8f33 (incorrect -> 0x044b), seq 1:122, ack 258, win 508, options [nop,nop,TS val 1733235312 ecr 739349727], length 121
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [FP.], cksum 0x90da (incorrect -> 0x8fe1), seq 122:666, ack 258, win 508, options [nop,nop,TS val 1733235312 ecr 739349727], length 544
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xeea6 (correct), seq 258, ack 122, win 106, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0xec81 (correct), seq 258, ack 667, win 110, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [F.], cksum 0xec80 (correct), seq 258, ack 667, win 110, options [nop,nop,TS val 739349738 ecr 1733235312], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.53570: Flags [.], cksum 0xeaf1 (correct), seq 667, ack 259, win 508, options [nop,nop,TS val 1733235313 ecr 739349738], length 0
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [S], cksum 0xb012 (correct), seq 2409741590, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 187256278 ecr 0,sackOK,eol], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [S.], cksum 0x040c (incorrect -> 0x1acd), seq 3254146247, ack 2409741591, win 65160, options [mss 1460,sackOK,TS val 4231763125 ecr 187256278,nop,wscale 7], length 0
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x4014 (correct), seq 1, ack 1, win 2058, options [nop,nop,TS val 187256282 ecr 4231763125], length 0
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [P.], cksum 0xa438 (correct), seq 1:127, ack 1, win 2058, options [nop,nop,TS val 187256282 ecr 4231763125], length 126
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [.], cksum 0x0404 (incorrect -> 0x459f), seq 1, ack 127, win 509, options [nop,nop,TS val 4231763129 ecr 187256282], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [P.], cksum 0x0415 (incorrect -> 0x853e), seq 1:18, ack 127, win 509, options [nop,nop,TS val 4231763259 ecr 187256282], length 17
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [FP.], cksum 0x051b (incorrect -> 0x3996), seq 18:297, ack 127, win 509, options [nop,nop,TS val 4231763259 ecr 187256282], length 279
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x3e78 (correct), seq 127, ack 18, win 2058, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [.], cksum 0x3d64 (correct), seq 127, ack 298, win 2054, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
static-XXXXX.com.53027 >ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633: Flags [F.], cksum 0x3d63 (correct), seq 127, ack 298, win 2054, options [nop,nop,TS val 187256417 ecr 4231763259], length 0
ip-XXX-XX-XX-XXX.eu-west-3.compute.internal.3633 > static-XXXXX.com.53027: Flags [.], cksum 0x4367 (correct), seq 298, ack 128, win 509, options [nop,nop,TS val 4231763264 ecr 187256417], length 0
362 packets captured
364 packets received by filter
0 packets dropped by kernel
I also tried disabling some feature of the LB, still the same. I think I am just gonna use it without the LB.
to get understandable output from tcpdump, save it into a pcap file (-w file.pcap) and then transfer it to a machine with wireshark
You can use NLB instead of ALB. It will work with NLB configured on the TCP port.
Tinyproxy version
1.11.1-r2
Question
Goal: I want to use tinyproxy behind an AWS Application Load Balancer (https)
Note: I am using tinyproxy in docker.
Setup :
Issue :
Example :
INFO Mar 28 19:19:50.285 [1]: process_request: trans Host GET http://ipecho.net:3633/plain for 5
INFO Mar 28 19:19:50.285 [1]: No upstream proxy for ipecho.net
INFO Mar 28 19:19:50.285 [1]: opensock: opening connection to ipecho.net:3633
INFO Mar 28 19:19:50.285 [1]: opensock: getaddrinfo returned for ipecho.net:3633
ERROR Mar 28 19:22:01.030 [1]: opensock: Could not establish a connection to ipecho.net:3633
Connecting directly to the EC2 using http 3633 port works fine :
CONNECT Mar 28 19:33:08.722 [1]: Request (file descriptor 5): GET http://ipecho.net/plain HTTP/1.1
INFO Mar 28 19:33:08.722 [1]: No upstream proxy for ipecho.net
INFO Mar 28 19:33:08.722 [1]: opensock: opening connection to ipecho.net:80
INFO Mar 28 19:33:08.722 [1]: opensock: getaddrinfo returned for ipecho.net:80
CONNECT Mar 28 19:33:08.731 [1]: Established connection to host "ipecho.net" using file descriptor 6.
INFO Mar 28 19:33:08.852 [1]: Closed connection between local client (fd:5) and remote client (fd:6)
The ALB forwards several headers: X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Port
I have the impression that X-Forwarded-Port is used but I can't understand why.
Question
How to not have the port forwarded from the Application Load Balancer ?