Client-side BEV_EVENT_ERROR #38
Comments
Can you enable the DEBUG_PROXY (and perhaps also DEBUG_OPTS) feature switch(es) in Mk/make.mk, build sslproxy again, and then start sslproxy with the
Unit tests fail because it cannot find the
Ok did that (Client is now at 10.26.0.3):
Now I have noticed that you are trying to use an autossl proxyspec with HTTP. In SSLproxy, the use case for autossl is STARTTLS with SMTP and POP3 servers. I have never used autossl with HTTP, and honestly I don't know much about it (if any HTTP server supports STARTTLS). So, if you change the
Btw, the verbose logs you have provided do not report any reason for the Client-side BEV_EVENT_ERROR error, because I think the proto is autossl. If it is an ssl connection, sslproxy is supposed to report the SSL error.
Ok I changed the Proto to
I notice the following in your first post:
Do you mean that the gateway for the Mint laptop is pfSense, and pfSense redirects the traffic from the laptop to sslproxy running on another machine, and you expect sslproxy to reach the Internet via pfSense? I don't know what you are trying to achieve, but your first setup seems correct. But I guess the issue with this second setup is about networking and/or pf rules on pfSense. Because, note that sslproxy reports
Yes exactly and I don’t know why it should not work. I have seen companies that redirect your traffic through several proxies for different reasons until you are finally on the actual WAN so it is definitely possible.
I want to simply direct all traffic from all my devices through SSLProxy. I don't really see what is so different between setup one that it works and setup two that it doesn't... I mean if it would be some kind of problem with say the NAT redirect on the firewall, why would the SSLProxy error indicate that the connection from SSLProxy to the WAN server did not succeed? I guess that would result in another kind of error if the client does not respond anymore (?)
But this would mean that the first setup would also not work, but it does. If I curl google.com from 10.2.0.0 via the SSLProxy at 10.24.0.28 the traffic from there would also need to go outside via pfSense to Google right? (The pfSense manages all connections for 10/8) But this connection apparently works. From the firewall's perspective in both cases it would see traffic from the SSLProxy server to Google's IP right? Why would it allow that in setup one and deny it in the other?
I don't see any firewall denies but I could do a PCAP capture to look if data is even coming to this point
I think the issue is really with networking and pf rules on pfSense. Because see the following log:
Sslproxy is telling us that it thinks that 10.24.0.28 is the target HTTP server, and is trying to connect to it. Which machine is this? Answer: the sslproxy itself. So, looking at the logs, I think here is what is going on: We see that sslproxy is trying to connect to its own IP address (recursion), but that IP address does not have an HTTP server listening on port 443, so the connection fails (which gives the EOF on outbound connection... error). In other words, sslproxy is not trying to connect to the actual destination address. Why? Because the destination address rewritten by the redirect pf rule on pfSense makes sslproxy think that the destination is 10.24.0.28, i.e. the sslproxy itself. SSLproxy determines the destination address by querying the NAT engine on the system. So, in other words, due to the redirect pf rule on pfSense the actual destination address is lost when the packet reaches sslproxy. It would help if you could write a pf rule which does not change the actual destination address but still redirects to sslproxy, but I am not aware of such a possibility (you would need to directly send it to the ethernet address of sslproxy at L2, as we do with mirror logging, but that's irrelevant to this issue). How traffic is supposed to be redirected to sslproxy is described in the 4th paragraph of the Mode of operation section in README. Btw, normally, I would run sslproxy on pfSense. But your first setup at least satisfies the redirection requirements mentioned in README.
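The diagnosis above hinges on where the original destination is looked up: a transparent proxy only learns where the client really wanted to go by asking the NAT engine of the host it runs on. On Linux that lookup is the netfilter SO_ORIGINAL_DST socket option, which only has something useful to return when the REDIRECT happened on the same host; if a remote pfSense rdr rule already rewrote the destination before the packet arrived, the lookup simply returns the proxy's own address, which is the recursion the maintainer describes. The script below is an added illustration written for this thread, not SSLproxy code, and it assumes (not stated in the thread) that SSLproxy's Linux NAT engine uses this same kernel call. The sample sockaddr bytes and the 203.0.113.10 address are constructed for the example; the loop check flags the "original destination not recoverable" case instead of connecting back to itself.

```python
import socket
import struct

# Linux netfilter socket option (getsockopt level SOL_IP, optname 80) that returns
# the destination a connection had before a local REDIRECT/DNAT rule rewrote it.
SOL_IP = 0
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Construct the 16-byte struct sockaddr_in the kernel hands back (test helper)."""
    return (struct.pack("=H", socket.AF_INET)   # sin_family, host byte order
            + struct.pack("!H", port)           # sin_port, network byte order
            + socket.inet_aton(ip)              # sin_addr, 4 bytes
            + bytes(8))                         # sin_zero padding


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode a struct sockaddr_in into (ip, port); rejects non-IPv4 records."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not AF_INET: family=%d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> tuple:
    """Ask netfilter for the pre-REDIRECT destination of an accepted connection.

    With a local iptables REDIRECT rule this is the client's real target.  If the
    rewrite happened on another box (the pfSense rdr case in this issue) the
    kernel has no NAT mapping and returns the socket's own local address.
    """
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(raw)


def classify_destination(dst: tuple, proxy_addrs: set, listen_port: int) -> str:
    """'loop' when the recovered destination is the proxy host itself, else 'forward'.

    A destination equal to one of our own addresses means the real target was
    lost upstream; connecting to it would just hit our own listener (or nothing)
    and produce the outbound EOF seen in the logs.
    """
    ip, port = dst
    if ip in proxy_addrs:
        return "loop"
    return "forward"


def local_ipv4_addresses() -> set:
    """Best-effort set of this host's IPv4 addresses for the loop check."""
    addrs = {"127.0.0.1"}
    try:
        for ai in socket.getaddrinfo(socket.gethostname(), None, socket.AF_INET):
            addrs.add(ai[4][0])
    except socket.gaierror:
        pass
    return addrs


if __name__ == "__main__":
    # Stand-alone demo: listen like a transparent proxy and report, per accepted
    # connection, whether the original destination is recoverable.  Requires a
    # local iptables REDIRECT rule (Linux) to return anything but our own address.
    import sys
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 8443
    my_addrs = local_ipv4_addresses()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(5)
        print("listening on %d, local addrs %s" % (listen_port, sorted(my_addrs)))
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    dst = original_destination(conn)
                except OSError as exc:            # non-Linux or no netfilter support
                    print("%s: cannot query NAT engine: %s" % (peer, exc))
                    continue
                verdict = classify_destination(dst, my_addrs, listen_port)
                print("%s -> original dst %s:%d : %s" % (peer, dst[0], dst[1], verdict))
```

Run it on the proxy host and point a client at it through a local `iptables -t nat ... -j REDIRECT` rule: connections report `forward` with the client's real target. Send the same traffic via a remote rdr instead and the verdict becomes `loop` with the proxy's own address, which is exactly the symptom in this issue and why the README wants the redirect done on the host where sslproxy runs.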
Ah okay that makes absolute sense! I will look into the issue if it is possible to do a redirect without changing the dest ip, I hope that is possible
Hello, I have the following setup that works:
10.2.0.0 (Ubuntu Host) <-> 10.24.0.28 (SSLProxy) <-> 10.24.0.1 PfSense FW <-> 192.168.178.1 FritzBox Router/Modem
(Outside physical Server) <-> actual WAN
(10.0.0.0/8 is one network where everyone reaches one another)
but the following setup does not work and produces
Client-side BEV_EVENT_ERROR
with no result on the client besides an error message in the browser ("No secure connection possible"):
192.168.178.78 (Linux Mint Laptop) <-> 10.24.0.1 (PfSense FW [with NAT Rule triggering on source 192.168.178.78 and destination port 443 redirecting to SSLProxy Server]) <-> 10.24.0.28 (SSLProxy) <-> 10.24.0.1 PfSense FW <-> 192.168.178.1 FritzBox Router/Modem (Outside physical Server)
<-> actual WAN
I also did install my 'myCA.pem' public certificate on the laptop.
I know it is likely that the problem is within networking and not SSLProxy itself, but there are also errors produced running
make test
so I thought I would make an issue here. Also I really don't know what I could have made wrong at which point, so any suggestion what I should change would be really appreciated.
For bug reports, please supply:
sslproxy -V
uname -a
Linux pHellcat2 5.4.162-1-pve #1 SMP PVE 5.4.162-2 (Thu, 20 Jan 2022 16:38:53 +0100) x86_64 x86_64 x86_64 GNU/Linux
sslproxy
sslproxy -X traffic.pcap -f ProxySpec.conf
make test output
Example PCAP contains what is logged when a server inside the network (10.24.2.0) is using
curl https://www.google.com --insecure
. I tried capturing the other server trying to connect but it resulted in an empty PCAP written.
traffic_example.pcap.zip
ProxySpec.conf: