| For reference, there are some problems with this kit.
I built it successfully, installed it, and tried it.
Unfortunately...
It wouldn't run. Running it with -v revealed that it couldn't open the files
/usr/dfws/config/hosts.httpxd and /usr/dfws/config/httpusers.bin. A bit of
poking around further revealed that this version has some kind of support for
some OOB authentication which expected to see these files.
The Makeconf file that comes in the kit says
CFLAGS = -g -DOOBRULEFILE=\"/usr/dfws/config/hosts.httpxd\" -DOOBAUTHFILE=\"/usr/dfws/config/httpusers.bin\" -DANSI_LIKE -DFTPRELAY_SERVER=\"localhost\" -DFTPRELAY_PORT=1555
Looking through the code, the existence of the OOBRULEFILE and OOBAUTHFILE
symbols was what triggered off the code, so I removed them from the Makeconf
file and started again.
Unfortunately...
There's a chunk of code in HTDaemon.c where the oob routines aren't correctly
commented out using "#ifdef OOBRULEFILE", so I inserted the appropriate "#ifdef
... #endif" and started again.
I built it successfully again, installed it, and tried it.
Unfortunately...
This proxy server has exactly the same problem with semicolons and equals signs
that the AVFWU proxy has as mentioned in note 1650.
ARGH!
So now I'm about to plod through the code looking for the place where it
interferes with a perfectly good URL.
Don't wait up.
PJDM
|
| Prospective patch in HTParse.c (I'll test it fully tomorrow):
# diff HTParse.c HTParse.c.orig
632c632
< 7,7,7,7,7,7,7,7,7,7,0,7,0,7,0,0, /* 3x 0123456789:;<=>? */
---
> 7,7,7,7,7,7,7,7,7,7,0,0,0,0,0,0, /* 3x 0123456789:;<=>? */
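Review bot: the arguments on the diff command line are reversed (patched HTParse.c first, HTParse.c.orig second), so at line 632 the "<" row is the new table and the ">" row is the original; regenerating it as "diff -c HTParse.c.orig HTParse.c" would give a patch that applies without -R and carries context. In the new row ';' and '=' go from 0 to 7, the same value the digits carry, while ':', '<', '>' and '?' stay 0; if the entries are per-context bit masks, confirm that every caller of HTEscape() should pass ';' and '=' through unescaped, or set only the bits the proxy path needs.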
This comes just below the comment that says:
/* Escape undesirable characters using % HTEscape()
** -------------------------------------
**
** This function takes a pointer to a string in which
** some characters may be unacceptable unescaped.
** It returns a string which has these characters
** represented by a '%' character followed by two hex digits.
**
** In the tradition of being conservative in what you do and liberal
** in what you accept, we encode some characters which in fact are
** allowed in URLs unencoded -- so DON'T use the table below for
** parsing!
ARGH again!
PJDM
|
| Yet again: ARGH!
Unlike the old source code, this kit doesn't have any syslog code in it, so the
log files are now written to a file rather than sent via syslog, which
means mailgate doesn't get a copy of them, and they aren't handled with the
other syslog cleanup stuff.
Did someone remove this useful code as a joke?
Double ARGH!
PJDM
|
| Sorry guys,
I'm just waking up to this thread. The kit you guys are referring
to is the "Annecy" variant of the CERN web proxy. Somebody apparently
confused this with the original OSF_PROXY_V2.5 kit. The "Annecy"
variant was built to offer out-of-band authentication service:
- guy comes in to telnetxd and gets authenticated;
he/she then types "weblogin"
- the telnet proxy registers the username and IP address
in a special file (with a timeout)
- the web proxy uses this file and another access control file
to grant access to URLs based on which user is apparently
"logged on" to which IP address
This whole setup depends on the "Annecy" telnetxd variant,
which knows how to update the username/IP association file called
"httpusers.bin", and on some fairly specific file placements
(i.e. I usually run proxies non-privileged and chrooted, so you
want telnetxd and httpd to share an area where they can both
access the association file). Has been running on two customer
sites for MONTHS...
If you don't need this functionality, you probably want the
ORIGINAL OSF_PROXY_V2.5 kit, which is simpler to install (especially
since my modified version is not super documented to say the least).
Hope this helps,
Marc Chatel @ AEO
P.S.: People complaining about problems or things they don't like in
the kits I release in Annecy should remember that, so far,
I have not had a lot of help...
|
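The out-of-band check described in the reply above, as an added example (not code from the Annecy kit): the record and rule layouts, the function names and the sample data are assumptions, since the page does not show the httpusers.bin format. It shows the property this design depends on: an expired or missing association, or a user with no matching rule, is denied.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical layouts: the real httpusers.bin format is not shown on the page. */
struct oob_assoc { char user[16]; char ip[16]; time_t expires; };
struct oob_rule  { const char *user; const char *url_prefix; };

/* Constructed sample data (documentation addresses, invented users). */
static const struct oob_assoc SAMPLE_ASSOC[] = {
    { "alice", "192.0.2.10", 1000 },   /* as registered by the telnet proxy */
    { "bob",   "192.0.2.20",  500 },
};
static const struct oob_rule SAMPLE_RULES[] = { { "alice", "http://intranet.example/" } };

/* User bound to ip, or NULL if no unexpired entry; the latest expiry wins. */
const char *oob_user_for_ip(const struct oob_assoc *t, size_t n,
                            const char *ip, time_t now)
{
    const struct oob_assoc *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].ip, ip) != 0 || t[i].expires <= now)
            continue;                  /* wrong address or timed out */
        if (best == NULL || t[i].expires > best->expires)
            best = &t[i];
    }
    return best ? best->user : NULL;
}

/* Fail closed: no live association or no matching rule means deny. */
int oob_allow(const struct oob_assoc *t, size_t n, const struct oob_rule *r,
              size_t nr, const char *ip, const char *url, time_t now)
{
    const char *user = oob_user_for_ip(t, n, ip, now);
    if (user == NULL) return 0;
    for (size_t i = 0; i < nr; i++)
        if (strcmp(r[i].user, user) == 0 &&
            strncmp(url, r[i].url_prefix, strlen(r[i].url_prefix)) == 0)
            return 1;
    return 0;
}

int main(void) {
    printf("%d\n", oob_allow(SAMPLE_ASSOC, 2, SAMPLE_RULES, 1,
                             "192.0.2.10", "http://intranet.example/a", 900));
    return 0;
}
```

Because the binding is keyed on the source address alone, every client behind that address inherits the association until the timeout expires, so the timeout length is the main control on exposure.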
| I've got no problems with whatever you've put in your variant, but .6 made this
kit available as an upgraded version of the original when it's obviously not.
So, does the ORIGINAL OSF_PROXY_2.5 kit (wherever that may be) allow HTTPS and
still have syslog logging in it? If so, can someone please make it available so
I can do the work all over again (including fixing the escaped characters bug)?
PJDM
|