Welcome! Log In Create A New Profile

Advanced

Eclipse 403 access denied

Posted by Norman Branitsky 
Norman Branitsky
Eclipse 403 access denied
May 11, 2018 07:40PM
After upgrading to the latest version of Eclipse and installing our custom Eclipse Plugin,
my developers are now being blocked by HAProxy.
Here's a sample of the problem:

May 11 15:03:37 localhost haproxy[13089]: 66.192.142.9:43041 [11/May/2018:15:03:37.932] main_ssl~ ssl_backend-etkdev/i-0912nnnnnnnn0e3b
0/0/1/24/25 200 436 - - --NN 52/52/0/0/0 0/0 "GET /entellitrak/private/api/workspaces/query/current HTTP/1.1"

May 11 15:03:38 localhost haproxy[13089]: 66.192.142.9:56417 [11/May/2018:15:03:38.117] main_ssl~ main_ssl/<NOSRV>
0/-1/-1/-1/0 403 188 - - PR-- 50/50/0/0/0 0/0 "POST /entellitrak/private/api/packages/query/workspace/txxxx.jxxxxx HTTP/1.1"

So, is the 403 because the backend server is unknown in the 2nd request?
Or is the backend server unknown because of the 403?

This is the beginning of the JSON payload in the POST statement:

ID: 24

Address: https://etkdev.wisits.org/entellitrak/private/api/packages/query/workspace/thomas.jackson

Http-Method: POST

Content-Type: application/json

Headers: {Authorization=[Basic dGhvbWFzLmphY2tzb246UGFzc3dvcmQxIQ==], Content-Type=[application/json], Accept=[application/json]}

Payload: ["package.fileServer.c0413431-1236-4825-90f1-5f5be131a237","package.rfWorkflowParameterJavascript.a227ee0b-6b59-4643-b1f8-1ff203948a24",

HAProxy version info:

[WIIRIS-LB-240]# /usr/local/sbin/haproxy -vv

HA-Proxy version 1.7.9 2017/08/18

Copyright 2000-2017 Willy Tarreau <[email protected]>



Build options :

TARGET = linux2628

CPU = generic

CC = gcc

CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv

OPTIONS = USE_SLZ=1 USE_OPENSSL=1 USE_PCRE=1



Default settings :

maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200



Encrypted password support via crypt(3): yes

Built with libslz for stateless compression.

Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")

Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013

Running on OpenSSL version : OpenSSL 1.0.2l 25 May 2017 (VERSIONS DIFFER!)
PiBa-NL
Re: Eclipse 403 access denied
May 11, 2018 08:00PM
Hi Norman,

Op 11-5-2018 om 19:36 schreef Norman Branitsky:
>
> After upgrading to the latest version of Eclipse and installing our
> custom Eclipse Plugin,
>
> my developers are now being blocked by HAProxy.
>
> Here’s a sample of the problem:
>
> May 11 15:03:37 localhost haproxy[13089]: 66.192.142.9:43041
> [11/May/2018:15:03:37.932] main_ssl~
> ssl_backend-etkdev/i-0912nnnnnnnn0e3b
> 0/0/1/24/25 200 436 - - --NN 52/52/0/0/0 0/0 "GET
> /entellitrak/private/api/workspaces/query/current HTTP/1.1"
>
> May 11 15:03:38 localhost haproxy[13089]: 66.192.142.9:56417
> [11/May/2018:15:03:38.117] main_ssl~ main_ssl/<NOSRV>
> 0/-1/-1/-1/0 403 188 - - PR-- 50/50/0/0/0 0/0 "POST
> /entellitrak/private/api/packages/query/workspace/txxxx.jxxxxx HTTP/1.1"
>

" PR The proxy blocked the client's HTTP request, either because of an
invalid HTTP syntax, in which case it returned an HTTP 400 error to
the client, or because a deny filter matched, in which case it
returned an HTTP 403 error."

> So, is the 403 because the backend server is unknown in the 2^nd request?
>
> Or is the backend server unknown because of the 403?
>
> This is the beginning of the JSON payload in the POST statement:
>
> ID: 24
>
> Address:
> https://etkdev.wisits.org/entellitrak/private/api/packages/query/workspace/thomas.jackson
>
> Http-Method: POST
>
> Content-Type: application/json
>
> Headers: {Authorization=[Basic dGhvbWFzLmphY2tzb246UGFzc3dvcmQxIQ==],
> Content-Type=[application/json], Accept=[application/json]}
>
Could it be the 'Host' header is missing.? Which is required by http/1.1.
And above authorization can be decoded.. be careful what internal/secure
information is posted..
>
> Payload:
> ["package.fileServer.c0413431-1236-4825-90f1-5f5be131a237","package.rfWorkflowParameterJavascript.a227ee0b-6b59-4643-b1f8-1ff203948a24",
>
> HAProxy version info:
>
> [WIIRIS-LB-240]# /usr/local/sbin/haproxy -vv
>
> HA-Proxy version 1.7.9 2017/08/18
>
> Copyright 2000-2017 Willy Tarreau <[email protected]>
>
> Build options :
>
>   TARGET  = linux2628
>
>   CPU     = generic
>
>   CC      = gcc
>
>   CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv
>
>   OPTIONS = USE_SLZ=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
>
> Built with libslz for stateless compression.
>
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
>
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>
> Running on OpenSSL version : OpenSSL 1.0.2l  25 May 2017 (VERSIONS
> DIFFER!)
>
p.s. Running with different versions between build/running is a bad thing..

Regards,

PiBa-NL
Sorry, only registered users may post in this forum.

Click here to login