Weirdness with/without domain name

Discussions about the Application Boundaries Enforcer (ABE) module
bizaff
Posts: 5
Joined: Tue Jul 29, 2014 4:53 pm

Weirdness with/without domain name

Post by bizaff » Wed Jul 29, 2015 4:29 pm

I have two hosts, issues.example.com and docs.example.com. Normally I connect to these sites as shown to the left with https. When I'm connected through VPN, I can refer to them as just issues and docs. I sometimes get links to these in gmail, and they can show up as https://issues/ or https://issues.example.com

In the ABE system rulesets, I have:

Site LOCAL ^https://.*\example\.com
Accept from LOCAL
Accept from ^https://.*\example\.com
Accept from https://talkgadget.google.com
Accept from https://mail.google.com
Accept from https://www.google.com
Deny

The last three represent the various sites ABE reports as blocked. Often, I'll have two sites comma separated after the <<< , one representing the google redirect.

When I click on a link I received through gmail to https://issues.example.com/blahblahblah, I get the following ABE warning:

Request { GET https://issues.example.com/blahblahblah <<< https://issues.example.com/partofthepreviousURL, https://mail.google.com/_/scs/sometrackinglink} filtered by ABE: <LOCAL ^https://.*\.example\.com> Deny

If I change the last three lines from Accept to Anonymize, I have to login each time, but the links go through. I don't understand why.

Is my approach right? Is there something I'm not understanding about handling both inside/outside the VPN? Does LOCAL sometimes match these and sometimes not if I'm inside the VPN? Should I enumerate these sites individually before a LOCAL rule? Sometimes I get email linking to an internal only site that's not available outside the VPN.

I'm assuming I'm a bit lax by combining LOCAL with the example.com rule.

I'm on version 2.6.9.32.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

barbaz
Senior Member
Posts: 9145
Joined: Sat Aug 03, 2013 5:45 pm

Re: Weirdness with/without domain name

Post by barbaz » Wed Jul 29, 2015 5:19 pm

Yeah, you've made a bit of a mess of the ABE rules, I'd suggest you go to about:config and reset the noscript.ABE.ruleset.* prefs :P

Try this one, put it *above* the default SYSTEM rule:

Code: Select all

Site issues.example.com docs.example.com https://issues/* https://docs/*
Accept from issues.example.com docs.example.com https://issues/* https://docs/* https://talkgadget.google.com/* https://mail.google.com/* https://www.google.com/*
Deny


(hey, that Accept should be all one line, the forum is breaking it up instead of giving horizontal scrollbars. oh well)
*Always* check the changelogs BEFORE updating that important software!
-

bizaff
Posts: 5
Joined: Tue Jul 29, 2014 4:53 pm

Post by bizaff » Wed Jul 29, 2015 6:29 pm

That makes it go for those sites, but now I run into other links breaking. From https://docs.example.com there's a link to http://mysvnserver, which I can only see from the VPN. Any link from docs.example.com is now blocked because of the LOCAL rule. If I access https://docs from within the VPN, it works fine.

If I

Code: Select all

Site issues.example.com docs.example.com https://issues/* https://docs/* http://mysvnserver
Accept from issues.example.com docs.example.com https://issues/* https://docs/* http://mysvnserver https://talkgadget.google.com/* https://mail.google.com/* https://www.google.com/*
Deny
, that works.

I'm assuming this is most secure but this seems like a rabbit hole for each and every local site I have that people might email a link to. I have faith in my ability to not click on stupid things, and I'm willing to forego a bit of security to make this not suck, along the lines of my previous LOCAL "mess" :)

Any other ideas?

Is there any way to tell ABE to treat a site as if it's LOCAL? The sites in .example.com are fully under our control, just allowed to be forward facing.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

barbaz
Senior Member
Posts: 9145
Joined: Sat Aug 03, 2013 5:45 pm

Re:

Post by barbaz » Wed Jul 29, 2015 7:16 pm

bizaff wrote:I'm assuming this is most secure but this seems like a rabbit hole for each and every local site I have that people might email a link to. I have faith in my ability to not click on stupid things,

So what's the problem? Seems fine to me...

bizaff wrote:Any other ideas?

I don't have any, sorry.
Maybe someone else will?

bizaff wrote:Is there any way to tell ABE to treat a site as if it's LOCAL?

Theoretically, there's noscript.ABE.localExtras; but in practice (at least last time I checked) that is completely broken.
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Weirdness with/without domain name

Post by Thrawn » Thu Jul 30, 2015 12:14 am

I think that LOCAL needs to be included in the Accept line of the extra rule:

Code: Select all

Site issues.example.com docs.example.com https://issues/* https://docs/* http://mysvnserver
Accept from LOCAL issues.example.com docs.example.com https://issues/* https://docs/* http://mysvnserver https://talkgadget.google.com/* https://mail.google.com/* https://www.google.com/*
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0

Post Reply