[RESOLVED] ABE blocking redirection after following link

[Thrawn]

I'm trying to tell ABE to allow a link from our internal wiki (on a 161 143 address) to a service on localhost. However, although ABE permits the initial request, if the service then redirects (even to the same host & port), ABE will block the redirection.

My rule looks like:

Code: Select all

Site LOCAL
Accept from LOCAL ^http://161\.143\.x\.x/.*
Deny

What happens is that I'll get to our service, let's say on localhost port 8080, and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!

[Thrawn]

Code: Select all

Deny on {GET redirection target <<< original target of link, internal site hosting link - 6}

[al_9x]

"161.143" or "161.143.0.0/16"

[Thrawn]

"161.143" or "161.143.0.0/16"

Ah, yes, I should clarify. My real rule uses a full address, not '\.x\.x', but as it's a work address I'm not going to post it here.

Here's a closer approximation:

Code: Select all

Site LOCAL
Accept from LOCAL ^http://161\.143\.1\.1:1111/.*
Deny

[Tom T.]

... and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!

Try using asterisks to obscure anything that might look spammy:

Code: Select all

L**is Vui**on Ha*db*gs

or something.

If necessary, PM it to me, and I'll post it, although I realize that's a time lag.

Also, have you tried temp-deleting our favorite anti-NAT-pinning rule?

[Thrawn]

... and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!

Try using asterisks to obscure anything that might look spammy:

Code: Select all

L**is Vui**on Ha*db*gs

or something.

If necessary, PM it to me, and I'll post it, although I realize that's a time lag.

Will have a go at that when I'm next at work (taking a week off), or might try to reproduce at home.

Also, have you tried temp-deleting our favorite anti-NAT-pinning rule?

No; the ABE error definitely said that it was the SYSTEM rule that was firing.

It's weird: with the rule that I currently have in place, I can follow a link from remotesite:port to localhost:8080/url1, or from remotesite:port to localhost:8080/url2, but if I follow a link from remotesite:port to localhost:8080/url1, and the service on localhost then redirects me to localhost:8080/url2, ABE blocks the redirection. And the message looks like it's reporting a request origin of 'localhost:8080, remotesite:port'. A compound request origin?!

[Tom T.]

...It's weird: with the rule that I currently have in place, I can follow a link from remotesite:port to localhost:8080/url1, or from remotesite:port to localhost:8080/url2, but if I follow a link from remotesite:port to localhost:8080/url1, and the service on localhost then redirects me to localhost:8080/url2, ABE blocks the redirection. And the message looks like it's reporting a request origin of 'localhost:8080, remotesite:port'. A compound request origin?!

Perhaps ABE fears a nefarious attempt by a (nasty) remotesite to get to /url2 via /url1?

I've not encountered this situation before, so a couple of SWAGs:

1) al_9x was suggesting that you use the /16?

2) Because this includes a local-to-local redirect, perhaps your rule should be a SYSTEM rule, not USER, placed *above* the default SYSTEM rule - or have you already done that?

3) Compound origin? Perhaps try using that in the rule, something like

Code: Select all

Site LOCAL
Accept from localhost:8080 remotesite:port (or however the real data are connected in the error message - comma, slash, space, whatever)
Deny

[Thrawn]

Resolved in http://forums.informaction.com/viewtopi ... 23&t=10316