Can't get ABE to allow access to local LAN box

Post by Morac »

There's a link in a Google Docs document that links to a local LAN box. ABE is blocking this. No matter what rule I set up it refuses to work. The error console shows the following by default:

Code:

[ABE] <LOCAL> Deny on {GET http://LANBOX:8080/path <<< https://docs.google.com/path..... - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

If I add one of the rules below, it shows the following. That seems to imply it's partially allowing, but then blocking for some reason.

Code:

[ABE] <LOCAL> Deny on {GET http://LANBOX:8080/path <<<  http://LANBOX:8080/path, https://docs.google.com/path..... - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

I've tried the following rules, but none of them work:

Code:

Site LOCAL
Accept from docs.google.com

Code:

Site LOCAL
Accept from *.google.com

Code:

Site LOCAL
Accept from https://docs.google.com/path...

Code:

Site LANBOX
Accept from https://docs.google.com/path...

None of the above work. The only thing that works is the following, which is obviously not correct.

Code:

Site LOCAL
Accept from ALL

I'm at a complete loss. Any ideas?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Re: Can't get ABE to allow access to local LAN box

Post by Morac »

Okay I finally got it working. I had to specify to allow from the LANBOX as well. I have no idea why since that should be covered by allowed from LOCAL, so that seems like a bug.

Anyway, here's the rule that worked.

Code:

site LOCAL
Accept from http://LANBOX:8080 https://docs.google.com/path...
Deny
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Re: Can't get ABE to allow access to local LAN box

Post by Thrawn »

LOCAL can be a bit quirky. Also, is there some kind of redirection involved? Eg when ABE fires, does the origin (the part after the <<<) include two sites separated by a comma? There are extra complications when that occurs, because ABE takes both sites into consideration, and usually you have to put them both on the same line.

Good to hear that you made it work.

Just checking - you're putting all of these rules in your SYSTEM ruleset, above the built-in rule?

You might also be able to write it as:

Code:

Site http://LANBOX:8080
Accept from SELF docs.google.com

Site LOCAL
Accept from LOCAL
Deny

which avoids giving Google Docs access to everything local, it just gets the one location.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0

Re: Can't get ABE to allow access to local LAN box

Post by sootsnoot »

I'm having a similar problem testing OpenID authentication through google from a web app running on my local XP PC. The application's web root is

Code:

http://osh3.localhost/

With ABE disabled, all works fine. When I enable ABE with default rules, I see this in the Firefox error log (reformatted and edited for brevity):

Code:

[ABE] <LOCAL> Deny on {GET http://osh3.localhost/user/openidsergeprocesssignup?openid.ns=http%3A%2F%2Fspecs.open ... etc    <<< https://accounts.google.com/o/openid2/auth?open id.ns=...etc, https://www.google.com/accounts/o8/ud?...etc, http://osh3.localhost/default/user/openidsignup, http://osh3.localhost/default/user/openidsignup - 6}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

I've tried changing the Accept in this SYSTEM rule to each of the following 4 variations to no avail:

Code:

Accept from LOCAL ^https?://.*\.google\.com/.*
Accept from LOCAL .google\.com
Accept from SELF ^https?://.*\.google\.com/.*
Accept from SELF .google\.com

The only thing that has worked for me is making it:

Code:

Accept from ALL

Thrawn wrote: Eg when ABE fires, does the origin (the part after the <<<) include two sites separated by a comma? There are extra complications when that occurs, because ABE takes both sites into consideration, and usually you have to put them both on the same line.

So yes, there were actually three sites after the <<< (four items separated by commas but two of them were the same). On the "Accept from" I listed resources that I thought would get a match on all of those items, all on the same line. Any idea what I'm doing wrong? Is the final " - 6" just before the closing "}" a clue of some kind - what does it mean?
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0

Re: Can't get ABE to allow access to local LAN box

Post by Thrawn »

Well, for starters, if you're using the leading dot wildcard, then you're not using a regex, so you don't want the backslash. But you can also specify https-only using globs instead of regex.

Try this:

Code:

Site osh3.localhost
Accept from https://*.google.com/* osh3.localhost

# Default rule
Site LOCAL
Accept from LOCAL
Deny

Sometimes using the hostname works better than using SELF...and in this situation with redirects, I'm not sure whether the order on the Accept line matters.

sootsnoot wrote: So yes, there were actually three sites after the <<< (four items separated by commas but two of them were the same). On the "Accept from" I listed resources that I thought would get a match on all of those items, all on the same line. Any idea what I'm doing wrong? Is the final " - 6" just before the closing "}" a clue of some kind - what does it mean?

I'm pretty sure it's not meaningful. All ABE messages have something like that. Could check the code to see what it actually is, of course, but I don't think it will help us here.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0