[RESOLVED] ABE blocking redirection after following link

Posted: Fri Sep 28, 2012 4:14 am
by Thrawn
I'm trying to tell ABE to allow a link from our internal wiki (on a 161 143 address) to a service on localhost. However, although ABE permits the initial request, if the service then redirects (even to the same host & port), ABE will block the redirection.

My rule looks like:

Code:

Site LOCAL
Accept from LOCAL ^http://161\.143\.x\.x/.*
Deny

What happens is that I'll get to our service, let's say on localhost port 8080, and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!

Re: ABE blocking redirection after following link

Posted: Fri Sep 28, 2012 4:16 am
by Thrawn

Code:

Deny on {GET redirection target <<< original target of link, internal site hosting link - 6}

Re: ABE blocking redirection after following link

Posted: Fri Sep 28, 2012 4:45 am
by al_9x
"161.143" or "161.143.0.0/16"

Re: ABE blocking redirection after following link

Posted: Fri Sep 28, 2012 5:13 am
by Thrawn
al_9x wrote:"161.143" or "161.143.0.0/16"
Ah, yes, I should clarify. My real rule uses a full address, not '\.x\.x', but as it's a work address I'm not going to post it here.

Here's a closer approximation:

Code:

Site LOCAL
Accept from LOCAL ^http://161\.143\.1\.1:1111/.*
Deny

Re: ABE blocking redirection after following link

Posted: Sat Sep 29, 2012 4:04 am
by Tom T.
Thrawn wrote:... and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!
Try using asterisks to obscure anything that might look spammy:

Code:

L**is Vui**on Ha*db*gs

or something.

If necessary, PM it to me, and I'll post it, although I realize that's a time lag.

Also, have you tried temp-deleting our favorite anti-NAT-pinning rule?

Re: ABE blocking redirection after following link

Posted: Sat Sep 29, 2012 11:25 am
by Thrawn
Tom T. wrote:
Thrawn wrote:... and then get...an ABE error that the spam filter won't let me post, even in code tags. Aaargh!
Try using asterisks to obscure anything that might look spammy:

Code:

L**is Vui**on Ha*db*gs

or something.

If necessary, PM it to me, and I'll post it, although I realize that's a time lag.

Will have a go at that when I'm next at work (taking a week off), or might try to reproduce at home.

Tom T. wrote:Also, have you tried temp-deleting our favorite anti-NAT-pinning rule?

No; the ABE error definitely said that it was the SYSTEM rule that was firing.

It's weird: with the rule that I currently have in place, I can follow a link from remotesite:port to localhost:8080/url1, or from remotesite:port to localhost:8080/url2, but if I follow a link from remotesite:port to localhost:8080/url1, and the service on localhost then redirects me to localhost:8080/url2, ABE blocks the redirection. And the message looks like it's reporting a request origin of 'localhost:8080, remotesite:port'. A compound request origin?!

Re: ABE blocking redirection after following link

Posted: Sat Sep 29, 2012 10:43 pm
by Tom T.
Thrawn wrote:...It's weird: with the rule that I currently have in place, I can follow a link from remotesite:port to localhost:8080/url1, or from remotesite:port to localhost:8080/url2, but if I follow a link from remotesite:port to localhost:8080/url1, and the service on localhost then redirects me to localhost:8080/url2, ABE blocks the redirection. And the message looks like it's reporting a request origin of 'localhost:8080, remotesite:port'. A compound request origin?!
Perhaps ABE fears a nefarious attempt by a (nasty) remotesite to get to /url2 via /url1?

I've not encountered this situation before, so a couple of SWAGs:

1) al_9x was suggesting that you use the /16?

2) Because this includes a local-to-local redirect, perhaps your rule should be a SYSTEM rule, not USER, placed *above* the default SYSTEM rule - or have you already done that?

3) Compound origin? Perhaps try using that in the rule, something like

Code:

Site LOCAL
# or however the real data are connected in the error message - comma, slash, space, whatever
Accept from localhost:8080 remotesite:port
Deny

Re: ABE blocking redirection after following link

Posted: Wed Oct 10, 2012 12:14 pm
by Thrawn