Article delegate-en/2546 of [1-5169] on the server localhost:119
[Reference:<_A2545@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] filtering HTTP request message by CFI/CGI (Re: Still problems with POST and SSL-Tunnel)
13 Feb 2004 19:34:04 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

On 02/12/04(22:09) you p54eqbdyi-7pkjwodt46fr.ml@ml.delegate.org wrote
in <_A2545@delegate-en.ML_>
 |thank you for your quick reply. We try to break up the ssl-connection from the
 |client (mostly MS IE 5.5) to the server. So we make an ssl-connection from IE to
 |client delegate, and a second one from master delegate to the server. On the
 |tunnel we want to scan files for viruses or block uploads based on file
 |contents, and additionally the sslway only accepts correct certificates without any
 |exceptions, not like IE does. As I said, virus-scanning of downloaded files is
 |working this way. We used the -st option to start the connection with IE.

I've come to see what you are doing :).
You are using a pair of DeleGates as an HTTPS/SSL proxy (SSLtunnel) to peep
at the bare HTTP message in a filter, with a configuration like this:

                 [certificate]
                    FCL=sslway  FTOSV=filter           FSV=sslway 
                         v          v                       v
   client ---------------+ DeleGate +------------- DeleGate +---------- server
           HTTPS/SSL                 HTTP                    HTTPS/SSL
           over CONNECT              over CONNECT         

But I'm curious how you know of such a special usage of DeleGate ...

Anyway, the reason why the end of the HTTP request message (both POST and GET)
is not recognized in CGI:filter is clear.  It is simply because rewriting a
request message (which has no EOF at its end) by CFI/CGI has not been supported.
Since an HTTP proxy acting as an SSLtunnel does not recognize what it is
relaying, it cannot help the CFI/CGI program by generating an EOF.  So the end
of the request message must be detected by the CFI/CGI program itself, as in
the enclosed patch.

Also I recommend that you add the following line to your CFI script so that
the filter program is not invoked in vain for non-POST methods.

   Req-Method: POST

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://www.delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

*** ../dist/delegate8.9.1/filters/cfi.c	Sat Dec 27 22:04:24 2003
--- cfi.c	Sat Feb 14 03:46:22 2004
***************
*** 430,435 ****
--- 430,441 ----
  
  	filterFields(spec,head);
  
+ 	if( strncmp(statline,"POST ",5)==0 ){
+ 		FILE *sin = in;
+ 		in = TMPFILE("Request-Body");
+ 		HTTP_getBody(statline,head,sin,in);
+ 		fclose(sin);
+ 	}
  	if( getFieldValue2(head,"Content-Encoding",enc,sizeof(enc)) ){
  		FILE *sin = in;
  		in = Gunzip(enc,in);
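Review bot: the buffering guarded by `if( strncmp(statline,"POST ",5)==0 )` keys on the method name rather than on the framing headers, so a PUT (or any other request carrying a body) still reaches the filter unbuffered and hits the same no-EOF problem this hunk fixes for POST; testing for a Content-Length or Transfer-Encoding header, or at least also matching "PUT ", would cover those cases. The result of `in = TMPFILE("Request-Body");` is also passed to HTTP_getBody without a NULL check, so a failure to create the temporary file would be detected only when the write fails.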
***************
*** 496,504 ****
--- 502,523 ----
  		getFV(head,"X-Request-Original",oreq);
  		getFV(head,"X-Request",req);
  
+ 		if( strncmp(statline,"GET ",4)==0
+ 		 || strncmp(statline,"HEAD ",5)==0 )
+ 			in = TMPFILE("Empty-Request-Body\n");
+ 
  		system_CGI(conninfo,oreq,req,head,cgi,in,intmp);
  		fseek(intmp,0,0);
+ 		/*
  		fgets(statline,sizeof(statline),intmp);
+ 		*/
+ 		if( strncmp(statline,"HTTP/",5) == 0 ){ /* response */
+ 			fgets(statline,1024,intmp);
+ 		}else{
+ 			char stat[1024];
+ 			fgets(stat,sizeof(stat),intmp);
+ 			/* it should be the rewritten Request line ... */
+ 		}
  		head = xhead = RFC822_readHeader(intmp,0);
  		in = intmp;
  	}
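Review bot: in the else branch the line read into the local `stat` is never used, so a Request line rewritten by the CGI does not replace `statline`, contrary to what `/* it should be the rewritten Request line ... */` expects; copying `stat` into `statline` (or reading straight into `statline` as the commented-out fgets did) would make the rewrite take effect. The response branch uses the literal length in `fgets(statline,1024,intmp);` where the replaced line used `sizeof(statline)`; keep `sizeof` so the read cannot exceed the buffer. Neither fgets return value is checked, so an empty filter output leaves `statline` stale. Also `in = TMPFILE("Empty-Request-Body\n");` replaces `in` without closing the previous stream, unlike the POST path in the first hunk which does `fclose(sin)`, and the trailing "\n" in that label differs from the "Request-Body" label used there.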

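The framing problem described in the message above, where a filter on a relayed connection never sees an EOF and so must find the end of each request itself, as an added example in Python. This is not part of the original post and not DeleGate's cfi.c: it follows the HTTP framing rules (Transfer-Encoding: chunked first, then Content-Length, otherwise no body) instead of keying on the method name as the patch does, which also covers PUT and chunked uploads. The request bytes in CONSTRUCTED_STREAM are made up for the demonstration; two requests pipelined behind the first one show that the parser stops at the message boundary rather than waiting for EOF.

```python
"""Delimit HTTP request messages on a stream that never reaches EOF.

Added example, not DeleGate code. A filter fed the bare HTTP side of an
SSLtunnel has to locate the end of a request by parsing it: request line,
header lines up to the blank line, then a body whose length is given by
Transfer-Encoding: chunked or Content-Length, and no body at all otherwise.
"""
import io

# Constructed input: a POST with Content-Length, a bodiless GET and a
# chunked POST, back to back, with no EOF between them.
CONSTRUCTED_STREAM = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\n"
    b"hello world"
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /chunked HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
)


def _read_line(stream):
    line = stream.readline()
    if not line:
        raise EOFError("stream ended inside a request message")
    return line


def _read_exact(stream, n):
    # Read exactly n bytes; a short read here means a truncated body.
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("stream ended inside the body")
        buf += chunk
    return buf


def _read_chunked(stream):
    # Chunk size (hex, optional ;extensions), chunk data, CRLF; a zero-size
    # chunk ends the body and is followed by optional trailers and a blank line.
    body = b""
    while True:
        size = int(_read_line(stream).split(b";")[0].strip(), 16)
        if size == 0:
            while _read_line(stream) not in (b"\r\n", b"\n"):
                pass
            return body
        body += _read_exact(stream, size)
        _read_line(stream)  # consume the CRLF that terminates the chunk data


def read_request(stream):
    """Return (method, request_line, headers, body) for one message.

    Headers are lower-cased byte names; the stream is left positioned at the
    first byte of the next message, so no EOF is needed to finish.
    """
    request_line = _read_line(stream).rstrip(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    headers = {}
    while True:
        line = _read_line(stream)
        if line in (b"\r\n", b"\n"):
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    # Framing is decided by the headers, not by the method name.
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = _read_chunked(stream)
    elif b"content-length" in headers:
        body = _read_exact(stream, int(headers[b"content-length"]))
    else:
        body = b""  # GET/HEAD and friends: the message ends at the blank line
    return method.decode("ascii"), request_line.decode("ascii"), headers, body


def demo():
    """Parse every message in CONSTRUCTED_STREAM without relying on EOF."""
    stream = io.BytesIO(CONSTRUCTED_STREAM)
    requests = []
    while stream.tell() < len(CONSTRUCTED_STREAM):
        requests.append(read_request(stream))
    return requests


if __name__ == "__main__":
    for method, line, headers, body in demo():
        print(method, line, len(body), body)
```

A filter built this way can hand each buffered request to the scanner or CGI one at a time, which is exactly what the patch achieves for POST by copying the body into a temporary file before invoking the CGI.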