
List:       info-cyrus
Subject:    Re: cyrus http proxy in murder HTTP/1.1 403 Forbidden
From:       Jean-Christophe Delaye <Jean-Christophe.Delaye () eurecom ! fr>
Date:       2019-04-04 13:42:31
Message-ID: a37d4701-aebf-97e5-0eb8-90f418fc3768 () eurecom ! fr

On 4/2/19 7:15 PM, Ken Murchison wrote:
> 
> On 4/2/19 1:02 PM, Jean-Christophe Delaye wrote:
>> Hello,
>>
>> We're testing Cyrus 3.0.9 in a murder configuration.
>> It works fine for imap/imaps services. I can access mailboxes from
>> different frontends, and move mailboxes from one backend to another!
>>
>> I'm now blocked with the calendar features in this configuration.
>> It works fine in both read and write mode directly from the backend.
>>
>> http://backend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 204 No Content"
>>
>> I've configured http/https also on the frontend to enable accessing
>> calendars from there:
>>
>> http://frontend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> It works perfectly in read-only mode from the frontend, but if I try to
>> make some changes, it does not complete and returns a Forbidden message.
>>
>> "PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 403 Forbidden"
> 
Thanks for your reply.
I've activated telemetry and debug mode on both frontend and backend.

My feeling is that the frontend does not forward to the selected backend when
operating in WRITE mode [:method: PUT] (I can't see an authentication request
on the backend nor network activity between them while monitoring with
snoop).

But it works fine when just accessing and browsing the calendar without
modification [:method: PROPFIND] or even deleting events [:method: DELETE].

HTTP log for user xxxx on backend:

<1554373427<REPORT /dav/calendars/user/xxxx/Default/ HTTP/1.1
Host: backend.eurecom.fr
Via: 2 frontend.eurecom.fr (Cyrus/3.0.9)
Forwarded: proto=https;host=backend.eurecom.fr;for=172.17.20.150;for=192.168.106.207

I've attached the complete http sequence on the frontend before and
after the 403 response.

Thank you.

> 
> Is there any body in the 403 response with more information?  You might
> have to enable telemetry on the backend.
> 
> Is the frontend proxy authenticating as the owner of the calendar? 
> Check the cyrus log on the backend.
> 
> 
>> I've compiled backend and frontend with the same options
>>
>> Server: Cyrus-HTTP/3.0.9 Cyrus-SASL/2.1.26 OpenSSL/1.0.0 Nghttp2/1.35.0
>> Zlib/1.2.11 LibXML2.9.5 SQLite/3.24.0 LibiCal/3.0 ICU4C/59.1 Jansson/2.10
>> WWW-Authenticate: Basic realm="frontend.eurecom.fr"
>> DAV: 1, 2, 3, access-control, extended-mkcol, resource-sharing
>> DAV: calendar-access, calendar-auto-schedule
>> DAV: calendar-query-extended, calendar-availability,
>> calendar-managed-attachments
>> DAV: calendarserver-sharing, inbox-availability
>> DAV: addressbook
>> Allow: OPTIONS, GET, HEAD, POST, PUT, PATCH, DELETE, TRACE
>> Allow: PROPFIND, REPORT, COPY, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL
>> Allow: MKCALENDAR
>> Content-Length: 0
>>
>> The question is:
>> Are there specific configuration parameters to enable proxy http/https in
>> murder configuration? I can't find useful information in the
>> documentation. I've seen the Interactive HTTP test program httptest, but
>> can't find parameters to simulate calendar clients.
>>
>> Thank you
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
> 
> 
> 








["http.txt" (text/plain)]

cyrus/https[1651]: [ID 560950 local3.debug] tls_client_ca_dir=(NULL) tls_client_ca_file=/global/cyrus/etc/ssl/DigiCertCA.crt
cyrus/https[1651]: [ID 810032 local3.debug] tls_server_cert=/global/cyrus/etc/ssl/imap_eurecom_fr.crt tls_server_key=/global/cyrus/etc/ssl/imap.eurecom.fr.key
cyrus/https[1651]: [ID 817102 local3.notice] inittls: Loading hard-coded DH parameters
cyrus/https[1651]: [ID 495959 local3.debug] Set client CA list: Client cert requested, not required
cyrus/https[1651]: [ID 704172 local3.debug] TLS Server Name Indication (SNI) Extension: "imap.eurecom.fr"
cyrus/https[1651]: [ID 574029 local3.debug] SSL_accept() incomplete -> wait
cyrus/https[1651]: [ID 867439 local3.debug] SSL_accept() succeeded -> done
cyrus/https[1651]: [ID 702911 local3.notice] starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication; application protocol = h2
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(15): 0
cyrus/https[1651]: [ID 739106 local3.debug] ret: 0, eof: 0, want read: 1
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 148, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 430, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 611534 local3.debug] http2_begin_headers_cb(id=15, type=1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:method: PUT)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:path: /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:authority: imap.eurecom.fr)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:scheme: https)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept: text/xml)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-language: en-GB,en;q=0.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-encoding: gzip, deflate, br)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-charset: utf-8,*;q=0.1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-length: 9332)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-type: text/calendar; charset=utf-8)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(if-match: "50ab3d1a71c68976f2738e4c7a8276f8d41d4468")
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cookie: SESS2f0096f341f49daa238064955414f109=k69uvq1krqi679tguccttm2qs0)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(authorization: Basic c3RhbmRhcmQ6SGVyc2VsLg==)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(pragma: no-cache)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cache-control: no-cache)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=1, flags=0x24
cyrus/https[1651]: [ID 364641 local3.debug] conn flags: 0  upgrade flags: 0  tls req: 0
cyrus/https[1651]: [ID 909740 local3.debug] http_auth: status=0   scheme=''   creds='Basic <response>'
cyrus/https[1651]: [ID 796571 local3.debug] http_auth: find client scheme
cyrus/https[1651]: [ID 113398 local3.debug] http_auth: found matching scheme: Basic
cyrus/https[1651]: [ID 564409 local3.notice] login: anjou.eurecom.fr [172.17.20.150] xxxx Basic+TLS User logged in SESSIONID=<cyrus-1651-1554383568-1-6250751509654826835>
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=8, flags=0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4087, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4096, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 1149, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=1149, txnflags=0)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=0, flags=0x1
cyrus/https[1651]: [ID 133476 local3.debug] write_body(code = -1964266992, flags.te = 0, len = 0)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(:status: 403)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Date: Thu, 04 Apr 2019 13:12:49 GMT)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Strict-Transport-Security: max-age=600)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Cache-Control: no-cache)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Content-Length: 0)
cyrus/https[1651]: [ID 518894 local3.debug] end_resp_headers(code = -1964266992, len = 0, flags.te = 0)
cyrus/https[1651]: [ID 829378 local3.debug] nghttp2_submit headers(id=15, flags=0x1)
cyrus/https[1651]: [ID 702911 local3.info] anjou.eurecom.fr [172.17.20.150] as "xxxx" with "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5"; "PUT /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics HTTP/2" (if-match="50ab3d1a71c68976f2738e4c7a8276f8d41d4468") => "HTTP/2 403 Forbidden"
cyrus/https[1651]: [ID 334236 local3.debug] nghttp2_submit_data(id=15, len=0, outlen=0, flags=0x1)
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(9): 0
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(63): 0
cyrus/https[1651]: [ID 640762 local3.debug] http2_stream_close_cb(id=15)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 9, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = -504, eof = 0, err = '', errno = 11
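
The debug log attached above records each request header in an http2_header_cb(name: value) entry, including the authorization and cookie values, while the http_auth entry masks the credential as 'Basic <response>'. The following is an added example, not part of the original message or of Cyrus, that masks those header values in a log of this shape before it is shared. It assumes one syslog entry per line; the sample input and the names sanitize, mask_value and SENSITIVE are constructed for illustration.

```python
import re

# Request headers whose values are credentials or session tokens.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}

# Assumption: one syslog entry per line, shaped like
#   cyrus/https[PID]: [ID n local3.debug] http2_header_cb(name: value)
HEADER_RE = re.compile(
    r"^(?P<pre>.*http2_header_cb\()(?P<name>:?[\w-]+): (?P<value>.*)\)\s*$"
)


def mask_value(name, value):
    """Mask the secret part of a header value, keeping what aids debugging."""
    if name == "cookie":
        # Keep the cookie names, drop their values.
        names = [p.split("=", 1)[0].strip() for p in value.split(";") if p.strip()]
        return "; ".join(f"{n}=[REDACTED]" for n in names)
    # Authorization-style headers: keep only the scheme (Basic, Bearer, ...).
    scheme = value.split(" ", 1)[0]
    return f"{scheme} [REDACTED]"


def sanitize(log_text):
    """Return (sanitized_text, names_of_masked_headers_in_order)."""
    out, masked = [], []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m and m["name"].lower() in SENSITIVE:
            name = m["name"].lower()
            line = f"{m['pre']}{m['name']}: {mask_value(name, m['value'])})"
            masked.append(name)
        out.append(line)
    return "\n".join(out), masked


# Constructed sample input (not the log from the message above).
SAMPLE = """\
cyrus/https[100]: [ID 1 local3.debug] http2_header_cb(:method: PUT)
cyrus/https[100]: [ID 1 local3.debug] http2_header_cb(user-agent: Example/1.0 (X11; Linux))
cyrus/https[100]: [ID 1 local3.debug] http2_header_cb(cookie: SESSabc=value1; theme=dark)
cyrus/https[100]: [ID 1 local3.debug] http2_header_cb(authorization: Basic ZXhhbXBsZTpleGFtcGxl)
cyrus/https[100]: [ID 1 local3.debug] simple_hdr(:status: 403)"""

if __name__ == "__main__":
    clean, masked = sanitize(SAMPLE)
    print(clean)
    print("masked:", masked)
```
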



