IP destination header in DNS request/reply - networking

When a DNS request/reply is sent to/by a DNS server on another subnet, what IP destination address will be used in the IP header?

DNS is a normal UDP protocol: the real IP addresses of the client host and the DNS server are sent (they only change if there is a NAT service in between).
Example:
Host: 1.1.1.1
NAT-Router-Service: private 1.1.1.2 / public 2.2.2.2
DNS-Server: 3.3.3.3
1. Host: request-packet from 1.1.1.1 to 3.3.3.3
2. NAT-Service: request-packet from 2.2.2.2 to 3.3.3.3
3. DNS-Server: reply-packet from 3.3.3.3 to 2.2.2.2
4. NAT-Service: reply-packet from 3.3.3.3 to 1.1.1.1
Regards Thomas
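The four-step exchange above, played through a minimal stateful source-NAT model (an added example, not code from the original post): the NAT rewrites the source address and port of the outbound query, records the mapping, and uses it to rewrite the destination of the matching reply; replies that match no table entry are dropped. The private range 1.1.1.0/24 and the port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Nat:
    """Toy source-NAT table (constructed model, not a real NAT implementation)."""
    def __init__(self, public_ip, private_net):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.table = {}          # public port -> (private ip, private port)
        self.next_port = 40000

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in self.private_net:
            return pkt           # not from the private side: forward untouched
        for pub_port, inner in self.table.items():
            if inner == (pkt.src, pkt.sport):
                break            # reuse the existing mapping
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[pub_port] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        inner = self.table.get(pkt.dport)
        if pkt.dst != self.public_ip or inner is None:
            return None          # no matching state: unsolicited packet is dropped
        return Packet(pkt.src, pkt.sport, inner[0], inner[1])

def dns_exchange():
    """Return the packet as seen at each of the four steps in the post."""
    nat = Nat("2.2.2.2", "1.1.1.0/24")
    query = Packet("1.1.1.1", 51000, "3.3.3.3", 53)              # 1. host sends
    on_wire = nat.outbound(query)                                 # 2. NAT rewrites src
    reply = Packet("3.3.3.3", 53, on_wire.src, on_wire.sport)     # 3. server answers 2.2.2.2
    delivered = nat.inbound(reply)                                # 4. NAT rewrites dst
    return [query, on_wire, reply, delivered]
```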

Related

squid as http proxy configuration

I am trying to use Squid as http proxy (proxy all requests from 88.99.219.124 using 85.10.219.144/29 subnet).
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
acl proxy dst 85.10.219.144/29
http_access allow client proxy
http_access deny all
http_port 3129
$ tail -f /var/log/squid3/access.log
1543865940.128 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.138 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.147 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
1543865940.156 0 88.99.219.124 TCP_DENIED/403 3486 CONNECT google.com:443 - HIER_NONE/- text/html
What's wrong with my config?
Squid config:
$ cat /etc/squid3/squid.conf
acl client src 88.99.219.124
http_access allow client
http_access deny all
http_port 3129
debug_options ALL,1
To allow your server to use the 85.10.219.144/29 subnet, add the IP addresses from the subnet to the network interfaces.
Use a subnet calculator to find the min & max IP in the subnet range.
Network interfaces:
$ cat /etc/network/interfaces
...
auto vmbr0
iface vmbr0 inet static
address x.x.x.x
netmask x.x.x.x
gateway x.x.x.x
bridge-ports __network_interface_name__
bridge-stp off
bridge-fd 0
auto vmbr0:0
iface vmbr0:0 inet static
address 85.10.219.145
netmask 255.255.255.248
auto vmbr0:1
iface vmbr0:1 inet static
address 85.10.219.146
netmask 255.255.255.248
auto vmbr0:2
iface vmbr0:2 inet static
address 85.10.219.147
netmask 255.255.255.248
auto vmbr0:3
iface vmbr0:3 inet static
address 85.10.219.148
netmask 255.255.255.248
auto vmbr0:4
iface vmbr0:4 inet static
address 85.10.219.149
netmask 255.255.255.248
auto vmbr0:5
iface vmbr0:5 inet static
address 85.10.219.150
netmask 255.255.255.248
And now when we try to use our proxy, it works!
$ curl -x http://85.10.219.150:3129 -L http://google.com
In log file:
$ cat /var/log/squid/access.log
1544717769.941 58 _your_ip_ TCP_MISS/200 13234 GET http://www.google.com/ - HIER_DIRECT/2a00:1450:4001:809::2004 text/html
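To see why the first configuration logs TCP_DENIED for the CONNECT to google.com, here is a small model of Squid's http_access evaluation (an added example, not Squid's code or the poster's): every ACL named on one http_access line must match, and lines are tried in order. A real dst ACL resolves the request's hostname; the model takes the resolved address as input, and 172.217.16.110 is a constructed stand-in for what google.com resolves to.

```python
import ipaddress

def parse_acl(line):
    """Parse 'acl <name> <src|dst> <ip-or-cidr>' into (name, (kind, network))."""
    _, name, kind, value = line.split(None, 3)
    return name, (kind, ipaddress.ip_network(value.strip(), strict=False))

def acl_matches(acl, client_ip, dest_ip):
    kind, net = acl
    addr = ipaddress.ip_address(client_ip if kind == "src" else dest_ip)
    return addr in net

def http_access(config, client_ip, dest_ip):
    """Return the action of the first http_access line whose ACLs all match.
    Names on one line are AND-ed; 'all' is Squid's built-in match-everything ACL."""
    acls = dict(parse_acl(l) for l in config if l.startswith("acl "))
    for line in config:
        if not line.startswith("http_access "):
            continue
        _, action, *names = line.split()
        if all(n == "all" or acl_matches(acls[n], client_ip, dest_ip) for n in names):
            return action
    return "deny"   # Squid's implicit default when no line matches

# The poster's first config: 'allow client proxy' needs the *destination* of the
# request to lie in 85.10.219.144/29, which google.com never does.
BROKEN = [
    "acl client src 88.99.219.124",
    "acl proxy dst 85.10.219.144/29",
    "http_access allow client proxy",
    "http_access deny all",
]

# The corrected config from the answer: only the client address is checked.
FIXED = [
    "acl client src 88.99.219.124",
    "http_access allow client",
    "http_access deny all",
]

GOOGLE_IP = "172.217.16.110"   # constructed stand-in for google.com's resolved address
```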

Squid DNS FAIL when trying to connect to localhost

I'm running a local http server and local squid instance. A local http client opens a socket connecting to the squid instance, which seems to work. I then try to tunnel to the local http server by issuing the following http request:
CONNECT localhost:80 HTTP/1.1\r\n
which yields the response headers
Content-Language en
Content-Length 3612
Content-Type text/html;charset=utf-8
Date Thu, 21 Jun 2018 17:28:10 GMT
Mime-Version 1.0
Server squid/3.5.27
Vary Accept-Language
X-Squid-Error ERR_DNS_FAIL 0
with status 503.
I also tried connecting to 127.0.0.1, which yields this response:
Content-Language en
Content-Length 3433
Content-Type text/html;charset=utf-8
Date Thu, 21 Jun 2018 17:35:16 GMT
Mime-Version 1.0
Server squid/3.5.27
Vary Accept-Language
X-Squid-Error ERR_CONNECT_FAIL 111
My squid.conf looks like this:
http_port 3128
coredump_dir /var/spool/squid
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl any_host src all
acl all_dst dst all
http_access allow any_host
http_access allow all_dst
Is there a different way to tell squid to connect to localhost?
I found that what was failing was localhost resolving to [::1] and not 127.0.0.1.
In order to bypass /etc/hosts, simply add the following to /etc/squid/hosts:
127.0.0.1 localhost
Then hosts_file /etc/squid/hosts in your squid.conf.
Of course the file can be put anywhere you would like.
Somehow squid tried to resolve localhost to 127.0.0.1, which ended up in a connection failure. Specifying [::1] instead of localhost, however, performs as expected.
In my case I was using the squid machine hostname (e.g. mysquid.proxy) and the problem was not related to the DNS resolutions because the squid machine could resolve itself correctly using its hostname.
The problem was rather caused by the configuration of an additional port in the same proxy. I was using squid as both forward proxy and reverse proxy with two different ports:
3128 - forward proxy
443 - reverse proxy
The client was connecting to the (forward) proxy mysquid.proxy:3128 and the request was something like:
CONNECT mysquid.proxy:443 HTTP/1.1
So the reverse proxy port was used in the end.
However, on that port a url_rewrite_program (a Perl script) was configured to filter and change some paths of specific URLs, and that script was wrongly redirecting the request to a non-existent URL, which caused the error "503 Service Unavailable" in the client.

A websocket via nginx proxy?

Hi, I have a question ~ I want to use an nginx proxy to distribute websocket connections to another port, like this.
client ====> proxy =====> ws server
but my question is: is the websocket tunnel built between the client and the ws server, or between the client and the proxy and the ws server?
client === proxy ==== ws server
Or
client ===== ws server
Thanks ~~~
You don't skip proxy as such. The proxy makes the connection on behalf of you. See the below excerpt from https://www.nginx.com/blog/websocket-nginx/
A WebSocket application keeps a long‑running connection open between the client and the server, facilitating the development of real‑time applications. The HTTP Upgrade mechanism used to upgrade the connection from HTTP to WebSocket uses the Upgrade and Connection headers. There are some challenges that a reverse proxy server faces in supporting WebSocket. One is that WebSocket is a hop‑by‑hop protocol, so when a proxy server intercepts an Upgrade request from a client it needs to send its own Upgrade request to the backend server, including the appropriate headers. Also, since WebSocket connections are long lived, as opposed to the typical short‑lived connections used by HTTP, the reverse proxy needs to allow these connections to remain open, rather than closing them because they seem to be idle.
Edit-1 - Connections Comparisons between Nginx and direct NodeJS
So finally I did some tests to make sure. Started a socket.io app on 3000 and nginx on 80 to forward the requests to the Socket.io app.
Nginx
When I access the app using http://IP/ in two browser windows, the open connections are as below
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 13u IPv6 28591 0t0 TCP localhost:3000->localhost:42698 (ESTABLISHED)
node 4443 vagrant 14u IPv6 28626 0t0 TCP localhost:3000->localhost:42712 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
nginx 5144 vagrant 13u IPv4 28589 0t0 TCP 192.168.33.100:http->192.168.33.1:64799 (ESTABLISHED)
nginx 5144 vagrant 14u IPv4 28590 0t0 TCP localhost:42698->localhost:3000 (ESTABLISHED)
nginx 5144 vagrant 15u IPv4 28625 0t0 TCP localhost:42712->localhost:3000 (ESTABLISHED)
nginx 5144 vagrant 16u IPv4 28624 0t0 TCP 192.168.33.100:http->192.168.33.1:64826 (ESTABLISHED)
Now after closing both the tabs
$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
NodeJS
Opening two browser tabs with direct connection to NodeJS http://<IP>:3000. Then the results are as below
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 13u IPv6 30014 0t0 TCP 192.168.33.100:3000->192.168.33.1:52550 (ESTABLISHED)
node 4443 vagrant 14u IPv6 30015 0t0 TCP 192.168.33.100:3000->192.168.33.1:52551 (ESTABLISHED)
node 4443 vagrant 15u IPv6 30016 0t0 TCP 192.168.33.100:3000->192.168.33.1:52552 (ESTABLISHED)
node 4443 vagrant 16u IPv6 30017 0t0 TCP 192.168.33.100:3000->192.168.33.1:52553 (ESTABLISHED)
node 4443 vagrant 17u IPv6 30018 0t0 TCP 192.168.33.100:3000->192.168.33.1:52554 (ESTABLISHED)
node 4443 vagrant 18u IPv6 30020 0t0 TCP 192.168.33.100:3000->192.168.33.1:52556 (ESTABLISHED)
node 4443 vagrant 19u IPv6 30024 0t0 TCP 192.168.33.100:3000->192.168.33.1:52578 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
This may look a bit strange, but this is because the connections used to open the site are also kept alive for a few seconds. So after waiting for some time
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
node 4443 vagrant 11u IPv6 25730 0t0 TCP *:3000 (LISTEN)
node 4443 vagrant 18u IPv6 30020 0t0 TCP 192.168.33.100:3000->192.168.33.1:52556 (ESTABLISHED)
node 4443 vagrant 19u IPv6 30024 0t0 TCP 192.168.33.100:3000->192.168.33.1:52578 (ESTABLISHED)
nginx 5144 vagrant 6u IPv4 28402 0t0 TCP *:http (LISTEN)
As you can see, the number of connections will always be higher when you use Nginx.
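The behaviour the quoted excerpt describes (the proxy issuing its own Upgrade request to the backend and keeping the idle tunnel open) corresponds to the nginx configuration below. This is an added example, not configuration from the post or from the nginx blog; it assumes the socket.io app from the test listens on 127.0.0.1:3000 and nginx on port 80.

```nginx
# http {} context. Upgrade and Connection are hop-by-hop headers, so nginx must
# set them itself on the connection it opens to the backend.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client asked for WebSocket: forward the upgrade
    ''      close;     # plain HTTP request: ordinary proxied request
}

upstream ws_backend {
    server 127.0.0.1:3000;   # the socket.io app from the test above
}

server {
    listen 80;

    location / {
        proxy_pass http://ws_backend;

        # WebSocket requires HTTP/1.1 between nginx and the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket connections are long lived; without these nginx closes a
        # tunnel that has been silent for 60 s (the default timeouts).
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

With this in place the lsof listing shows exactly what the test observed: one client-to-nginx connection and one nginx-to-node connection per browser tab.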

Setting up multiple sites on IIS7 with different certs on the same IP and port

Scenario:
Site 1 settings -
url: https://www.site1.com
ip: 1.1.1.1
port: 443
cert: *.site1.com
Site 2 settings -
url: https://www.site2.com
ip: 1.1.1.1
port: 443
cert: *.site2.com
Is this even possible on IIS7 or do I have to force one of the sites to go through a different port?
What do the bindings look like in this case?
With IIS 7, you can only have one IP per certificate. With IIS 8, you can use SNI and use multiple certificates per IP. With only one IP address on your server, you'll need to put site2 onto a different port.
Site 1 settings - url: https://www.site1.com ip: 1.1.1.1 port: 443 cert: *.site1.com
Site 2 settings - url: https://www.site2.com ip: 1.1.1.1 port: 444 cert: *.site2.com
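The two bindings the answer describes, expressed with the WebAdministration module (an added example, not from the original answer). Site names "Site1" and "Site2" and the certificate thumbprints are placeholders; the SNI variant is commented out because it needs IIS 8 or later.

```powershell
# Requires the WebAdministration module that ships with IIS 7 and later.
Import-Module WebAdministration

# IIS 7: only one certificate can be bound to a given IP:port, so site2
# moves to 444 while site1 keeps 443 on the same address.
New-WebBinding -Name "Site1" -Protocol https -IPAddress 1.1.1.1 -Port 443
New-WebBinding -Name "Site2" -Protocol https -IPAddress 1.1.1.1 -Port 444

# Attach each wildcard certificate to its own IP:port endpoint.
# <THUMBPRINT_...> are placeholders for the installed *.site1.com / *.site2.com certs.
$cert1 = Get-Item "Cert:\LocalMachine\My\<THUMBPRINT_OF_STAR_SITE1_COM>"
$cert2 = Get-Item "Cert:\LocalMachine\My\<THUMBPRINT_OF_STAR_SITE2_COM>"
New-Item "IIS:\SslBindings\1.1.1.1!443" -Value $cert1
New-Item "IIS:\SslBindings\1.1.1.1!444" -Value $cert2

# IIS 8 or later only: SNI lets both sites share 1.1.1.1:443, selected by host
# name (-SslFlags 1 marks the binding as SNI).
# New-WebBinding -Name "Site2" -Protocol https -IPAddress 1.1.1.1 -Port 443 `
#     -HostHeader www.site2.com -SslFlags 1

# Check: an IP:port shared by several https bindings on IIS 7 is a conflict,
# because the first certificate bound to that endpoint is served for all of them.
Get-WebBinding -Protocol https |
    Group-Object { ($_.bindingInformation -split ':')[0..1] -join ':' } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Shared endpoint $($_.Name): $($_.Group.bindingInformation -join ', ')" }
```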

ping localhosts, edit /etc/network/hosts

I want to successfully ping some hostnames. These hostnames have the same IP, 127.0.0.1
So I edited /etc/network/hosts:
127.0.0.1 host1
127.0.0.1 host2
127.0.0.1 host3
127.0.0.1 host4
127.0.0.1 host5
127.0.0.1 host6
127.0.0.1 host7
127.0.0.1 host8
127.0.0.1 host9
My /etc/network/interfaces file was:
auto lo
iface lo inet loopback
Then I added this:
iface eth0 inet static
address 127.0.0.1
network 127.0.0.0
netmask 255.255.255.0
broadcast 127.0.0.255
But when I try to do:
ping host1
it doesn't work, even with other hostnames in /etc/network/hosts.
In recent kernels the hostname-IP pairs are saved in /etc/hosts, not in /etc/network/hosts; the edit in /etc/network/interfaces is useless. I just tried everything.
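Both this question and the earlier Squid hosts_file answer come down to how a hosts file is read, so here is a small parser for that format as an added example (not code from either post): one address per line followed by one or more names, '#' comments, first-match order preserved. The sample contents are constructed; they show that a stock /etc/hosts gives localhost both 127.0.0.1 and ::1 (which is what tripped up Squid above), that a dedicated hosts_file can pin it to IPv4 only, and that the nine loopback aliases can share one line.

```python
import ipaddress

def parse_hosts(text):
    """Parse hosts-file text into {hostname (lower-case): [addresses in file order]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                            # malformed entry: skipped, as resolvers do
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table

def lookup(table, name, family=None):
    """Addresses for name; family 4 or 6 filters like getaddrinfo(AF_INET / AF_INET6)."""
    addrs = table.get(name.lower(), [])
    if family is None:
        return addrs
    return [a for a in addrs if ipaddress.ip_address(a).version == family]

# Constructed sample of a typical system /etc/hosts: localhost has both an IPv4
# and an IPv6 address, so a client preferring IPv6 may connect to ::1 first.
SYSTEM_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# nine aliases for the loopback address can share a single line
127.0.0.1   host1 host2 host3 host4 host5 host6 host7 host8 host9
"""

# Constructed sample for Squid's hosts_file directive: pins localhost to IPv4 only.
SQUID_HOSTS = "127.0.0.1 localhost\n"
```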
