Thursday, 2012-06-21

*** charlie (d4826f76@gateway/web/freenode/ip.212.130.111.118) has joined #wikid		11:41
*** charlie is now known as Guest39825		11:42
Guest39825	hello everyone	11:42
Guest39825	Did anyone had to change domain ID for a wikid server? (public IP change) Is there any way to do it without generating new token authorizations fr everyone?	11:45
Guest39825	thanks in advance for any suggestions	11:45
*** nowen (~nowen@adsl-74-176-163-56.asm.bellsouth.net) has joined #wikid		12:18
laszlof	hm. Apparently using a lighttpd mod_proxy isnt going to work for token clients to communicate with wikid	12:42
nowen	hmm, works with Apache	12:42
laszlof	Guest39825: contact support @ wikid (or ask nowen), they can redirect the old domain ID to your new IP	12:43
laszlof	nowen: maybe its something else, let me try direct	12:43
laszlof	I moved my wikid installation to another VPS, havent tested it yet	12:43
laszlof	hmm, never got that error before	12:44
laszlof	"Could not obtain configuration for: (DOMAIN ID)	12:44
nowen	the token can't get to the server	12:44
nowen	are you running the token in debug mode?	12:44
laszlof	no	12:45
laszlof	laszlof@wookie [~]# host 050116042094.wikidsystems.net	12:45
laszlof	Host 050116042094.wikidsystems.net not found: 3(NXDOMAIN)	12:45
laszlof	actually	12:46
laszlof	i didnt create a domain for that	12:46
laszlof	I just created one for the redirect	12:47
laszlof	050116041106	12:47
laszlof	yeah, there we go	12:48
laszlof	it works fine that way	12:48
laszlof	so, with the redirect to internal. the domain ID I specific in wikid, that should be the external IP correct?	12:48
laszlof	not the internal one	12:48
*** SEJeff has parted #wikid ("Leaving")		12:49
*** Guest39825 has quit (Quit: Page closed)		12:50
laszlof	heh, it might help if that server wasnt down at the moment	12:52
laszlof	...	12:52
nowen	always does	13:00
laszlof	bleh..	13:02
laszlof	I requested a second IP for this VPS to do the proxying	13:03
laszlof	so they gave me one	13:03
laszlof	one is assigned via DHCP, the new one, assigned statically	13:03
laszlof	they change the NEW one to be assigned via DHCP	13:03
laszlof	so when I edited the /etc/sysconfig/network-scripts/* files, I added the new IP as a static	13:03
laszlof	which subsequently dropped the main IP of the box when the DHCP lease expired	13:03
laszlof	nowen: I should just have to redirect port 80 right?	13:08
nowen	yes	13:08
laszlof	ok	13:08
laszlof	so I have 3 domains right now to cover all my bases	13:09
laszlof	1 is the main public IP of the wikid box (that works)	13:09
laszlof	1 is the internal private IP of the wikid box	13:09
laszlof	and 1 is the public IP of the box I want to redirect from	13:09
laszlof	however, if I enter the public IP of the redirect box, it doesnt seem to work as the domain id	13:10
laszlof	manually going to the IP in a browser, it tries to redirect me to https://X.X.X.X/WiKIDAdmin	13:10
laszlof	as expected	13:10
laszlof	so I know its hitting the wikid server	13:11
nowen	what is the proxy config?	13:11
laszlof	I just have server1 setup with lighttpd, and a mod_proxy redirect port 80 to the box	13:11
laszlof	I havent made any special configurations on server2 (wikid)	13:11
nowen	to /wikid ?	13:11
laszlof	the entire IP is proxied	13:12
nowen	if it is just doing to /, it will get the redirect to /WIKIDAdmin	13:12
laszlof	it should be doing it for anything to that IP	13:12
laszlof	whats a full URL I can test from the browser that would mimic a token client?	13:12
nowen	http://www.wikidsystems.com/support/wikid-support-center/troubleshooting-faq/how-do-i-run-the-token-in-debug-mode	13:13
nowen	that will give you the url, and then some	13:13
laszlof	http://pastebin.com/f2yaRvHq	13:16
nowen	https://50.116.41.106/WiKIDAdmin/	13:17
nowen	that page is not available	13:17
laszlof	yes I know, I'm not redirecting 443	13:17
nowen	this is the url http://50.116.41.106/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=050116041106&lck=1&CT=1	13:17
nowen	that seems to get through	13:17
nowen	seems like the server is not responding	13:18
nowen	do you have reverse proxy on too?	13:19
laszlof	no	13:19
laszlof	if I go direct to the public IP, it works fine	13:19
nowen	I think it is the return route	13:19
laszlof	it should be communicating through the established http session?	13:20
nowen	here's how one customer has it in apache:	13:20
nowen	ProxyPass /wikid http://10.192.158.53/wikid	13:20
nowen	ProxyPassReverse /wikid http://10.192.158.53/wikid	13:20
laszlof	hm	13:21
laszlof	you shouldnt need that for lighttpd	13:24
laszlof	the fact that its even serving an error page tells me its working	13:24
laszlof	let me restart wikid, maybe its something dumb	13:26
nowen	the post is working	13:26
nowen	the return isn't	13:26
laszlof	the return should come through the same http connection as any other request, unless it tries to establish a new connection	13:31
nowen	I'm not sure. I only know how it works on apache.	13:37
laszlof	im going to do a packet capture on the full session to see what it does	13:37
laszlof	ok. This is weird	13:40
laszlof	i get NO traffic when using the token client	13:40
nowen	where?	13:40
laszlof	but I get traffic when accessing directly the IP through a browser	13:40
laszlof	on the wikid box	13:40
laszlof	let me try something else, one sec	13:41
nowen	hmm	13:41
laszlof	yeah, something isnt right	13:41
laszlof	the POST request isnt getting through	13:41
laszlof	but a GET request is	13:41
laszlof	if I go to http://50.116.41.106/wikid/servlet/com.wikidsystems.server.InitDevice4AES?a=0&S=050116041106&lck=1&CT=1 in a browser, I see the traffic	13:42
laszlof	but the token client isnt working	13:42
nowen	brb, coffee time	13:44
laszlof	posting from a mock form seems to work as expected	13:45
laszlof	i see the traffic, and get a blank page in the browser	13:45
laszlof	I get the same when using the direct IP, so I assume the blank page is to be expected	13:48
laszlof	hm, can you add a dns entry for 192168173241.wikidsystems.net to 50.116.41.106	13:53
laszlof	temporarily	13:54
laszlof	I want to see if thats the problem	13:54
nowen	a non-internal ip would be better	13:55
laszlof	well thats the thing. The public IP isnt assigned to the box	13:56
laszlof	the public IP is assigned to the box the connections are being proxied through	13:56
nowen	and the domain uses that ip for the identifier, correct?	13:56
nowen	done	13:57
laszlof	I tried both internal/external on the wikid box, as well as the public IP of the proxy box	13:57
laszlof	i have all 3 setup as domains	13:57
laszlof	same result there.	13:58
laszlof	this is really weird	13:58
laszlof	I guess I'll fire up apache and see what it does, but I really didnt want to have to run apache	13:58
laszlof	you can kill that DNS record	13:58
nowen	ok	13:58
laszlof	ok, something is jacked up	14:04
laszlof	I enabled debug on the proxy module for lighttpd	14:04
laszlof	I get nothing in the logs when I try to auth with the token	14:04
laszlof	if I access it directly with a browser, it shows the redirect	14:04
nowen	it doesn't like our token	14:05
laszlof	apparently	14:06
laszlof	though I assume its just a normal post request	14:06
nowen	yes, just a java post request	14:07
laszlof	nowen: does the post request use SSL?	14:22
laszlof	on port 80	14:22
nowen	no, it uses asymmetric encryption	14:22
laszlof	checking with #lighttpd right now.. we're pretty puzzled	14:30
laszlof	can you give me the headers that are sent by the token client	14:32
laszlof	we think it might be something regarding some non-standard headers that are being sent	14:32
laszlof	cause the traffic isnt even hitting lighttpd	14:32
nowen	I don't know and Eric is offline right now. he'd be the best person to ask	14:38
laszlof	I was able to get it in an strace	14:43
laszlof	I think the token client is sending some kind of funky header thats causing a bug in lighttpd	14:44
nowen	causing, or finding? ;)	14:45
laszlof	a bit of both	14:45
laszlof	ideally lighttpd should handle the request	14:45
nowen	I doubt there is anything fancy in the code, probably just java standard. We tend to keep thing simple since we have to work across so many client platforms	14:46
laszlof	yeah	14:46
laszlof	any chance you could give me a snippet of that code from the token client?	14:46
laszlof	are you using a standard java library?	14:46
laszlof	for http requests	14:46
laszlof	or hand codingit	14:46
nowen	I believe so	14:46
laszlof	http://pastebin.com/dPyynfJS	14:48
laszlof	the request itself looks a bit "off"	14:48
laszlof	is http://pastebin.com/MzZpwZkX the java error here to be expected if it cant connect?	15:00
nowen	yes	15:00
laszlof	ok, figured so	15:00
laszlof	works fine with nginx too	15:27
nowen	good to know	15:28
nowen	does nginx or lighthttpd support mod-auth-xxx yet?	15:29
laszlof	?	15:29
nowen	mod-auth-radius, e.g.	15:30
laszlof	ah	15:30
laszlof	I think they have PAM modules	15:31
laszlof	which supports radius	15:31
laszlof	lighttpd has a mod_auth module that supports radius	15:31
laszlof	I'm working with limited RAM on these test servers, so I dont want to use a full blown apache install	15:32
laszlof	particularly since I dont need it, and the web site runs a hell of a lot faster on lighttpd	15:32
laszlof	so I have both lighttpd and nginx running side by side now	15:32
laszlof	lighttpd + php running the website	15:32
laszlof	and nginx acting as a proxy for wikid	15:32
laszlof	the site loads insanely fast on lighttpd :)	15:33
laszlof	http://my2factor.com/	15:33
nowen	https://developers.google.com/speed/pagespeed/insights#url=http_3A_2F_2Fmy2factor.com_2F&mobile=false	15:35
nowen	interesting	15:35
laszlof	its still under development so I havent done a lot of those things yet (like minifying the code)	15:38
nowen	yeah, but it still seems a lot faster than that	15:39
laszlof	thats not an actual "speed" test	15:39
laszlof	it tests various optimizations	15:39
laszlof	not the actual loading speed	15:39
nowen	yeah, ture	15:40
nowen	true	15:40
laszlof	looks like the line endings coming from the http query in the token client uses \n\n	16:35
laszlof	rather than \r\n as defined in the HTTP RFC spec	16:35
laszlof	apache and nginx both seem to silently ignore it and work anyways	16:35
laszlof	lighttpd just barfs on itself	16:35
nowen	hmm	17:04
*** HybridAccess (3eff891d@gateway/web/freenode/ip.62.255.137.29) has joined #wikid		18:41
HybridAccess	any one know if there is a xenserver download for the auth server?	18:41
nowen	HybridAccess: no, sorry.	18:42
nowen	what issue are you having?	18:42
HybridAccess	ok thanks	18:42
nowen	you aren't the first	18:42
HybridAccess	thought as much	18:42
nowen	the iso is based on centos 32 bit, so I don't know what the issue could be	18:43
HybridAccess	the vmware download, is this an appliance or just a bootable iso?	18:43
HybridAccess	sorry i havent rtfm yet	18:43
nowen	we dropped the vmware zip file. all we have now is an iso	18:43
HybridAccess	ok	18:43
HybridAccess	thanks	18:43
HybridAccess	presumably i don't need extensive Linux knowledge to set up using the iso	18:44
nowen	no, you can just run the setup scripts and the rest is web-based	18:44
HybridAccess	ok many thanks	18:45
nowen	i recommend this doc: https://www.wikidsystems.com/support/wikid-support-center/manual/how-to-install-the-wikid-strong-authentication-server/how-to-install-the-wikid-strong-authentication-server-enterprise-edition	18:46
*** HybridAccess has quit (Quit: Page closed)		18:46
laszlof	decided to completely get rid of lighttpd and switched everything over to nginx instead	19:47
laszlof	seems to be working well	19:47
nowen	works for me! ;)	19:47
laszlof	the token clients should probably have the proper line endings and lighttpd should just silently ignore them.. so really faults on both sides	19:48
nowen	yes	19:48
nowen	I've created a minor bug for ti	19:51
laszlof	shouldnt be difficult to fix.	19:52
laszlof	you need a logout button in the wikid admin :)	21:28
nowen	yes	21:28
laszlof	so. As we talked about before, I'm trying to replicate the login action, but it doesnt seem to be taking for some reason	21:29
nowen	the login to WiKIDAdmin?	21:29
laszlof	just getting a bad username/password, even though its correct	21:29
laszlof	yes	21:29
nowen	this is just on your script, right?	21:29
laszlof	yes	21:30
laszlof	I'm doing a curl post to the /WiKIDAdmin/j_security_check	21:30
laszlof	which should be correct	21:30
nowen	could it be accepting the cert?	21:31
laszlof	curl will throw an error if theres a cert issue	21:31
laszlof	I made it ignore invalid certs anyways	21:31
laszlof	just says Invalid username and/or password, please try again.	21:32
nowen	huh	21:33
nowen	what's the curl command?	21:33
nowen	let me try	21:33
laszlof	its in PHP	21:33
laszlof	http://pastebin.com/L8k7Eiqd	21:34
laszlof	i guess I could try with command line curl	21:35
laszlof	one sec	21:35
nowen	that's what I was thinking	21:35
laszlof	heh	21:38
laszlof	HTTP Status 408 - The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and ...	21:38
laszlof	... re-open your browser</u></p><p><b>description</b> <u>The client did not produce a request within the time that the server was prepared to wait (The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser)	21:38
laszlof	I havent a clue why it would do that	21:38
laszlof	it appears instantly	21:39
laszlof	does the same thing from another host directly to the admin (not on the private interface)	21:40
laszlof	ah, the login form sets a session when you visit it	21:41
laszlof	and then checks that session on submit	21:41
* laszlof tries something		21:42
* nowen waits		21:42
laszlof	arg, didnt work	21:52
laszlof	so I access the login page first, grabbed the session ID from there, appended the session ID to the post URL	21:53
laszlof	still get invalid usernamd and/or password	21:53
laszlof	there must be some kind of security measure thats blocking it	21:53
laszlof	nowen: can you check with the developers and see if the login form does any kind of header validation	22:19
nowen	yeah, but i have to head home - 12 year old's bday	22:19
nowen	can you wait til tomorrow?	22:20
laszlof	yeah	22:20
laszlof	i'll do my own investigating	22:20
nowen	ok, thanks	22:20
laszlof	it looks like a standard tomcat login form	22:20
nowen	later	22:20
*** nowen has quit (Quit: Leaving.)		22:20
*** ken5m1th (185b79d7@gateway/web/freenode/ip.24.91.121.215) has joined #wikid		22:31
ken5m1th	hey hey hey	22:31
ken5m1th	u around Nick?	22:31
*** ken5m1th has quit (Quit: Page closed)		22:50

Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!