Are there any more thoughts on why my passthroughs are not working?

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]]
Sent: 18 January 2012 14:54
To: [email protected]
Subject: Re: [Packetfence-users] Passthrough list not working

Thanks for your help Olivier,

I am interested in having the passthrough in vlan isolation mode.

Here is the var/conf/httpd.conf

# This file is generated from a template at /usr/local/pf/conf/httpd.conf
# Any changes made to this file will be lost on restart

# Apache configuration
# This file is manipulated on PacketFence's startup before being given to Apache
User pf
Group pf
ServerAdmin [email protected]
ServerTokens Prod
ServerSignature Off
UseCanonicalName Off
Timeout 50
KeepAliveTimeout 10

# PERFORMANCE RELATED
# These values are automatically adjusted by PacketFence based on total system memory
# Feel free to override if you know better
MaxClients 40
# To resist to bursts we start more processes than default and we keep more spares than recommended
StartServers 20
MinSpareServers 10
HostnameLookups off
# to avoid memory leaks over a long period
MaxRequestsPerChild 1000

ServerName pfence01.internal.uwic.ac.uk
Listen 0.0.0.0:80
Listen 0.0.0.0:443
Listen 0.0.0.0:1443
NameVirtualHost *:80
NameVirtualHost *:443

PidFile /usr/local/pf/var/run/httpd.pid
LogFormat "%{User-agent}i" agent
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /usr/local/pf/logs/error_log
AddDefaultCharset UTF-8
AddHandler cgi-script .cgi
TypesConfig /etc/mime.types
AddType .gif image/gif binary
AddType .jpg image/jpg binary
Options Indexes
DirectoryIndex index.html index.cgi index.php

<IfModule !mod_auth_basic.c>
  LoadModule auth_basic_module modules/mod_auth_basic.so
</IfModule>
<IfModule !mod_authn_file.c>
  LoadModule authn_file_module modules/mod_authn_file.so
</IfModule>
<IfModule !mod_authz_user.c>
  LoadModule authz_user_module modules/mod_authz_user.so
</IfModule>
<IfModule !mod_authz_groupfile.c>
  Loadmodule authz_groupfile_module modules/mod_authz_groupfile.so
</IfModule>
<IfModule !mod_rewrite.c>
  LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>
<IfModule !mod_cgi.c>
  LoadModule cgi_module modules/mod_cgi.so
</IfModule>
<IfModule !mod_mime.c>
  LoadModule mime_module modules/mod_mime.so
</IfModule>
<IfModule !mod_dir.c>
  LoadModule dir_module modules/mod_dir.so
</IfModule>
<IfModule !mod_alias.c>
  LoadModule alias_module modules/mod_alias.so
</IfModule>
<IfModule !mod_log_config.c>
  LoadModule log_config_module modules/mod_log_config.so
</IfModule>
<IfModule !mod_ssl.c>
  LoadModule ssl_module modules/mod_ssl.so
</IfModule>
<IfModule !mod_env.c>
  LoadModule env_module modules/mod_env.so
</IfModule>
<IfModule !mod_setenvif.c>
  LoadModule setenvif_module modules/mod_setenvif.so
</IfModule>
<IfModule !mod_proxy.c>
  LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !proxy_http.c>
  LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !mod_authz_host.c>
  LoadModule authz_host_module modules/mod_authz_host.so
</IfModule>
<IfModule !mod_headers.c>
  LoadModule headers_module modules/mod_headers.so
</IfModule>
<IfModule !sapi_apache2.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule !mod_perl.c>
  LoadModule perl_module modules/mod_perl.so
</IfModule>

# -- GLOBAL OPTIONS --
PerlSwitches -I/usr/local/pf/lib
PerlChildInitHandler "sub { srand }"
php_value date.timezone "America/Montreal"
AddType application/x-httpd-php .php

# Prevent Browsers (Chrome and Firefox) to cache DNS while under the captive portal
Header always set X-DNS-Prefetch-Control off

ProxyRequests Off
<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>

RewriteLock /usr/local/pf/var/apache_rewrite_lock

SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/pf/var/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/pf/var/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
  SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0

<VirtualHost *:80>
  DocumentRoot /usr/local/pf/html/captive-portal
  ServerName pfence01.internal.uwic.ac.uk:80

  # Alias, Logs, Access Control, Perl Config
  Include /usr/local/pf/var/conf/captive-portal-common.conf

  # Rules that reduce server load by blocking undesired requests
  Include /usr/local/pf/var/conf/block-unwanted.conf

  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  # NO auto-generated mod_rewrite rules for PacketFence Remediation

  # Captive Portal Clean URLs
  Include /usr/local/pf/var/conf/captive-portal-cleanurls.conf

  # Warning: old cgi style URL deprecated will be removed in an upcoming release
  # Still accepted for a transition period. To be deprecated in 2012.
  ScriptAlias /cgi-bin/ "/usr/local/pf/html/captive-portal/"
  RewriteRule ^/cgi-bin/content/(.*)$ /content/$1 [PT]

  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-selfregistration.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/email_activation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/mobile-confirmation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-management.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/redir.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/release.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/register.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/enabler.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/wispr.cgi
  RewriteCond %{REQUEST_URI} !^/common
  RewriteCond %{REQUEST_URI} !^/content
  RewriteCond %{REQUEST_URI} !^/favicon.ico
  RewriteCond %{REQUEST_URI} !^/proxies
  RewriteCond %{REQUEST_URI} !^/proxy
  RewriteCond %{REQUEST_URI} !^/remediation.php
  # Now using temporary redirects instead of permanent (fixes #757)
  RewriteRule ^.*$ https://pfence01.internal.uwic.ac.uk/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]
</VirtualHost>

<VirtualHost *:443>
  DocumentRoot "/usr/local/pf/html/captive-portal"
  ServerName pfence01.internal.uwic.ac.uk:443

  SSLEngine on
  SSLProxyEngine on
  Include /usr/local/pf/var/conf/ssl-certificates.conf

  # Alias, Logs, Access Control, Perl Config
  Include /usr/local/pf/var/conf/captive-portal-common.conf

  # Rules that reduce server load by blocking undesired requests
  Include /usr/local/pf/var/conf/block-unwanted.conf

  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  # NO auto-generated mod_rewrite rules for PacketFence Remediation

  # Captive Portal Clean URLs
  Include /usr/local/pf/var/conf/captive-portal-cleanurls.conf

  # Warning: old cgi style URL deprecated will be removed in an upcoming release
  # Still accepted for a transition period. To be deprecated in 2012.
  ScriptAlias /cgi-bin/ "/usr/local/pf/html/captive-portal/"
  RewriteRule ^/cgi-bin/content/(.*)$ /content/$1 [PT]

  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-selfregistration.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/email_activation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/mobile-confirmation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-management.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/redir.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/release.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/register.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/enabler.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/wispr.cgi
  RewriteCond %{REQUEST_URI} !^/common
  RewriteCond %{REQUEST_URI} !^/content
  RewriteCond %{REQUEST_URI} !^/favicon.ico
  RewriteCond %{REQUEST_URI} !^/proxies
  RewriteCond %{REQUEST_URI} !^/proxy
  RewriteCond %{REQUEST_URI} !^/remediation.php
  # Now using temporary redirects instead of permanent (fixes #757)
  RewriteRule ^.*$ https://pfence01.internal.uwic.ac.uk/captive-portal?destination_url=https://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]

  ProxyPassReverse /proxies/tools/stinger.exe http://download.nai.com/products/mcafee-avert/stng260.exe
  ProxyPass /proxies/tools/stinger.exe http://download.nai.com/products/mcafee-avert/stng260.exe
</VirtualHost>

<VirtualHost 127.0.0.1:80>
  DocumentRoot /usr/local/pf/html/captive-portal
  ServerName pfence01.internal.uwic.ac.uk:80

  # Alias, Logs, Access Control, Perl Config
  Include /usr/local/pf/var/conf/captive-portal-common.conf

  # Rules that reduce server load by blocking undesired requests
  Include /usr/local/pf/var/conf/block-unwanted.conf

  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  # NO auto-generated mod_rewrite rules for PacketFence Remediation

  # Captive Portal Clean URLs
  Include /usr/local/pf/var/conf/captive-portal-cleanurls.conf

  # Warning: old cgi style URL deprecated will be removed in an upcoming release
  # Still accepted for a transition period. To be deprecated in 2012.
  ScriptAlias /cgi-bin/ "/usr/local/pf/html/captive-portal/"
  RewriteRule ^/cgi-bin/content/(.*)$ /content/$1 [PT]

  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-selfregistration.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/email_activation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/mobile-confirmation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-management.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/redir.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/release.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/register.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/enabler.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/wispr.cgi
  RewriteCond %{REQUEST_URI} !^/common
  RewriteCond %{REQUEST_URI} !^/content
  RewriteCond %{REQUEST_URI} !^/favicon.ico
  RewriteCond %{REQUEST_URI} !^/proxies
  RewriteCond %{REQUEST_URI} !^/proxy
  RewriteCond %{REQUEST_URI} !^/remediation.php
  # Now using temporary redirects instead of permanent (fixes #757)
  # inline_redirect_prefix is controlled by inline.portal_redirect, see the documentation in conf/documentation.conf
  RewriteRule ^.*$ https://pfence01.internal.uwic.ac.uk/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]
</VirtualHost>

<VirtualHost 127.0.0.1:443>
  DocumentRoot "/usr/local/pf/html/captive-portal"
  ServerName pfence01.internal.uwic.ac.uk:443

  SSLEngine on
  SSLProxyEngine on
  Include /usr/local/pf/var/conf/ssl-certificates.conf

  # Alias, Logs, Access Control, Perl Config
  Include /usr/local/pf/var/conf/captive-portal-common.conf

  # Rules that reduce server load by blocking undesired requests
  Include /usr/local/pf/var/conf/block-unwanted.conf

  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  # NO auto-generated mod_rewrite rules for PacketFence Remediation

  # Captive Portal Clean URLs
  Include /usr/local/pf/var/conf/captive-portal-cleanurls.conf

  # Warning: old cgi style URL deprecated will be removed in an upcoming release
  # Still accepted for a transition period. To be deprecated in 2012.
  ScriptAlias /cgi-bin/ "/usr/local/pf/html/captive-portal/"
  RewriteRule ^/cgi-bin/content/(.*)$ /content/$1 [PT]

  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-selfregistration.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/email_activation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/mobile-confirmation.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/guest-management.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/redir.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/release.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/register.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/enabler.cgi
  RewriteCond %{REQUEST_URI} !^/cgi-bin/wispr.cgi
  RewriteCond %{REQUEST_URI} !^/common
  RewriteCond %{REQUEST_URI} !^/content
  RewriteCond %{REQUEST_URI} !^/favicon.ico
  RewriteCond %{REQUEST_URI} !^/proxies
  RewriteCond %{REQUEST_URI} !^/proxy
  RewriteCond %{REQUEST_URI} !^/remediation.php
  # Now using temporary redirects instead of permanent (fixes #757)
  # inline_redirect_prefix is controlled by inline.portal_redirect, see the documentation in conf/documentation.conf
  RewriteRule ^.*$ https://pfence01.internal.uwic.ac.uk/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI} [R=307,L]

  ProxyPassReverse /proxies/tools/stinger.exe http://download.nai.com/products/mcafee-avert/stng260.exe
  ProxyPass /proxies/tools/stinger.exe http://download.nai.com/products/mcafee-avert/stng260.exe
</VirtualHost>

<VirtualHost *:1443>
  DocumentRoot "/usr/local/pf/html/admin"
  ServerName pfence01.internal.uwic.ac.uk:1443

  Alias /favicon.ico /usr/local/pf/html/common/favicon.ico
  Alias /common/ /usr/local/pf/html/common/
  Alias /cgi-bin/pfcmd.cgi /usr/local/pf/bin/pfcmd
  Alias /docs/ /usr/local/pf/docs/

  # Allows previewing captive-portal remediation pages
  SetEnv VHOST ADMIN
  Alias /remediation.php /usr/local/pf/html/captive-portal/remediation.php
  Alias /content/ /usr/local/pf/html/captive-portal/content/

  #LogLevel debug
  CustomLog /usr/local/pf/logs/admin_access_log combined
  ErrorLog /usr/local/pf/logs/admin_error_log

  SSLEngine on
  Include /usr/local/pf/var/conf/ssl-certificates.conf

  RewriteEngine On
  #RewriteLogLevel 3
  #RewriteLog /usr/local/pf/logs/admin_rewrite_log

  # Clean URLS
  RewriteRule ^/guests/manage(.*)$ /guest-management.cgi$1 [PT]
  RewriteRule ^/soh([^.]*)$ /soh.cgi$1 [PT]

  <Location /cgi-bin/pfcmd.cgi>
    SetHandler cgi-script
    Options Indexes FollowSymLinks ExecCGI
  </Location>

  # mod_perl hosted pf::WebAPI (lib/pf/WebAPI.pm)
  PerlPostConfigRequire /usr/local/pf/lib/pf/web/backend_modperl_require.pl
  <Location /webapi>
    SetHandler perl-script
    PerlHandler pf::WebAPI
    # Basic Authentication
    AuthUserFile /usr/local/pf/conf/admin.conf
    AuthGroupFile /dev/null
    AuthName "PacketFence Authentication"
    AuthType Basic
    require valid-user
  </Location>

  <Location /guest-management.cgi>
    SetHandler perl-script
    PerlResponseHandler ModPerl::PerlRun
    PerlOptions +ParseHeaders
    Options Indexes FollowSymLinks ExecCGI
  </Location>

  <LocationMatch /cgi-bin/pfcmd.cgi>
    AuthUserFile /usr/local/pf/conf/admin.conf
    AuthGroupFile /dev/null
    AuthName "PacketFence Authentication"
    AuthType Basic
    require valid-user
  </LocationMatch>

  <Location ~ />
    Options Indexes FollowSymLinks ExecCGI
    #AllowOverride None
    php_value session.save_path "/usr/local/pf/var/session"
    php_value memory_limit "128M"
    #(E_ALL & ~E_NOTICE) = 2047-8
    php_value error_reporting 2039
    php_value short_open_tag On
  </Location>
</VirtualHost>

Thanks again,
Andi

-----Original Message-----
From: Olivier Bilodeau [mailto:[email protected]]
Sent: 18 January 2012 14:24
To: [email protected]
Subject: Re: [Packetfence-users] Passthrough list not working

Passthrough with IPs *won't* work with passthrough=proxy since we perform DNS blackholing on the registration VLAN (rewriting all DNS to the same IP).

As you already noted, squid redirector is to bypass client-side proxy configuration. This is not what you are looking for.

On 18/01/12 5:40 AM, Morris, Andi wrote:
> This is still causing trouble. To troubleshoot I've added:
>
> google=http://www.google.co.uk
>
> under the [passthroughs] section of pf.conf and restarted the
> packetfence services. The new entry appears under the passthroughs
> section of the admin GUI so I'm confident that it has taken effect.
>
> However, I still cannot access www.google.co.uk
> <http://www.google.co.uk>. The captive portal access log shows the
> following (sorry about the long log). It looks to me like
> www.google.co.uk <http://www.google.co.uk> is still being blocked, but
> somehow windows update agent is successfully accessing the internet,
> which is odd as I haven't declared this anywhere.
>

Windows Update Agent is specifically denied by our server rules. What you see is that it is hitting the apache server and that we are returning an error 501.

Can you post your var/conf/httpd.conf?

Also, are you interested on this feature on VLAN isolation or Inline interface?

--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
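Added example (not part of the thread and not PacketFence code): a check that can be run over a generated httpd.conf like the one posted above, reporting for each VirtualHost whether it carries the "NO auto-generated mod_rewrite rules for PacketFence Passthroughs" marker and whether any proxied URL points at a host listed under [passthroughs]. The function names, and the treatment of ProxyPass and [P] RewriteRule lines as the directives that would carry a passthrough, are assumptions; both samples are constructed from values quoted in the thread.

```python
import configparser
import re
from urllib.parse import urlparse

MARKER = "NO auto-generated mod_rewrite rules for PacketFence Passthroughs"
# Constructed samples: the [passthroughs] entry quoted in the thread and an
# abridged excerpt of the generated httpd.conf that was posted.
PF_CONF = "[passthroughs]\ngoogle=http://www.google.co.uk\n"
HTTPD_CONF = """\
<VirtualHost *:80>
  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  RewriteRule ^/cgi-bin/content/(.*)$ /content/$1 [PT]
</VirtualHost>
<VirtualHost *:443>
  # NO auto-generated mod_rewrite rules for PacketFence Passthroughs
  ProxyPass /proxies/tools/stinger.exe http://download.nai.com/products/mcafee-avert/stng260.exe
</VirtualHost>
"""

def passthrough_hosts(pf_conf_text):
    """Map each key of the [passthroughs] section to the hostname of its URL."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pf_conf_text)
    items = cp.items("passthroughs") if cp.has_section("passthroughs") else []
    return {k: urlparse(v).hostname for k, v in items}

def audit_vhosts(conf_text):
    """Per <VirtualHost> block: marker comment present? which URLs are proxied?"""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S | re.I)
    for addr, body in blocks:
        lines = [l.strip() for l in body.splitlines()]
        targets = []
        for line in (l for l in lines if not l.startswith("#")):
            # Assumption: a passthrough shows up as ProxyPass or a RewriteRule with
            # the P flag ([PT] and [R=...] rules are not proxy rules; ProxyPassReverse is skipped).
            m = re.match(r"ProxyPass\s+\S+\s+(\S+)", line, re.I)
            r = re.match(r"RewriteRule\s+\S+\s+(\S+)\s+\[([^\]]*)\]", line, re.I)
            if m:
                targets.append(m.group(1))
            elif r and "P" in [f.strip().upper() for f in r.group(2).split(",")]:
                targets.append(r.group(1))
        marker = any(l.startswith("#") and MARKER in l for l in lines)
        vhosts.append({"vhost": addr, "marker": marker, "targets": targets})
    return vhosts

def missing(pf_conf_text, httpd_conf_text):
    """(passthrough key, vhost) pairs where no proxied URL points at that host."""
    return [(k, v["vhost"]) for k, h in passthrough_hosts(pf_conf_text).items()
            for v in audit_vhosts(httpd_conf_text)
            if not any(urlparse(t).hostname == h for t in v["targets"])]

if __name__ == "__main__":
    print(audit_vhosts(HTTPD_CONF), missing(PF_CONF, HTTPD_CONF), sep="\n")
```

On the constructed samples, both vhosts carry the marker and neither one proxies www.google.co.uk.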
