Re: AOL Proxy Servers not connecting via https - resolved
On Thu, Sep 25, 2003 at 04:48:11PM -0700, Andy Ellifson wrote:
> Actually a /12. But the value of 172.16.0.0 0.15.255.255 has been
> burned into my head for some reason...

yup... s/20/12/ typo...thanks Andy

-ron
AOL Proxy Servers not connecting via https
I'm looking for a clueful person either inside of AOL's NetOps or someone else that can help us.

Problem: Using AOL Dial-Up, through AOL Browser or MSIE, users can connect to our web servers and our clients' web servers via normal http with no problem. If they connect to a secure site (https://) they get 'page can not be displayed' and other errors. We have this issue with Linux/Apache as well as MSIE servers.

Sniffing such connections, we get one of two scenarios:

1. A connection is opened from an AOL proxy server (172.151.135.3 for example) yet no data is transmitted.

2. A connection is opened from an AOL proxy server. What looks like a request is sent (580 bytes) and some response is sent back (5k bytes). Yet the client's browser never gets a website.. The webserver logs an 'error 408' from the request, which is a request timeout.

2 test websites to try from AOL:

https://www.krystal.net   MS
https://www.onrope1.com   Linux/Apache

Clue Bats welcome.

Thank You

--Mike--
Re: AOL Proxy Servers not connecting via https
Last time I checked, SSL connections do not get proxied through the AOL caching servers. They go directly from the client.

172.151.135.3 is not an AOL proxy server, it is an end user IP address that an AOL user gets when they dial in.

cache-rf03.proxy.aol.com is an AOL proxy.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: mike harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 2:24 PM
Subject: AOL Proxy Servers not connecting via https

> I'm looking for a clueful person either inside of AOL's NetOps or someone else that can help us.
>
> Problem: Using AOL Dial-Up, through AOL Browser or MSIE, users can connect to our web servers and our clients' web servers via normal http with no problem. If they connect to a secure site (https://) they get 'page can not be displayed' and other errors. We have this issue with Linux/Apache as well as MSIE servers.
>
> Sniffing such connections, we get one of two scenarios:
>
> 1. A connection is opened from an AOL proxy server (172.151.135.3 for example) yet no data is transmitted.
>
> 2. A connection is opened from an AOL proxy server. What looks like a request is sent (580 bytes) and some response is sent back (5k bytes). Yet the client's browser never gets a website.. The webserver logs an 'error 408' from the request, which is a request timeout.
>
> 2 test websites to try from AOL:
>
> https://www.krystal.net   MS
> https://www.onrope1.com   Linux/Apache
>
> Clue Bats welcome.
>
> Thank You
>
> --Mike--
Re: AOL Proxy Servers not connecting via https
On Thu, 25 Sep 2003, Brian Bruns wrote:
> Last time I checked, SSL connections do not get proxied through the AOL
> caching servers. They go directly from the client.
>
> 172.151.135.3 is not an AOL proxy server, it is an end user IP address that
> an AOL user gets when they dial in.
>
> cache-rf03.proxy.aol.com is an AOL proxy.

Thanks. It seems when the connection swaps from a proxy/cache connection, that the AOL browser gets redirected to another AOL address first, and then goes out. There is a noticeable delay (a second or two) from when the request gets sent, to when we see it on our network.. like an overloaded cache/proxy.

Perhaps AOL is using some kind of transparent proxy.. or maybe it's the Dept of Homeland Security's mystery sniffer (just speculating in wild paranoid mode). Or maybe it's something on our network mangling packets..

But calls to AOL get me nowhere..
Re: AOL Proxy Servers not connecting via https - resolved
A Clue Bat was gently swung by a friendly and clueful (semi-anonymous) AOL NetOps guy who contacted me from my post on Nanog. Thanks Nanog, and this sounds strange from me, but Thanks AOL. :)

And yes, it should have been obvious on my part.. a router was configured with a 172.0.0.0/8 netmask.

..there is what we call an RFC1918 issue. AOL was given some IPs in the 172.16.x.x range by ARIN. These are valid routable IPs, and we use them as IPs for the AOL users' machines (kinda like DHCP). The problem is that some people block all of 172.x.x.x thinking it's only for non-routable IPs when it's only half that range that is non-routable. (172.16.0.0/20 is the routable part). That appears to be the case with this one. We've asked ARIN for a different range, and they told us to go away, so we are stuck with this issue.

If you can ask someone who does firewall and/or router ACLs in front of that website, they should be able to fix the issue.
Re: AOL Proxy Servers not connecting via https - resolved
This might be helpful to people setting up ACLs and the like:

http://webmaster.info.aol.com/proxyinfo.html

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.2mbit.com
ICQ: 8077511

----- Original Message -----
From: mike harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 5:10 PM
Subject: Re: AOL Proxy Servers not connecting via https - resolved

> A Clue Bat was gently swung by a friendly and clueful (semi-anonymous) AOL NetOps guy who contacted me from my post on Nanog. Thanks Nanog, and this sounds strange from me, but Thanks AOL. :)
>
> And yes, it should have been obvious on my part.. a router was configured with a 172.0.0.0/8 netmask.
>
> ..there is what we call an RFC1918 issue. AOL was given some IPs in the 172.16.x.x range by ARIN. These are valid routable IPs, and we use them as IPs for the AOL users' machines (kinda like DHCP). The problem is that some people block all of 172.x.x.x thinking it's only for non-routable IPs when it's only half that range that is non-routable. (172.16.0.0/20 is the routable part). That appears to be the case with this one. We've asked ARIN for a different range, and they told us to go away, so we are stuck with this issue.
>
> If you can ask someone who does firewall and/or router ACLs in front of that website, they should be able to fix the issue.
Re: AOL Proxy Servers not connecting via https - resolved
On Thu, Sep 25, 2003 at 06:11:23PM -0400, Brian Bruns wrote:
> This might be helpful to people setting up ACLs and the like:
>
> http://webmaster.info.aol.com/proxyinfo.html

I think the point that Mike was making is that RFC1918 space is 172.16.0.0/20 not a /8.

-ron
Re: AOL Proxy Servers not connecting via https - resolved
Actually a /12. But the value of 172.16.0.0 0.15.255.255 has been burned into my head for some reason...

---snip---
Page 4

3 Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
---snip---

--- Ron da Silva [EMAIL PROTECTED] wrote:
> On Thu, Sep 25, 2003 at 06:11:23PM -0400, Brian Bruns wrote:
> > This might be helpful to people setting up ACLs and the like:
> >
> > http://webmaster.info.aol.com/proxyinfo.html
>
> I think the point that Mike was making is that RFC1918 space is
> 172.16.0.0/20 not a /8.
>
> -ron
Re: AOL Proxy Servers not connecting via https - resolved
On Thu, 25 Sep 2003, Ron da Silva wrote:
> On Thu, Sep 25, 2003 at 06:11:23PM -0400, Brian Bruns wrote:
> > This might be helpful to people setting up ACLs and the like:
> >
> > http://webmaster.info.aol.com/proxyinfo.html
>
> I think the point that Mike was making is that RFC1918 space is
> 172.16.0.0/20 not a /8.

At least two people have posted incorrectly about 172.16, wrt who has what and how big it is.

Rekhter, et al           Best Current Practice                  [Page 3]
RFC 1918        Address Allocation for Private Internets   February 1996

3. Private Address Space

   The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

AOL has

NetRange:   172.128.0.0 - 172.191.255.255
CIDR:       172.128.0.0/10

NetRange:   172.192.0.0 - 172.211.255.255
CIDR:       172.192.0.0/12, 172.208.0.0/14

and apparently a bunch of other blocks.

--
 Jon Lewis [EMAIL PROTECTED]  |  I route
 Senior Network Engineer      |  therefore you are
 Atlantic Net                 |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
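
Added example, not part of any message in this thread: a check that flags deny entries written as base plus wildcard mask when they cover public space beyond the RFC 1918 blocks, which is the misconfiguration the thread resolved. The function names and the sample deny list are assumptions constructed for illustration; the client address is the one quoted in the thread.

```python
import ipaddress

# RFC 1918 private blocks, as quoted from the RFC in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample deny entries: first the over-broad one, then the /12.
SAMPLE_DENIES = [("172.0.0.0", "0.255.255.255"),
                 ("172.16.0.0", "0.15.255.255"),
                 ("10.0.0.0", "0.255.255.255")]
SAMPLE_CLIENTS = ["172.151.135.3"]  # dial-up client address from the thread

def wildcard_to_network(base, wildcard):
    """Turn a 'base wildcard' pair into a network; contiguous masks only."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is 2**n - 1
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    return ipaddress.ip_network(f"{base}/{32 - wc.bit_length()}")

def public_part(net):
    """Return the sub-blocks of net that lie outside RFC 1918 space."""
    remaining = [net]
    for private in RFC1918:
        kept = []
        for block in remaining:
            if block.subnet_of(private):
                continue  # entirely private, nothing public in it
            if private.subnet_of(block):
                kept.extend(block.address_exclude(private))
            else:
                kept.append(block)  # disjoint from this private range
        remaining = kept
    return sorted(remaining)

def audit(denies, clients):
    """Map each deny entry that covers public space to what it blocks."""
    findings = {}
    for base, wildcard in denies:
        net = wildcard_to_network(base, wildcard)
        public = public_part(net)
        if public:
            hit = [c for c in clients if ipaddress.ip_address(c) in net]
            findings[str(net)] = {"public": [str(p) for p in public],
                                  "clients": hit}
    return findings

if __name__ == "__main__":
    for entry, detail in audit(SAMPLE_DENIES, SAMPLE_CLIENTS).items():
        print(entry, detail)
```

Only the 172.0.0.0/8 entry is reported; the public remainder it blocks includes 172.128.0.0/9, which contains the AOL NetRanges listed above.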