[Rabbit-dev] strange 403 response

Romain Godefroy rgodefroy at thalos.fr
Tue Nov 29 09:41:41 CET 2011 

Hi,

Many thanks for your help.

Here is the configuration :
------------------------------------------------------------------
########## Configuration generale
[rabbit.proxy.HttpProxy]
listen_ip=0.0.0.0
port=28082
logo=http://$proxy/FileSender/public/logo_thalos.png
serverIdentity=ocb_proxy
StrictHTTP=false
http_generator_factory=rabbit.proxy.StandardHttpGeneratorFactory

[logging]
access_log_level=FINEST
access_log=logs/access_log.%g
access_size_limit=1000 # in MB
access_num_files=1
error_log_level=FINEST
error_log=logs/error_log.%g
error_size_limit=1000 # in MB
error_num_files=1

[data_sources]

[dns]
dnsHandler=rabbit.dns.DNSSunHandler

[rabbit.dns.DNSJavaHandler]
dnscachetime=8

[rabbit.io.ConnectionHandler]
keepalivetime=30000
usepipelining=false

[rabbit.proxy.StandardHttpGeneratorFactory]

[rabbit.proxy.FileTemplateHttpGeneratorFactory]
error_pages=htdocs/error_pages

[sslhandler]
allowSSL=443

######### Activation des filtres HTTP
[Filters]
accessfilters=rabbit.filter.AccessFilter
httpinfilters=rabbit.filter.HttpBaseFilter,rabbit.filter.ProxyAuth,rabbit.filter.ReplaceHeaderFilter,rabbit.filter.RevalidateFilter
httpoutfilters=rabbit.filter.HttpBaseFilter
conectfilters=


######### Parametrage des filtres HTTP
[rabbit.filter.AccessFilter]
accessfile=conf/access

[rabbit.filter.HttpBaseFilter]
remove=Connection,Proxy-Connection,Keep-Alive,Public,Transfer-Encoding,Upgrade,Proxy-Authorization,TE,Proxy-Authenticate,Trailer
userfile=conf/users
# cacher les contenus avec un cookie (les sites doivent renvoyer un 
don't cache en cas de données sensibles)
cookieid=false

[rabbit.filter.ProxyAuth]
one_ip_only=false
cachetime=5
authenticator=plain
userfile=conf/allowed

[rabbit.filter.ReplaceHeaderFilter]
# se faire passer pour un mobile
request.User-Agent=Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en-US) 
AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.246 Mobile 
Safari/534.1+

[rabbit.filter.RevalidateFilter]
# ce qui est dans le revalidate est toujours demandé au serveur 
(vérification du cache)
alwaysrevalidate=false
# a regexp matching sites to re-validate
#revalidate=freshmeat.net/$|slashdot.org/$|http://www/$|newsforge.com/$
revalidate=


########## Declaration des handlers sur les content-type
[Handlers]
# recompresser les images en webp
image/.*=rabbit.handler.ImageHandler*webp
# filtrer le html
text/html(;(charset\=.*)?)?=rabbit.handler.FilterHandler
application/xhtml.*=rabbit.handler.FilterHandler
text/xhtml(;(charset\=.*)?)?=rabbit.handler.FilterHandler
# Seulement compresser ces types mimes :
text/plain(;(charset\=.*)?)?=rabbit.handler.GZipHandler
text/xml(;(charset\=.*)?)?=rabbit.handler.GZipHandler
application/xml(;(charset\=.*)?)?=rabbit.handler.GZipHandler
application/postscript(;(charset\=.*)?)?=rabbit.handler.GZipHandler
text/css(;(charset\=.*)?)?=rabbit.handler.GZipHandler
# politique par defaut :
defaulthandler=rabbit.handler.ForbiddenHandler

[CacheHandlers]

[rabbit.cache.NCache]
directory=cache
# sans durée de vie, le cache expire au bout de : (en heures)
cachetime=720
# taille du cache en Mo
maxsize=10000
# temporisation du scrutateur de nettoyage du cache (en secondes)
cleanloop=300


########## Parametrage des handlers sur les content-types
# celui pour le filtre HTML
[rabbit.handler.FilterHandler]

filters=rabbit.filter.ScriptFilter,rabbit.filter.AdFilter
#filters=rabbit.filter.AdFilter
compress=true
repack=true

[rabbit.handler.ImageHandler*webp]
convert=/usr/bin/gm
convertargs=convert -quality 100 -resize "800>" -flatten $filename 
+profile "*" jpeg:$filename && /opt/webp/libwebp/cwebp -m 6  -q 10 
$filename -o $filename.c
min_size=0
force_converted=true

[rabbit.handler.GZipHandler]
compress=true

[rabbit.handler.ForbiddenHandler]


########## Parametrage des filtres HTML
#XXX RGO/GHU : liste pub ?
# The list of evils. A regexp.
[rabbit.filter.AdFilter]
adlinks=[/.]((c|net|ns|surf|page|imag)?ad([svq]|fu|srv|[sz]erver|log|bannercenter|_?click|verts|finity|force|click|tech)?\d*|banner|linkexchange|acc_clickthru|action|vertising)[/.]|gen_addframe|event.ng|/m=|/ad(num|vert|name)?=|/site_id=|support.net|/redir\.|\?assoc=
adreplacer=http://$proxy/FileSender/public/stop.png
---------------------------------------------------------------------------------

We tried to replace defaulthandler=rabbit.handler.ForbiddenHandler with 
BaseHandler but the 403 is still there sometimes.

Romain

Le 28/11/2011 22:09, Robert Olofsson a écrit :
> Hi!
>
> On Mon, 2011-11-28 at 17:40 +0100, Romain Godefroy wrote:
>> For the same ressource, without any change to configuration, sometimes
>> Rabbit return a 403, and not to all clients at the same time.
> That sounds odd.
> I know of only a few different reasons that rabbit start dealing out
> 403 results.
> 1) SSL traffic that is not allowed (by the configuration).
> 2) BlockFilter / SQLBlockFilter
> 3) A path for status pages when you run rabbit as a reverse proxy
>
> You do not say anything about what filters you have enabled so
> it is very hard for me to diagnose it like this.
>
> Can you provide the configuration?
>
> /robo
>
>
>

More information about the Rabbit-dev mailing list