Environment:
HP DL360 G5
RHEL3.4.5-2
Sun JES Proxy Server Version: 4.0.3 B05/21/2006 22:49
Symptom:
No user on bjproxy can use the SOCKS proxy; every attempt logs:
[03/Feb/2007:13:55:41] 000 debug: new socket accepted[1]
[03/Feb/2007:13:55:41] 002 debug: request from 192.168.221.117:4885
[03/Feb/2007:13:55:41] 002 warning: socks4 request from 192.168.221.117:4885 can’t authenticate
[03/Feb/2007:13:55:41] 000 debug: new socket accepted[1]
[03/Feb/2007:13:55:41] 003 debug: request from 192.168.221.117:4886
[03/Feb/2007:13:55:41] 003 debug: auth: userpass
[03/Feb/2007:13:55:41] 003 debug: authentication type 2 successful for testmail
[03/Feb/2007:13:55:41] 003 debug: request 1 to 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 request: testmail 5 connect: denied 192.168.221.117:4886 -> 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 FATAL: Error : 2 [2364487233:1863]
[03/Feb/2007:13:55:41] 002 debug: request from 192.168.221.117:4885
[03/Feb/2007:13:55:41] 002 warning: socks4 request from 192.168.221.117:4885 can’t authenticate
[03/Feb/2007:13:55:41] 000 debug: new socket accepted[1]
[03/Feb/2007:13:55:41] 003 debug: request from 192.168.221.117:4886
[03/Feb/2007:13:55:41] 003 debug: auth: userpass
[03/Feb/2007:13:55:41] 003 debug: authentication type 2 successful for testmail
[03/Feb/2007:13:55:41] 003 debug: request 1 to 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 request: testmail 5 connect: denied 192.168.221.117:4886 -> 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 FATAL: Error : 2 [2364487233:1863]
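Analysis:
The manual and help files are poorly written and contain essentially no useful information. Reviewing earlier logs showed that the error code is the same one that appears when a user is outside the permitted address range.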
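A triage sketch for the log excerpt above, added here as an example and not taken from the original note or from the proxy's own tooling: it groups lines by the three-digit worker id, separates clients that could not authenticate from users who authenticated but were denied, and decodes the integer in the FATAL line. Assumptions: the worker id identifies one session within the excerpt, and the bracketed integer is the destination IPv4 address printed in little-endian order (2364487233 decodes to 65.54.239.140, the denied destination).

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: one pass of the log lines quoted on this page.
SAMPLE_LOG = """\
[03/Feb/2007:13:55:41] 002 debug: request from 192.168.221.117:4885
[03/Feb/2007:13:55:41] 002 warning: socks4 request from 192.168.221.117:4885 can’t authenticate
[03/Feb/2007:13:55:41] 003 debug: request from 192.168.221.117:4886
[03/Feb/2007:13:55:41] 003 debug: auth: userpass
[03/Feb/2007:13:55:41] 003 debug: authentication type 2 successful for testmail
[03/Feb/2007:13:55:41] 003 debug: request 1 to 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 request: testmail 5 connect: denied 192.168.221.117:4886 -> 65.54.239.140:1863
[03/Feb/2007:13:55:41] 003 FATAL: Error : 2 [2364487233:1863]
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<tid>\d{3}) (?P<level>\w+): (?P<msg>.*)$")

def decode_addr(n):
    # Assumption: the FATAL line prints the IPv4 address as a little-endian integer.
    return socket.inet_ntoa(struct.pack("<I", n))

def triage(log_text):
    sessions = defaultdict(dict)  # worker id -> facts collected for that session
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s, msg = sessions[m["tid"]], m["msg"]
        if a := re.match(r"authentication type \d+ successful for (\S+)", msg):
            s["user"] = a[1]
        elif re.search(r"can.t authenticate", msg):  # tolerate ' or ’
            s["auth_failed"] = True
        elif d := re.match(r"(\S+) \d+ connect: (\w+) (\S+) -> (\S+)", msg):
            s.update(decision=d[2], src=d[3], dst=d[4])
        elif f := re.match(r"Error : (\d+) \[(\d+):(\d+)\]", msg):
            s["fatal"] = (int(f[1]), f"{decode_addr(int(f[2]))}:{f[3]}")
    findings = []
    for tid, s in sorted(sessions.items()):
        if s.get("auth_failed"):
            findings.append((tid, "client could not authenticate"))
        elif s.get("user") and s.get("decision") == "denied":
            findings.append((tid, f"{s['user']} authenticated but rule denied {s['src']} -> {s['dst']}"))
    return sessions, findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]: print(finding)
```

The second finding is the one that matters for this fault: authentication succeeded, so the denial comes from a connection rule rather than from the credentials.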
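Resolution:
Changing
require user-password | all | - | - | - | - | - | deny |
to:
require user-password | all | - | - | - | - | - | permit |
made the fault disappear.
Testing after the change showed that internal clients can connect, while external access fails with: FATAL: Error : 2.
OK, goal achieved.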
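Open questions:
1. In the SOCKS configuration, both Set SOCKS v5 Authentication and Set SOCKS v5 Connections have an IP address restriction field. What is the difference between these two restrictions? Does applying both at the same time cause any problems?
2. After deleting the modified table entry above, the fault was the same as before. Since no in-depth explanation of the IP restriction part could be found, the only option was to keep the entry and add a restriction to port 1863 to it, to minimize the security risk.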
require user-password | all | - | - | - | 1863 | - | permit |