How do I configure proxy for my terminal with v2ray?

With v2ray on macOS 10.13.6, I can access some sites from Chrome but I cannot access those sites from the terminal.

The configuration for v2ray looks like this:

{
    "v": "2",
    "ps": "u8bxx-Azure",
    "add": "xx.acrossgw.info",
    "port": 8088,
    "id": "xxx-b6xxx8954c",
    "aid": "16",
    "net": "ws",
    "type": "none",
    "host": "xxx.acrossgw.info",
    "path": "/data",
    "tls": "tls"
}

Per this post, this command sets the proxy for a terminal session:

export http_proxy="username:password@ip address:port number"

I put this line at the end of my ~/.bash_profile

export http_proxy="xxx-b6xxx8954c:u8bxx-Azure@xx.acrossgw.info:8088"

but I cannot access those sites from the terminal either. What should I do?

redirects – get nginx proxy for https://hostname to work

I’m using nginx to proxy a site internal to our firewall. Right now the following URLs work:
    http://sitename (-> https://sitename.example.com)
    http://sitename.example.com (-> https://sitename.example.com)
    https://sitename.example.com

But https://sitename fails (error below) and I’d like it to work. Is this possible? If so, how?

The nginx.conf file looks like:

server {
    listen 80;
    server_name sitename.example.com;
    return 301 https://sitename.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name sitename.example.com;
    ssl_certificate /etc/letsencrypt/live/sitename.example.com/fullchain.pem;
    ...
    location / {
        proxy_pass http://foo.example.com:3000;
    }
}

I’ve tried inserting sections like this into nginx.conf:

server {
    listen 443 ssl;
    server_name sitename;
    return 301 https://sitename.example.com$request_uri;
}

or:

server {
    listen 443 ssl;
    server_name sitename;
    ssl_certificate /etc/letsencrypt/live/sitename.example.com/fullchain.pem;
    ...
    location / {
        proxy_pass http://foo.example.com:3000;
    }
}

Any of the combinations I’ve tried results in the same error:

$ curl -vL https://sitename
*   Trying 10.0.0.2:443...
* Connected to sitename (10.0.0.2) port 443 (#0)
    ...
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=sitename.example.com
*  start date: May  5 23:18:34 2021 GMT
*  expire date: Aug  3 23:18:34 2021 GMT
*  subjectAltName does not match sitename
* SSL: no alternative certificate subject name matches target host name 'sitename'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

$ echo $?
60
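
The curl failure above is the hostname-matching step of certificate verification, which a redirect in nginx cannot influence because it happens before any HTTP is exchanged. As an added illustration (not from the post), this Python code applies the matching rules curl and browsers use to a constructed stand-in for the certificate shown (SAN and CN both sitename.example.com); `dns_name_matches`, `cert_matches_host` and `verify_name` are my own names.

```python
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate dNSName against a hostname, RFC 6125 style.

    Exact comparison is case-insensitive.  A '*' is accepted only as the whole
    leftmost label, it stands for exactly one label, and the pattern must keep
    at least two labels after it (so '*.com' never matches anything).
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def cert_matches_host(san_dns: List[str], subject_cn: Optional[str], hostname: str) -> bool:
    """Decide whether a certificate is valid for `hostname`.

    As curl and current browsers do, consult only subjectAltName dNSName
    entries when any exist; the CN counts only for a legacy certificate that
    carries no dNSName at all.
    """
    names = san_dns if san_dns else ([subject_cn] if subject_cn else [])
    return any(dns_name_matches(n, hostname) for n in names)


# Constructed stand-in for the certificate in the curl output above; a
# publicly issued certificate can only carry fully qualified names.
SITE_CERT_SANS = ["sitename.example.com"]
SITE_CERT_CN = "sitename.example.com"


def verify_name(hostname: str, san_dns=SITE_CERT_SANS, cn=SITE_CERT_CN) -> str:
    """Return the verdict in the words curl uses for this failure."""
    if cert_matches_host(san_dns, cn, hostname):
        return f"certificate valid for '{hostname}'"
    return f"no alternative certificate subject name matches target host name '{hostname}'"
```

A bare name such as `sitename` can only appear in a certificate from a private CA, since public CAs no longer issue for unqualified internal names; otherwise the short name can only be reached over plain http and redirected, as the working http://sitename case already does.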

smtp – Use HAProxy as a Forward Proxy for PowerMTA

PowerMTA can use HAProxy as a forward proxy to deliver mail using the IP address HAProxy is serving on.

This is not the typical use case of HAProxy because it’s not load balancing, it is connecting THROUGH haproxy to use the IP address that HAProxy is on. They wrote an article about this here:

PowerMTA 5.0: Using a proxy for email delivery

I’ve googled and not found much. The one article I did find is like the opposite of what I want:

Set Up SMTP & IMAP Proxy with HAProxy (Debian, Ubuntu, CentOS)

They say to use the following:

frontend ft_smtp
      bind 12.34.56.78:25
      mode tcp
      timeout client 1m
      log global
      option tcplog
      default_backend bk_smtp

backend bk_smtp
      mode tcp
      log global
      option tcplog
      timeout server 1m
      timeout connect 7s
      server postfix 10.10.10.101:2525 send-proxy

I want to connect to HAProxy on port 2525 and have it act as a proxy for connecting to SMTP servers (e.g. for test@gmail.com).

I am not sure if I explained this well enough; if not, please let me know. Any help would be much appreciated, as I cannot find much online.

linux networking – How can I set up a layer 3 bridge using Proxy ARP such that http requests can be made to the inside/proxied host’s IP successfully?

Currently I am using a Raspberry Pi to bridge an ethernet connected printer to wireless internet and have used DNAT successfully to give the printer internet access, manually forwarding the printer’s port 80 to the Rpi’s wlan0 interface port 80 along with other needed ports to access the printer using outside hosts. I’ve also been able to use Proxy ARP so that the printer’s static IP address is visible on the network, the Pi responding to ARP broadcasts on the printer’s behalf and proxying ARP requests for the printer. What I would like to do is combine the functionality of the DNAT approach with the IP separation provided by Proxy ARP.

The problem is that I cannot figure out how to seamlessly accomplish the needed forwarding/spoofing with the Rpi so that instead of directing requests to the Pi’s port 80, outside hosts can make requests using the printer’s IP directly even if it’s on a different subnet, say 10.1.2.254:80, to access the http page.

Is it possible to accomplish this routing in tandem with Proxy ARP? Are there other approaches that are better suited for this arrangement, or could IP aliases alongside DNAT accomplish this illusion that the printer’s IP and active ports are also present on the network/another network?

apache 2.4 – Proxy to a load balancer automatically add additional path

I’m running httpd 2.4.6 on Red Hat 7.9. I’m trying to get ProxyPass to work with a balancer. Here is my configuration.

Balancer

<Proxy balancer://mycluster>
    BalancerMember http://10.10.12.103:8080
    BalancerMember http://10.10.12.107:8080
</Proxy>

VirtualHost

<VirtualHost *:8080>

    ServerName      www.abcdef.com
    DocumentRoot "/app/httpd/html"

    <Location /heartbeat >
    </Location>

    <Location /up >
        ProxyPass balancer://mycluster/myapp1
        ProxyPassReverse balancer://mycluster/myapp1
    </Location>
    <Location /myapp1 >
        ProxyPass balancer://mycluster/myapp1
        ProxyPassReverse balancer://mycluster/myapp1
    </Location>
    <Location / >
        ProxyPass balancer://mycluster/myapp1
        ProxyPassReverse balancer://mycluster/myapp1
    </Location>

</VirtualHost>

I was hoping all three paths (/, /myapp1 and /up) would be passed to /myapp1 on my backend servers, but I got a 404 error for /myapp1 and /up.

I checked the Tomcat access log and found that something was added to the end of the URL:

[03/May/2021:22:02:45 +0000]|10.10.55.55|10.29.9.6||-|http-bio-8076-exec-4|0|10.10.55.55|-|-|"-"|"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"|"GET /myapp1myapp1/ HTTP/1.1"|404|-
[03/May/2021:22:03:01 +0000]|10.10.55.55|10.29.9.6||-|http-bio-8076-exec-5|0|10.10.55.55|-|-|"-"|"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"|"GET /myapp1up/ HTTP/1.1"|404|-

The URL changed: /up became /myapp1up/ and /myapp1 became /myapp1myapp1/, which obviously do not exist.

I tried researching online and didn’t find anything about this. Could someone with experience of this shed some light on why it behaves this way? Thanks
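
The paths in the Tomcat log follow from how mod_proxy builds the backend URL: the part of the request path after the matched location prefix is appended verbatim to the ProxyPass target, with no slash inserted. Added example, not from the post or from Apache: a Python model of that rule (the function names are my own) that reproduces the two logged paths and shows the matching-trailing-slash form the ProxyPass documentation asks for.

```python
from typing import Dict, Optional


def location_matches(location: str, request_path: str) -> bool:
    """<Location> matching for a non-regex location, per the Apache docs: an
    exact match, or the location (with a slash added if it lacks one) as a
    prefix of the path.  So /up covers /up and /up/..., but not /upload."""
    if request_path == location:
        return True
    prefix = location if location.endswith("/") else location + "/"
    return request_path.startswith(prefix)


def proxy_pass_map(location: str, target: str, request_path: str) -> Optional[str]:
    """ProxyPass inside <Location>: the location is the prefix stripped from the
    request path, and whatever remains is appended verbatim to the target.  No
    slash is ever inserted, which is why the docs ask for matching trailing
    slashes on both sides.  Returns None when the location does not apply."""
    if not location_matches(location, request_path):
        return None
    return target + request_path[len(location):]


# The target used by all three <Location> blocks in the configuration above.
TARGET = "balancer://mycluster/myapp1"


def backend_paths_as_logged() -> Dict[str, Optional[str]]:
    """The two 404 paths from the Tomcat log, as the '/' location produces them."""
    return {p: proxy_pass_map("/", TARGET, p) for p in ("/up/", "/myapp1/")}


def backend_paths_with_slashes() -> Dict[str, Optional[str]]:
    """The same requests once each location and the target end in a slash:
    all three now land on /myapp1/ at the backend."""
    return {"/": proxy_pass_map("/", TARGET + "/", "/"),
            "/up/": proxy_pass_map("/up/", TARGET + "/", "/up/"),
            "/myapp1/": proxy_pass_map("/myapp1/", TARGET + "/", "/myapp1/")}
```

That /myapp1up/ is exactly what the `/` section's mapping yields for /up/ means that section, not the more specific one, handled the request; giving each location and its target the same trailing slash removes the concatenation problem whichever section wins.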

amazon web services – Postfix behind AWS NLB with Proxy Protocol does not send banner until CRLF is sent

I’ve redeployed my mail stack as a Kubernetes pod. This pod is on an EKS cluster in the private subnet, behind an NLB. Postfix and the NLB are configured to speak proxy protocol v2.

Originally I had this setup without proxy protocol, and the Postfix ports responded as expected, immediately sending the Postfix banner upon connect. However, Postfix could not correctly identify the remote server sending mail to it, and it marked everything as spam. So I decided to go the proxy protocol route.

When connecting via telnet, the connection opens, but Postfix does not send its banner. Its banner is not sent until a CRLF is sent (the enter key is pressed); you can send any other character and nothing will happen until the CRLF is sent. This affects the submission port (587) and breaks client connections, as the SMTP protocol requires that the receiving server respond first.

Initial connection:

❯ telnet mx01.example.com 587
Trying x.x.x.x...
Connected to mx01.example.com.
Escape character is '^]'.

After CRLF is sent:

❯ telnet mx01.example.com 587
Trying x.x.x.x...
Connected to mx01.example.com.
Escape character is '^]'.

220 mx01.example.com ESMTP Postfix (Ubuntu)
500 5.5.2 Error: bad syntax


And this is without the Proxy Protocol configuration:

❯ telnet mx01.example.com 587
Trying x.x.x.x...
Connected to mx01.example.com.
Escape character is '^]'.
220 mx01.example.com ESMTP Postfix (Ubuntu)


Versions:

OS: Ubuntu 20.10

Postfix version: 3.5.6-1

Postfix master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
dnsblog   unix  -       -       y       -       0       dnsblog
tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=header_cleanup
  -o smtpd_upstream_proxy_protocol=haproxy
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
header_cleanup unix n   -       -       -       0       cleanup
 -o header_checks=regexp:/etc/postfix/submission_header_cleanup.cf
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
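
With smtpd_upstream_proxy_protocol=haproxy, Postfix expects a PROXY header before it greets, so a connection that arrives without one (a direct telnet, or an NLB listener whose target group does not have the proxy protocol v2 attribute enabled for that port) sits silent until something readable arrives, which matches the behaviour above. Added example, not from the post or from Postfix: a Python builder and parser for the v1 text and v2 binary header forms the protocol defines (`build_v2_header` and `parse_proxy_header` are my own names) over constructed addresses, to check whether the first bytes of a captured connection actually carry a header.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 fixed bytes that open every v2 header


@dataclass
class ProxyInfo:
    version: int
    src: str
    dst: str
    src_port: int
    dst_port: int


def build_v2_header(src: str, dst: str, src_port: int, dst_port: int) -> bytes:
    """PROXY protocol v2 header for TCP over IPv4, the form a load balancer
    with proxy protocol v2 enabled prepends to each forwarded connection."""
    addrs = (socket.inet_aton(src) + socket.inet_aton(dst)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21: version 2, command PROXY; 0x11: AF_INET, SOCK_STREAM
    return V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_header(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Split the first bytes of a connection into (header info, remaining data).

    Returns (None, data) when no PROXY header is present, i.e. the peer opened
    with SMTP or a bare CRLF; a server configured to expect a header would
    keep waiting on such a connection.  Assumes `data` holds the whole header.
    """
    if data.startswith(V2_SIGNATURE):
        ver_cmd, family = data[12], data[13]
        length = struct.unpack("!H", data[14:16])[0]
        body, rest = data[16:16 + length], data[16 + length:]
        if ver_cmd >> 4 != 2 or len(body) != length:
            raise ValueError("malformed or truncated PROXY v2 header")
        if family != 0x11 or length < 12:
            raise ValueError("only TCP over IPv4 is modelled here")
        s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        return ProxyInfo(2, socket.inet_ntoa(s), socket.inet_ntoa(d), sp, dp), rest
    if data.startswith(b"PROXY "):
        line, sep, rest = data.partition(b"\r\n")
        fields = line.decode("ascii", "replace").split(" ")
        if not sep or len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed PROXY v1 line")
        return ProxyInfo(1, fields[2], fields[3], int(fields[4]), int(fields[5])), rest
    return None, data
```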

Messages asking me permission to access the proxy data stored in keychain

When connected to my office network, I keep getting messages asking me permission to access the proxy data stored in keychain. They keep popping up every few minutes (even seconds), no matter what I do.
I enter my keychain password and click on “Always”, but the messages still appear. I click on “Deny” and they still come back!
And if I click on “Deny”, nothing seems to happen: everything works fine all the same… These messages look like they are perfectly useless…
I attach a screenshot.

ssl – NGINX proxy to node server (https to http) ERR_CONNECTION_REFUSED

I want to use NGINX as a reverse proxy to my Node.js application running as a Docker container on port 3000.

My domain name is from freenom and the ssl certificates are generated using certbot.

I have ensured that the security group for my ec2 instance has inbound 443 and 80 open.

I even tried an http -> http proxy in the first server {} block of my config, and that works fine, but https to http does not work.

The log files at /var/log/nginx/access.log and error.log are empty. If I try to access the site via http, the access.log file gets an entry like this:

my_machine_ip - - [01/May/2021:14:35:01 +0530] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.49"

If it is of any importance: I also have a private docker registry running on the server on port 5000 (with ssl) as well as other http services on port 4000 and 9000.

Below is my config at /etc/nginx/sites-available/default.

server {
    listen 80;
    server_name some_domain.com;
    return 301 https://some_domain.com;
}

server {
    listen 443 ssl;
    server_name some_domain.com;
    client_max_body_size 75M;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }

    ssl_certificate /etc/letsencrypt/live/some_domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/some_domain.com/privkey.pem;
    ssl_session_timeout 1h;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=15768000" always;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
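
Apart from the refused connection, the server block above carries settings worth tightening: TLS 1.0 and 1.1 and 3DES cipher groups are still enabled, the RSA+ groups give no forward secrecy, and the port-80 redirect discards the request path. Added example, not from the post: a small Python checker for those points (`lint_nginx_server` and `NGINX_CONF` are my own names), run over a constructed excerpt of the configuration shown.

```python
from typing import List

# Constructed excerpt of the configuration above, reduced to the lines checked.
NGINX_CONF = """
server {
    listen 80;
    return 301 https://some_domain.com;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}      # withdrawn by RFC 7568 / RFC 8996
WEAK_CIPHER_MARKERS = ("3DES", "DES", "RC4", "MD5")   # acceptable only behind a '!' exclusion


def lint_nginx_server(conf: str) -> List[str]:
    """Return one finding per weak directive in `conf` (nginx directive lines)."""
    findings: List[str] = []
    for raw in conf.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if name == "ssl_protocols":
            bad = LEGACY_PROTOCOLS & set(value.split())
            if bad:
                findings.append(f"ssl_protocols enables deprecated {sorted(bad)}")
        elif name == "ssl_ciphers":
            for group in value.split(":"):
                if group.startswith("!"):
                    continue                      # an exclusion, which is fine
                if any(m in group.split("+") for m in WEAK_CIPHER_MARKERS):
                    findings.append(f"ssl_ciphers allows weak group {group}")
                elif group.startswith("RSA+"):    # RSA key exchange: no forward secrecy
                    findings.append(f"ssl_ciphers allows non-PFS RSA key exchange: {group}")
        elif name == "return" and "https://" in value and "$request_uri" not in value:
            findings.append("return redirect drops the request path (append $request_uri)")
    return findings
```

ERR_CONNECTION_REFUSED itself means nothing accepted the connection on 443, which no configuration lint can see; `nginx -t` and `ss -ltnp` on the instance show whether this server block is loaded and actually listening.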

uri – How to prevent proxy URLs in link field from being encoded?

Others appear to have similar issues with Drupal 8/9 encoding URLs in the link field, though I see no solutions.

We’re a library site and have many links for our patrons to external database websites that we link to with proxy URLs such as:

https://somewebsite.com/login?auth=password&url=https://link.gale.com/apps/doc/K1606004825/BIC?u=schools&sid=BIC&xid=2aefeae4

However, Drupal encodes the URL after the second https so it looks like:

https://somewebsite.com/login?auth=password&url=https%3A//link.gale.com/apps/doc/K1606004825/BIC%3Fu%3Dschools&sid=BIC&xid=2aefeae4

which returns an error.

Is there a way to turn off this function or disable URL encoding for the link field?
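
What the receiving proxy sees depends on whether the inner URL's own `&` separators were encoded, not on the `%3A` and `%3F` that Drupal added: in both forms quoted above the inner query's `sid` and `xid` are parsed as parameters of the outer login URL. Added example, not from the post or from Drupal: stdlib Python parsing of both forms next to a fully encoded one; `build_proxy_link`, `inner_url_seen_by_proxy` and `outer_params` are my own names.

```python
from urllib.parse import parse_qs, quote, urlsplit

PROXY_LOGIN = "https://somewebsite.com/login"
INNER = "https://link.gale.com/apps/doc/K1606004825/BIC?u=schools&sid=BIC&xid=2aefeae4"

# Constructed copies of the two forms quoted in the post.
AS_TYPED = f"{PROXY_LOGIN}?auth=password&url={INNER}"
AS_DRUPAL_SAVED = (f"{PROXY_LOGIN}?auth=password&url=https%3A//link.gale.com/apps/doc/"
                   "K1606004825/BIC%3Fu%3Dschools&sid=BIC&xid=2aefeae4")


def build_proxy_link(inner_url: str) -> str:
    """Encode the whole inner URL as one query value, '&', '=' and '?' included,
    so nothing of it can be read as a parameter of the outer URL."""
    return f"{PROXY_LOGIN}?auth=password&url={quote(inner_url, safe='')}"


def inner_url_seen_by_proxy(link: str) -> str:
    """The 'url' value a proxy using a standard query parser receives, i.e. the
    page it will try to forward the patron to (parse_qs percent-decodes it)."""
    return parse_qs(urlsplit(link).query)["url"][0]


def outer_params(link: str) -> list:
    """Parameter names of the outer query; inner names leaking in here is the
    symptom of an unencoded '&' inside the nested URL."""
    return sorted(parse_qs(urlsplit(link).query))
```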

proxy – My news website is banned in one country. Is there a way I can still serve that audience without them having to install any vpn

We have a large news website and one country has banned it. As a result, our readers from that country get an error page put up by that country’s proxy filter, or simply some error.

We have thousands of pages on Google search and we get a lot of traffic from that. But now all those links are broken for audiences from that country.

I wanted to know if we could do any sort of engineering and still serve pages to that audience, like using service workers or perhaps getting a server hosted within the country (I am assuming that their proxy kicks in only for traffic that leaves the country, but I am not sure how such a blocking filter proxy works).

We do fight court battles and win them most of the time but it takes time to fight such bans legally and our site and our audience suffers meanwhile.

Also wanted to know if Google will penalize us for the broken links for that audience.

FYI the majority of the traffic is from that country – like about 70 to 80 percent. So the links break for a majority of the audience coming from Google.

Can we ask Google to redirect all links in their search results to a different domain but the same URL? Temporarily, I mean.