Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
886
Views
0
Helpful
9
Replies

12.6.2 Reverse Proxy (for Finesse): 404 for non-default path

elias.eggel
Level 1
Level 1

‎06-22-2023 04:16 AM - edited ‎06-22-2023 06:50 AM

Hello

We just upgraded to the 12.6.2 Reverse Proxy that has now an automated installer.

It's proxying without issues when accessing the standard finesse desktop. However if I e.g. want to access static files of "3rdpartygadget" user, I get an 404 error.

OK: https://finesse.lan:8445/desktop 
OK: https://proxy.lan:8445/desktop 
OK: https://finesse.lan:8445/3rdpartygadget/files/myCustomPage.html 
NOK: https://proxy.lan:8445/3rdpartygadget/files/myCustomPage.html 

 

Error 404 - Not Found:

The 404 (Not Found) status code indicates that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists. A 404 status code does not indicate whether this lack of representation is temporary or permanent; the 410 (Gone) status code is preferred over 404 if the origin server knows, presumably through some configurable means, that the condition is likely to be permanent.
 
I tried to modify various files on the host working directory's conf folder (e.g. desktop_proxy) without success.
 
Does anyone know where the allow/block rules can be configured? As the reverse proxy comes with an automated installer, I would prefer to set such rules within the .env files that the installer takes as input parameter.

access.log for that request logs this line:
[22/Jun/2023:15:41:36 +0200] client:"10.36.2.139" host:"proxy.lan" user:"-" server_block:"proxy.lan:8445" request:"GET /3rdpartygadget/files/myCustomPage.html HTTP/2.0" requestid:"-" cache_status:"-" rsp_status:"404(-)" body_bytes_sent:"2027" time_taken:"0.000(-)" up_connect_time:"-"
 
There are no log entries in blocking.log or error.log

Regards
Elias

Labels:
0 Helpful
9 Replies 9

dhiarumu
Cisco Employee
Cisco Employee

‎06-22-2023 05:23 AM

Hi Elias,

Is only html file not accessible via reverse proxy, could please you check the same file is accessible in LAN network?

Regards

Dhina

0 Helpful

elias.eggel
Level 1
Level 1
In response to dhiarumu

‎06-22-2023 06:45 AM - edited ‎06-22-2023 06:48 AM

Hi Dhina

Yes of course it's accessible if I use the direct link to finesse server.

Regards
Elias

PS: I edited my original post slightly to better show what is working and what is not. Also added access.log entry for failed request.

0 Helpful

dhiarumu
Cisco Employee
Cisco Employee

‎06-22-2023 07:12 AM - edited ‎06-22-2023 07:13 AM

Hi Elias,

There is nothing specific added in rules to filter /3rdpartygadgets, all the requests are routed to upstream server. I have tested in my lab the requests are properly routed to upstream. This could be cache issue, could you please clear cache in reverse proxy and try once?

/3rdpartygadget requests served from my reverse proxy:

[16/Jun/2023:13:02:51 +0530] client:"10.65.36.230" host:"somename.cisco.com" user:"-" server_block:"somename.cisco.com:8445" request:"GET /3rdpartygadget/files/SuperSampleGadget.xml HTTP/2.0" requestid:"-" cache_status:"-" rsp_status:"200(200)" body_bytes_sent:"5494" time_taken:"0.001(0.002)" up_connect_time:"0.000"

[16/Jun/2023:13:03:13 +0530] client:"10.65.36.230" host:"somename.cisco.com" user:"-" server_block:"somename.cisco.com:8445" request:"GET /3rdpartygadget/files/testt.html HTTP/2.0" requestid:"-" cache_status:"-" rsp_status:"200(200)" body_bytes_sent:"31" time_taken:"0.001(0.001)" up_connect_time:"0.000"

Regards

Dhina

0 Helpful

elias.eggel
Level 1
Level 1
In response to dhiarumu

‎06-22-2023 11:31 PM

Hi Dhina

Clearing cache didn't seem to work unfortunately.

So I encountered something weird today. When testing I've seen that some files in another path seem to be accessible for some reason from the proxy. I made a copy of one such file and tried to access it but surprisingly that copy couldnt be accessed from the proxy. Any idea about that? File permissions remained the same.. I don't know what else I could check

OK: https://finesse.lan:8445/3rdpartygadget/files/test.txt
NOK: https://proxy.lan:8445/3rdpartygadget/files/copyOfTest.txt

Regards
Elias

0 Helpful

dhiarumu
Cisco Employee
Cisco Employee
In response to elias.eggel

‎06-22-2023 11:48 PM

Elias,

You could try restarting the reverse proxy and check once?

When you copy and access the file, is that the same 404 you get is it?

Regards

Dhina

0 Helpful

elias.eggel
Level 1
Level 1
In response to dhiarumu

‎06-23-2023 03:43 AM

Hi,

Restarting seems to help. This is what I did:

1. clear proxy cache -> file still not available

2. restarting finesse now -> fill still not available

3. restarting container -> fill is AVAILABLE

 

I'll have to monitor this behaviour, but seems to be OK for now at least for what we want to do.

 

The only thing we're struggling with is the NGX_VALID_REFERRERS. We set all the FQDN's but it doesnt seem to work.

For that reason we're currently commenting out returning of "417" status code in server_filters file once the container is deployed/started. Is it possible to just whitelist all domains as this is a lab? Or do you have any other advice what I could check in that direction?

Thanks
Elias

0 Helpful

dhiarumu
Cisco Employee
Cisco Employee
In response to elias.eggel

‎06-23-2023 03:59 AM - edited ‎06-23-2023 04:00 AM

Elias,

We have tested the NGX_VALID_REFERRERS multiple times, it used to work as expected.

For now NGX_VALID_REFERRERS won't support wildcard characters to add all domains in the allowed list.

You could try this: From the browser network tab, you can check the requests that are rejected with the 417, find the referrer header  for the request and append it to theNGX_VALID_REFERRERS and restart reverse proxy.

Regards

Dhina

0 Helpful

elias.eggel
Level 1
Level 1

‎06-29-2023 01:12 AM

Hi Dhina

OK so that NGX_VALID_REFERRERS is working OK now, I missed an entry in the list.

In the meantime however we're still struggling with accessing static files. The behaviour so far seems quite random. E.g. right now the file is uploaded to finesse's 3rdpartygadget user in the base directory and is available always when checking. However the same (html) file in a nested directory is not accessible. On the other hand, I can access other html files within the same subdirectory.

Any idea what could cause this behaviour?

Regards
Elias

0 Helpful

elias.eggel
Level 1
Level 1
In response to elias.eggel

‎07-11-2023 11:47 PM - edited ‎07-11-2023 11:49 PM

Just posting an update after a troubleshooting session yesterday:

After adding some more logging in 3rdpartygadgetresources_list lua script (and restarting finesse and proxy server several times) the issue couldn't be reproduced anymore. I was at this point already once some weeks ago that everything seemed to work.

So with logging enabled we will wait for the issue to be reproducible so logs can be sent for further analysis.

 

// EDIT: here's the command we used to check the list of accessible files on finesse 3rdpartygadget user FROM reverse proxy host:

curl 'https://<finesseServerFQDN>:8445/desktop/api/ResourceURLs?type=3rdParty' -H 'User-Agent: Mozilla/5.0' -k -H 'Host:<proxyServerFQDN>' | tr  ',' '\n'

0 Helpful
Customers Also Viewed These Support Documents