cyrus http proxy in murder HTTP/1.1 403 Forbidden

Jean-Christophe Delaye Jean-Christophe.Delaye at eurecom.fr
Thu Apr 4 09:42:31 EDT 2019


On 4/2/19 7:15 PM, Ken Murchison wrote:
> 
> On 4/2/19 1:02 PM, Jean-Christophe Delaye wrote:
>> Hello,
>>
>> We're testing Cyrus 3.0.9 in a murder configuration.
>> It works fine for imap/imaps services. I can access mailboxes from
>> different frontends, and move mailboxes from one backend to another!
>>
>> I'm now blocked with the calendar features in this configuration.
>> It works fine in both read and write mode directly from the backend.
>>
>> http://backend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 204 No Content"
>>
>> I've configured http/https also on the frontend to enable accessing
>> calendars from there:
>>
>> http://frontend.eurecom.fr/dav/calendars/user/xxxx/Default/
>>
>> It works perfectly in read-only mode from the frontend, but if I try to
>> make some changes, it does not complete, with a Forbidden message.
>>
>> "PUT
>> /dav/calendars/user/xxxx/Default/8d6377bb-7c3f-4a55-a183-a05dae6fce0d.ics
>> HTTP/1.1" (if-match="970dfe515581407e1f4eeaa887316530b3ef3020") =>
>> "HTTP/1.1 403 Forbidden"
> 
Thanks for your reply.
I've activated telemetry and debug mode on both frontend and backend.

My feeling is that the frontend does not forward to the selected backend when
operating in WRITE mode [:method: PUT] (I can't see an authentication request
on the backend nor network activity between them while monitoring with
snoop).

But it works fine when just accessing and browsing the calendar without
modification [:method: PROPFIND] or even deleting events [:method: DELETE].

http log for user xxxx on backend:

<1554373427<REPORT /dav/calendars/user/xxxx/Default/ HTTP/1.1
Host: backend.eurecom.fr
Via: 2 frontend.eurecom.fr (Cyrus/3.0.9)
Forwarded:
proto=https;host=backend.eurecom.fr;for=172.17.20.150;for=192.168.106.207

I've attached the complete http sequence on the frontend before and
after the 403 response.

Thank you.

> 
> Is there any body in the 403 response with more information?  You might
> have to enable telemetry on the backend.
> 
> Is the frontend proxy authenticating as the owner of the calendar? 
> Check the cyrus log on the backend.
> 
> 
>> I've compiled backend and frontend with the same options
>>
>> Server: Cyrus-HTTP/3.0.9 Cyrus-SASL/2.1.26 OpenSSL/1.0.0 Nghttp2/1.35.0
>> Zlib/1.2.11 LibXML2.9.5 SQLite/3.24.0 LibiCal/3.0 ICU4C/59.1 Jansson/2.10
>> WWW-Authenticate: Basic realm="frontend.eurecom.fr"
>> DAV: 1, 2, 3, access-control, extended-mkcol, resource-sharing
>> DAV: calendar-access, calendar-auto-schedule
>> DAV: calendar-query-extended, calendar-availability,
>> calendar-managed-attachments
>> DAV: calendarserver-sharing, inbox-availability
>> DAV: addressbook
>> Allow: OPTIONS, GET, HEAD, POST, PUT, PATCH, DELETE, TRACE
>> Allow: PROPFIND, REPORT, COPY, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, ACL
>> Allow: MKCALENDAR
>> Content-Length: 0
>>
>> The question is:
>> Are there specific configuration parameters to enable proxy http/https in
>> a murder configuration? I can't find useful information in the
>> documentation. I've seen the interactive HTTP test program httptest, but
>> can't find parameters to simulate calendar clients.
>>
>> Thank you
>>
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
> 
> 

-------------- next part --------------
cyrus/https[1651]: [ID 560950 local3.debug] tls_client_ca_dir=(NULL) tls_client_ca_file=/global/cyrus/etc/ssl/DigiCertCA.crt
cyrus/https[1651]: [ID 810032 local3.debug] tls_server_cert=/global/cyrus/etc/ssl/imap_eurecom_fr.crt tls_server_key=/global/cyrus/etc/ssl/imap.eurecom.fr.key
cyrus/https[1651]: [ID 817102 local3.notice] inittls: Loading hard-coded DH parameters
cyrus/https[1651]: [ID 495959 local3.debug] Set client CA list: Client cert requested, not required
cyrus/https[1651]: [ID 704172 local3.debug] TLS Server Name Indication (SNI) Extension: "imap.eurecom.fr"
cyrus/https[1651]: [ID 574029 local3.debug] SSL_accept() incomplete -> wait
cyrus/https[1651]: [ID 867439 local3.debug] SSL_accept() succeeded -> done
cyrus/https[1651]: [ID 702911 local3.notice] starttls: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits new) no authentication; application protocol = h2
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(15): 0
cyrus/https[1651]: [ID 739106 local3.debug] ret: 0, eof: 0, want read: 1
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 148, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 430, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 611534 local3.debug] http2_begin_headers_cb(id=15, type=1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:method: PUT)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:path: /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:authority: imap.eurecom.fr)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(:scheme: https)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept: text/xml)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-language: en-GB,en;q=0.5)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-encoding: gzip, deflate, br)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(accept-charset: utf-8,*;q=0.1)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-length: 9332)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(content-type: text/calendar; charset=utf-8)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(if-match: "50ab3d1a71c68976f2738e4c7a8276f8d41d4468")
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cookie: SESS2f0096f341f49daa238064955414f109=k69uvq1krqi679tguccttm2qs0)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(authorization: Basic c3RhbmRhcmQ6SGVyc2VsLg==)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(pragma: no-cache)
cyrus/https[1651]: [ID 235260 local3.debug] http2_header_cb(cache-control: no-cache)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=1, flags=0x24
cyrus/https[1651]: [ID 364641 local3.debug] conn flags: 0  upgrade flags: 0  tls req: 0
cyrus/https[1651]: [ID 909740 local3.debug] http_auth: status=0   scheme=''   creds='Basic <response>'
cyrus/https[1651]: [ID 796571 local3.debug] http_auth: find client scheme
cyrus/https[1651]: [ID 113398 local3.debug] http_auth: found matching scheme: Basic
cyrus/https[1651]: [ID 564409 local3.notice] login: anjou.eurecom.fr [172.17.20.150] xxxx Basic+TLS User logged in SESSIONID=<cyrus-1651-1554383568-1-6250751509654826835>
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=8, flags=0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4087, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 4096, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=4096, txnflags=0)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 1149, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 809992 local3.debug] http2_data_chunk_recv_cb(id=15, len=1149, txnflags=0)
cyrus/https[1651]: [ID 572367 local3.debug] http2_frame_recv_cb(id=15, type=0, flags=0x1
cyrus/https[1651]: [ID 133476 local3.debug] write_body(code = -1964266992, flags.te = 0, len = 0)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(:status: 403)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Date: Thu, 04 Apr 2019 13:12:49 GMT)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Strict-Transport-Security: max-age=600)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Cache-Control: no-cache)
cyrus/https[1651]: [ID 204120 local3.debug] simple_hdr(Content-Length: 0)
cyrus/https[1651]: [ID 518894 local3.debug] end_resp_headers(code = -1964266992, len = 0, flags.te = 0)
cyrus/https[1651]: [ID 829378 local3.debug] nghttp2_submit headers(id=15, flags=0x1)
cyrus/https[1651]: [ID 702911 local3.info] anjou.eurecom.fr [172.17.20.150] as "xxxx" with "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 Lightning/6.2.5"; "PUT /dav/calendars/user/xxxx/Default/040000008200E00074C5B7101A82E008000000006007B06BAC90D40100000000000000001000000007FC4F557397EF40A2F49271F210CC15.ics HTTP/2" (if-match="50ab3d1a71c68976f2738e4c7a8276f8d41d4468") => "HTTP/2 403 Forbidden"
cyrus/https[1651]: [ID 334236 local3.debug] nghttp2_submit_data(id=15, len=0, outlen=0, flags=0x1)
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(9): 0
cyrus/https[1651]: [ID 652924 local3.debug] http2_send_cb(63): 0
cyrus/https[1651]: [ID 640762 local3.debug] http2_stream_close_cb(id=15)
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = 9, eof = 0, err = '', errno = 0
cyrus/https[1651]: [ID 545980 local3.debug] http2_recv_cb(16384): n = -504, eof = 0, err = '', errno = 11
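
An added example, not part of the original post or of Cyrus itself: a small parser for frontend debug lines in the format of the attachment above. It pairs each HTTP/2 stream's method and path with the status the frontend returned, and masks Authorization and Cookie values so the log can be shared on a public list. The sample lines are constructed, and attributing headers to the most recent `http2_begin_headers_cb` of the same process is an assumption.

```python
import re

BEGIN = re.compile(r"\[(\d+)\]: .*http2_begin_headers_cb\(id=(\d+),")
HDR = re.compile(r"\[(\d+)\]: .*http2_header_cb\((:?[^:]+): (.*)\)$")
STATUS = re.compile(r"\[(\d+)\]: .*simple_hdr\(:status: (\d+)\)")
SUBMIT = re.compile(r"\[(\d+)\]: .*nghttp2_submit headers\(id=(\d+),")
SECRET = {"authorization", "proxy-authorization", "cookie"}

def analyze(lines):
    """Assumes headers belong to the latest http2_begin_headers_cb of that pid."""
    streams, current, pending, out = {}, {}, {}, []
    for line in lines:
        if m := BEGIN.search(line):
            current[m[1]] = key = (m[1], int(m[2]))
            streams[key] = {"method": None, "path": None, "status": None}
        elif m := HDR.search(line):
            pid, name, value = m[1], m[2].lower(), m[3]
            if name in SECRET:  # keep the auth scheme, drop the credential
                keep = value.split(" ", 1)[0] + " " if name != "cookie" else ""
                line = line[:m.start(3)] + keep + "[REDACTED]" + line[m.end(3):]
            elif name in (":method", ":path") and pid in current:
                streams[current[pid]][name[1:]] = value
        elif m := STATUS.search(line):
            pending[m[1]] = int(m[2])  # status is logged before the stream id
        elif (m := SUBMIT.search(line)) and m[1] in pending:
            streams.setdefault((m[1], int(m[2])), {})["status"] = pending.pop(m[1])
        out.append(line)
    return streams, out

def forbidden(streams):
    return [(s.get("method"), s.get("path")) for s in streams.values() if s.get("status") == 403]

# Constructed sample lines in the attachment's format (not taken from the post)
SAMPLE = """\
cyrus/https[100]: [ID 1 local3.debug] http2_begin_headers_cb(id=3, type=1)
cyrus/https[100]: [ID 2 local3.debug] http2_header_cb(:method: PROPFIND)
cyrus/https[100]: [ID 2 local3.debug] http2_header_cb(authorization: Basic Q09OU1RSVUNURUQ=)
cyrus/https[100]: [ID 3 local3.debug] simple_hdr(:status: 207)
cyrus/https[100]: [ID 4 local3.debug] nghttp2_submit headers(id=3, flags=0x0)
cyrus/https[100]: [ID 1 local3.debug] http2_begin_headers_cb(id=5, type=1)
cyrus/https[100]: [ID 2 local3.debug] http2_header_cb(:method: PUT)
cyrus/https[100]: [ID 2 local3.debug] http2_header_cb(:path: /dav/calendars/user/alice/Default/x.ics)
cyrus/https[100]: [ID 2 local3.debug] http2_header_cb(cookie: SESSx=constructed-session)
cyrus/https[100]: [ID 3 local3.debug] simple_hdr(:status: 403)
cyrus/https[100]: [ID 4 local3.debug] nghttp2_submit headers(id=5, flags=0x1)
""".splitlines()

if __name__ == "__main__":
    print(forbidden(analyze(SAMPLE)[0]))
```

Running the same functions over the backend's log for the same time window shows whether a refused write ever reached it.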

