Proxy issues
ThinkBriK opened this issue · comments
Hi, I tried to set http options in /opt/bastillion-ec2/jetty/bastillion/WEB-INF/classes/BastillionConfig.properties but I can't make the AWS client connect:
com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/54.239.29.25] failed: connect timed out
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1163)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1109)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1368)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1335)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1324)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:491)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:464)
at io.bastillion.manage.util.AWSClientConfig.getCredentials(AWSClientConfig.java:141)
at io.bastillion.manage.control.IAMRoleKtrl.validateSaveIAMRole(IAMRoleKtrl.java:85)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at loophole.mvc.base.BaseKontroller.execute(BaseKontroller.java:163)
at loophole.mvc.base.DispatcherServlet.execute(DispatcherServlet.java:75)
at loophole.mvc.base.DispatcherServlet.doPost(DispatcherServlet.java:57)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:867)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:214)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at loophole.mvc.filter.SecurityFilter.doFilter(SecurityFilter.java:96)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at loophole.mvc.filter.CSRFFilter.doFilter(CSRFFilter.java:75)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at io.bastillion.common.filter.AuthFilter.doFilter(AuthFilter.java:123)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: org.apache.http.conn.ConnectTimeoutException: Connect to sts.amazonaws.com:443 [sts.amazonaws.com/54.239.29.25] failed: connect timed out
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
at com.amazonaws.http.conn.$Proxy31.connect(Unknown Source)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1285)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101)
... 67 more
Caused by: java.net.SocketTimeoutException: connect timed out
at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:400)
at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:243)
at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:225)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)
at java.base/java.net.Socket.connect(Socket.java:591)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
... 83 moreContent of BastillionConfig.properties
# cat /opt/bastillion-ec2/jetty/bastillion/WEB-INF/classes/BastillionConfig.properties
#
# Bastillion-EC2 Configuration Options
#
#set to true to regenerate and import SSH keys
resetApplicationSSHKey=false
#SSH key type 'dsa', 'rsa', or 'ecdsa' for generated keys
sshKeyType=rsa
#SSH key length for generated keys. 2048 => 'rsa','dsa'; 521 => 'ecdsa'
sshKeyLength=2048
#private ssh key, leave blank to generate key pair
privateKey=
#public ssh key, leave blank to generate key pair
publicKey=
#default passphrase, leave blank for key without passphrase
defaultSSHPassphrase=${randomPassphrase}
#alarm state select values
alarmState=OK:OK,INSUFFICIENT_DATA:Insufficient Data,ALARM:Alarm
#system status select values
systemStatus=ok:OK,impaired:Impaired,insufficient-data:Insufficient Data,not-applicable:Not-Applicable
#instance status select values
instanceStatus=ok:OK,impaired:Impaired,insufficient-data:Insufficient Data,not-applicable:Not-Applicable
#instance state select values
instanceState=pending:Pending,running:Running,shutting-down:Shutting-down,terminated:Terminated,stopping:Stopping,stopped:Stopped
#default instance state
defaultInstanceState=running
#default system user
defaultSystemUser=ec2-user
#default system port
defaultSystemPort=22
#keep audit logs for in days
deleteAuditLogAfter=90
#The number of seconds that the client will wait before sending a null packet to the server to keep the connection alive
serverAliveInterval=60
#enable audit
enableInternalAudit=false
#default timeout in minutes for websocket connection (no timeout for <=0)
websocketTimeout=0
#enable SSH agent forwarding
agentForwarding=false
#enable two-factor authentication with a one-time password - 'required', 'optional', or 'disabled'
oneTimePassword=optional
#Use private DNS for instances
useEC2PvtDNS=false
#Use private IP for instances
useEC2PvtIP=false
#Regular expression to enforce password policy
passwordComplexityRegEx=((?=.*\\d)(?=.*[A-Z])(?=.*[a-z])(?=.*[!@#$%^&*()_=\\[\\]{};':\"\\|\,.<>\\/?+-]).{8\,20})
#Password complexity error message
passwordComplexityMsg=Passwords must be 8 to 20 characters\, contain one digit\, one lowercase\, one uppercase\, and one special character (Benoit)
#HTTP header to identify client IP Address - 'X-FORWARDED-FOR'
clientIPHeader=
#specify a external authentication module (ex: ldap-ol, ldap-ad). Edit the jaas.conf to set connection details
jaasModule=
#proxy settings for AWS client
awsProtocol=https
awsProxyHost=my.proxy.my.cloud
awsProxyPort=3128
awsProxyUser=
awsProxyPassword=
#Requires JDK with "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" installed - http://www.oracle.com/technetwork/java/javase/downloads/index.html
use256EncryptionKey=false
#Database and connection pool settings
#Database user
dbUser=bastillion
#Database password
dbPassword=AES{PDSzncYQzb/E7Pph9wHFnu6xJ7xxclHl6dL6c7T1hO2YzTuXPfjydQrnj8JmOJ9Q}
#Database JDBC driver
dbDriver=org.h2.Driver
#Connection URL to the DB
dbConnectionURL=jdbc:h2:ec2db/bastillion;CIPHER=AES;
#Max connections in the connection pool
maxActive=25
#When true, objects will be validated before being returned by the connection pool
testOnBorrow=true
#The minimum number of objects allowed in the connection pool before spawning new ones
minIdle=2
#The maximum amount of time (in milliseconds) to block before throwing an exception when the connection pool is exhausted
maxWait=15000
#The session time out value of application in minutes
sessionTimeout=15
# The optional tag on an instance that defines the host user to use
userTagName=bastillion-user
#AWS IAM access key
accessKey=AES{f8PMuVQSZ6ZEwFFaM2o8D3Ja+kgB8Yjs4wXvVVcNTlg=}
#AWS IAM secret key
secretKey=AES{kY8pbOMAXTsvQ1zxKfMZMxX6qCqw6kPcbXiCfOzB53ZupjG1679s39Gs6JxUZjZb}
On the system curl is working OK:
# curl -v -x my.proxy.my.cloud:3128 https://sts.amazonaws.com
* Rebuilt URL to: https://sts.amazonaws.com/
* Trying 10.33.224.106...
* TCP_NODELAY set
* Connected to my.proxy.my.cloud (10.33.224.106) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to sts.amazonaws.com:443
> CONNECT sts.amazonaws.com:443 HTTP/1.1
> Host: sts.amazonaws.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=sts.amazonaws.com
* start date: Jul 19 00:00:00 2019 GMT
* expire date: Jun 29 12:00:00 2020 GMT
* subjectAltName: host "sts.amazonaws.com" matched cert's "sts.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: sts.amazonaws.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 302 Found
< x-amzn-RequestId: ebdf2e58-dbbb-11e9-a90f-d9b337d266b9
< Location: https://aws.amazon.com/iam
< Content-Length: 0
< Date: Fri, 20 Sep 2019 15:32:56 GMT
<
* Connection #0 to host my.proxy.my.cloud left intact