Proxy rule for CE
I have one CE configured as a transparent proxy for the clients. The DNS is located in SP. There is one intranet web site that requires a special proxy. The DNS does not know anything about this site.
I created a proxy rule in the CE, but it does not work. I sniffed the traffic and I see that the CE still first of all tries to resolve the IP address with DNS, instead of redirecting this traffic to a different proxy.
The rule looks as:
rule enable
rule action use-proxy 168.192.1.17 8080 pattern-list 10 protocol all
rule pattern-list 10 url-regex \http://home.intranet.client.com/
Does somebody have suggestions on what to do?
Natalia,
Have you verified that the requests actually go to the server instead of the proxy, or only that the CE is doing a DNS lookup? Below is what the documentation states for rules, so it might be important to see what the proxy request looks like.
Michael Voight
CSE
If a rule is configured with a fully qualified domain name (FQDN) and a request is received with the partial domain name in transparent mode, the rule fails to be executed, because the FQDN is not in the request URL. In transparent mode, if a request is destined for a particular domain (for which a domain rule is configured) and does not contain the Host header, the rule pattern match fails.
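The documentation excerpt above can be illustrated offline. This is an added example, not Cisco code and not part of the original posts: it rebuilds the URL a transparent interceptor has to match from the request line and Host header, then tests it against the FQDN pattern from the rule. The request bytes, the destination address 192.0.2.10, the cleaned-up regex and the fallback to the destination IP are assumptions made for the illustration.

```python
import re

# FQDN pattern from the posted rule, without the stray leading backslash and
# with the dots escaped (an assumption about the intended regex).
RULE_REGEX = re.compile(r"http://home\.intranet\.client\.com/")

# Constructed requests as a transparently intercepted client would send them.
CONSTRUCTED_REQUESTS = {
    "fqdn_host": b"GET /index.html HTTP/1.1\r\nHost: home.intranet.client.com\r\n\r\n",
    "partial_host": b"GET /index.html HTTP/1.1\r\nHost: home\r\n\r\n",
    "no_host_header": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def effective_url(raw_request: bytes, dst_ip: str) -> str:
    """Rebuild the URL that a URL-based rule is matched against.

    Intercepted clients send an origin-form request line ("GET /path ..."),
    so the host part can only come from the Host header. Falling back to the
    destination IP when Host is missing is an assumption of this sketch.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    if target.lower().startswith("http://"):
        return target  # absolute-form: the client was explicitly configured
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return f"http://{host or dst_ip}{target}"


def rule_matches(raw_request: bytes, dst_ip: str = "192.0.2.10") -> bool:
    """True if the rebuilt URL matches the FQDN pattern of the rule."""
    return RULE_REGEX.search(effective_url(raw_request, dst_ip)) is not None


def evaluate() -> dict:
    """Run the rule against every constructed request."""
    return {name: rule_matches(req) for name, req in CONSTRUCTED_REQUESTS.items()}


if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:15s} rule matched: {matched}")
```

Capturing one real request on the CE side and checking its Host header against the pattern is the equivalent check on live traffic.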
Similar Messages
-
Apache Reverse rule for BSP application to run in Portal
Dear Expert,
In my portal landscape we are using a reverse proxy and have written some rewrite rules in the conf file.
All my applications other than BSPs are working fine. I am not able to figure out what went wrong in my reverse proxy rule
for the BSP application. Can anyone help me please?
My reverse proxy rule is as follows -
<VirtualHost XX.XX.XX.XX:443>
ServerAdmin webmaster@MDCLINUXHYPERV
ServerName etenderqua.harmony.co.in
DocumentRoot /var/www/html/ssl/irj
ProxyRequests Off
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 900
RequestHeader set ClientProtocol https
RewriteEngine On
RewriteLogLevel 9
# Portal Rewrite Rules
RewriteRule ^/(irj\(.*) http://mdcqa7.hardev.com:50000/irj/$1 [P,L]
RewriteRule ^/(webdynpro\(.*) http://mdcqa7.hardev.com:50000/webdynpro/$1 [P,L]
RewriteRule ^/(logon\(.*) http://mdcqa7.hardev.com:50000/logon/$1 [P,L]
RewriteRule ^/(rtmfCommunicator\(.*) http://mdcqa7.hardev.com:50000/rtmfCommunicator/$1 [P,L]
# SRM Rewrite Rules
RewriteRule ^/(cfol1\(.*) http://mdcqa3.hardev.com:8000/cfol1/$1 [P,L]
RewriteRule ^/(sap\(.*) http://mdcqa3.hardev.com:8000/sap/$1 [P,L]
RewriteRule ^/(webdynpro\(.*) http://mdcqa3.hardev.com:8000/webdynpro/$1 [P,L]
RewriteRule ^/(rtmfCommunicator\(.*) http://mdcqa3.hardev.com:8000/rtmfCommunicator/$1 [P,L]
RewriteRule ^/(srm7\(.*) http://mdcqa3.hardev.com:8000/srm7/$1 [P,L]
RewriteRule ^/(zbidder\(.*) http://mdcqa3.hardev.com:8000/zbidder/$1 [P,L]
# ECC Rewrite Rules
RewriteRule ^/(ecc\(.*) http://mdcqa1.hardev.com:8000/ecc/$1 [P,L]
RewriteRule ^/(sap\(.*) http://mdcqa1.hardev.com:8000/sap/$1 [P,L]
RewriteRule ^/(webdynpro\(.*) http://mdcqa1.hardev.com:8000/webdynpro/$1 [P,L]
RewriteRule ^/(rtmfCommunicator\(.*) http://mdcqa1.hardev.com:8000/rtmfCommunicator/$1 [P,L]
# BI Rewrite Rules
RewriteRule ^/(bi\(.*) http://mdcqa5.hardev.com:8000/bi/$1 [P,L]
RewriteRule ^/(sap\(.*) http://mdcqa5.hardev.com:8000/sap/$1 [P,L]
RewriteRule ^/(webdynpro\(.*) http://mdcqa5.hardev.com:8000/webdynpro/$1 [P,L]
RewriteRule ^/(rtmfCommunicator\(.*) http://mdcqa5.hardev.com:8000/rtmfCommunicator/$1 [P,L]
# SSL Configuration
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
SSLCertificateFile /etc/pki/tls/certs/etender.crt
SSLCertificateKeyFile /etc/pki/tls/certs/etender.key
# Portal Proxy Pass Rules
ProxyPass /irj http://mdcqa7.hardev.com:50000/irj
ProxyPassReverse /irj http://mdcqa7.hardev.com:50000/irj
ProxyPass /webdynpro http://mdcqa7.hardev.com:50000/webdynpro
ProxyPassReverse /webdynpro http://mdcqa7.hardev.com:50000/webdynpro
ProxyPass /logon http://mdcqa7.hardev.com:50000/logon
ProxyPassReverse /logon http://mdcqa7.hardev.com:50000/logon
ProxyPass /rtmfCommunicator http://mdcqa7.hardev.com:50000/rtmfCommunicator
ProxyPassReverse /rtmfCommunicator http://mdcqa7.hardev.com:50000/rtmfCommunicator
# SRM Proxy Pass Rules
ProxyPass /sap http://mdcqa3.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa3.hardev.com:8000/sap
ProxyPass /cfol1 http://mdcqa3.hardev.com:8000/cfol1
ProxyPassReverse /cfol1 http://mdcqa3.hardev.com:8000/cfol1
ProxyPass /srm7 http://mdcqa3.hardev.com:8000/srm7
ProxyPassReverse /srm7 http://mdcqa3.hardev.com:8000/srm7
ProxyPass /zbidder http://mdcqa3.hardev.com:8000/zbidder
ProxyPassReverse /zbidder http://mdcqa3.hardev.com:8000/zbidder
ProxyPass /webdynpro http://mdcqa3.hardev.com:8000/webdynpro
ProxyPassReverse /webdynpro http://mdcqa3.hardev.com:8000/webdynpro
ProxyPass /rtmfCommunicator http://mdcqa3.hardev.com:8000/rtmfCommunicator
ProxyPassReverse /rtmfCommunicator http://mdcqa3.hardev.com:8000/rtmfCommunicator
# ECC Proxy Pass Rules
ProxyPass /ecc http://mdcqa1.hardev.com:8000/ecc
ProxyPassReverse /ecc http://mdcqa1.hardev.com:8000/ecc
ProxyPass /sap http://mdcqa1.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa1.hardev.com:8000/sap
ProxyPass /webdynpro http://mdcqa1.hardev.com:8000/webdynpro
ProxyPassReverse /webdynpro http://mdcqa1.hardev.com:8000/webdynpro
ProxyPass /rtmfCommunicator http://mdcqa1.hardev.com:8000/rtmfCommunicator
ProxyPassReverse /rtmfCommunicator http://mdcqa1.hardev.com:8000/rtmfCommunicator
# BI Proxy Pass Rules
ProxyPass /bi http://mdcqa5.hardev.com:8000/bi
ProxyPassReverse /bi http://mdcqa5.hardev.com:8000/bi
ProxyPass /sap http://mdcqa5.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa5.hardev.com:8000/sap
ProxyPass /webdynpro http://mdcqa5.hardev.com:8000/webdynpro
ProxyPassReverse /webdynpro http://mdcqa5.hardev.com:8000/webdynpro
ProxyPass /rtmfCommunicator http://mdcqa5.hardev.com:8000/rtmfCommunicator
ProxyPassReverse /rtmfCommunicator http://mdcqa5.hardev.com:8000/rtmfCommunicator
# Error Logs
ErrorLog logs/qua.portal.domain.com-error_log
CustomLog logs/qua.portal.domain.com-access_log common
RewriteLog logs/qua.portal.domain_unsecured_rewrite.log
</VirtualHost>
Dear Keseli,
Now I am facing one more issue.
My rules are as follows:
SRM Rewrite rule -
RewriteRule ^/(sap\(.*) http://mdcqa5.hardev.com:8000/sap/$1 [P,L]
ProxyPass /sap http://mdcqa5.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa5.hardev.com:8000/sap
BI Rewrite Rule -
RewriteRule ^/(sap\(.*) http://mdcqa7.hardev.com:8000/sap/$1 [P,L]
ProxyPass /sap http://mdcqa7.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa7.hardev.com:8000/sap
These rules are written under the same virtual host; we are using only one virtual host. From our analysis we know that the reverse proxy reads this file from the start and, as soon as it finds the pattern on the left side of a rule, it simply directs the request to the URL on the right-hand side.
My issue is that, since we have created BSP services in SRM and BI, it always directs the request to the first occurrence of the matching pattern.
In the above example it always directs the call to the SRM BSP and never reaches BI.
Can you suggest any way out? -
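The first-match behaviour described in the follow-up post can be reproduced offline. This is an added example, not part of the original posts and not Apache code: a small linter that reads `ProxyPass` lines in configuration order, routes a path the way a first-match proxy would, and reports rules that can never be reached. Hostnames are the ones posted above; the request paths and the `/sap/bi` prefix in the second sample are hypothetical.

```python
import re

# Constructed excerpt: the two /sap rules from the follow-up post, plus /irj.
CONF_AS_POSTED = """\
ProxyPass /irj http://mdcqa7.hardev.com:50000/irj
ProxyPass /sap http://mdcqa5.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa5.hardev.com:8000/sap
ProxyPass /sap http://mdcqa7.hardev.com:8000/sap
ProxyPassReverse /sap http://mdcqa7.hardev.com:8000/sap
"""

# Hypothetical variant: "/sap/bi" is an invented, more specific prefix that is
# listed before the general "/sap" rule.
CONF_SPECIFIC_FIRST = """\
ProxyPass /sap/bi http://mdcqa7.hardev.com:8000/sap
ProxyPass /sap http://mdcqa5.hardev.com:8000/sap
"""

# "\s+" after the directive name keeps ProxyPassReverse lines out.
PROXYPASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_rules(conf):
    """Return (line number, path prefix, backend) for each ProxyPass line."""
    rules = []
    for lineno, line in enumerate(conf.splitlines(), start=1):
        m = PROXYPASS.match(line)
        if m:
            rules.append((lineno, m.group(1), m.group(2)))
    return rules


def covers(prefix, path):
    """Approximate ProxyPass prefix matching on whole path segments."""
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")


def route(rules, path):
    """Backend chosen for `path`: rules are checked in order, first match wins."""
    for _lineno, prefix, backend in rules:
        if covers(prefix, path):
            return backend
    return None


def shadowed(rules):
    """Rules that are unreachable because an earlier rule already covers them.

    Each finding is (line, prefix, backend, line of the shadowing rule).
    """
    findings = []
    for i, (lineno, prefix, backend) in enumerate(rules):
        for e_lineno, e_prefix, e_backend in rules[:i]:
            if covers(e_prefix, prefix) and e_backend != backend:
                findings.append((lineno, prefix, backend, e_lineno))
                break
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CONF_AS_POSTED),
                        ("specific first", CONF_SPECIFIC_FIRST)):
        rules = parse_rules(conf)
        print(label, "-> /sap/bc/bsp/demo goes to", route(rules, "/sap/bc/bsp/demo"))
        for lineno, prefix, backend, by in shadowed(rules):
            print(f"  line {lineno}: {prefix} -> {backend} is shadowed by line {by}")
```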
Strange info in "Bypass Proxy Settings for These Hosts and Domains"
For my Mac Mini my Network IP Address always has a self-assigned 169.254 number that I cannot change. Strangely, this same IP number is similar to info that is in the Proxies section (of Network Settings) under "Bypass Proxy Settings for These Hosts and Domains".
No matter what I do, this info (*,local, 169.254/16) appears in my Network Settings in the Proxies section under "Bypass Proxy Settings for These Hosts and Domains". (I tried removing the info and it would cause the "Configure Proxies" selection to default to "Always Use PAC File". Had to go back and retrash all the plist files to have Proxies go back to "Configure Proxies-Manually". Still, the info (*,local, 169.254/16) continues to appear in the "Bypass Proxy Settings for These Hosts and Domains" section and my IP address is always a 169.254 number.)
Comcast cable modem via direct hardwired Ethernet works fine with my other computer, so not the modem. Also, other computer does not have any info in the "Bypass Proxy Settings for These Hosts and Domains" section.
Installed a fresh copy of OS X 11.5 on a new hard drive. Still the same problem.
I posted this issue before but only got one responder and the problem still exists. Any clues? Somebody must know about this stuff. Help please.
Thanks
When your Mac wakes up, it does not yet have an IP Address. It wants to send a request to a Router for an appropriate IP address to use now. But it needs to have an IP address (like a return address) to receive any messages. So, ... wait for it,
... it (your Mac) makes one up. There are rules that ensure it is a random address, but they always start with 169.254. It is on the same subnet with any low-order 16 bits. This is the "self-assigned" range of IP Addresses. This address is only good for talking on a local network segment, for things like asking for a valid IP Address from a DHCP-enabled Router.
In most cases, on most networks, the 169.254 self-assigned IP Address is replaced by a valid Local IP Address such as 192.168.xxx.yyy or 10.0.xxx.yyy so quickly that you never even see the 169.254 Address.
If you do see the 169.254 Address, it can be read as "Nobody will talk to me" or "Nobody will give me an IP Address". When you have this IP Address for more than an instant, you should suspect bad cables for Ethernet connections, bad signal strength or interference for wireless, Router configuration problems, or Mac configuration problems.
Mac configuration problems are often solved by using the "Assist Me" button in System Preferences > Network and choosing to set up again.
Another diagnostic is to try using Network Utility and the Ping function, and Ping-ing the address of your Airport Base Station, often 192.168.0.1 or 10.0.0.1 or similar. This will tell you if the Router is reachable, or there are cabling/wireless signal problems.
In this case, proxies are not an issue, and are simply a distraction from the real problems. -
ASA - cut through proxy authentication for RDP?
I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
OUTSIDE to INSIDE RDP is currently working.
I have 2 servers I want RDP open for..
- OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
- OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
What's required for OUTSIDE users to authenticate on the ASA before port 3389 opens? What I was hoping for is a way to SSH into this ASA, log in with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?
Here is my current config.
[code]
ASA Version 8.2(5)
hostname ASA5505
names
name 10.10.0.0 LANTraffic
name 10.10.30.0 SALES
name 10.10.40.0 FoodServices
name 10.10.99.0 Management
name 10.10.20.0 Office
name 10.10.80.0 Printshop
name 10.10.60.0 Regional
name 10.10.70.0 Servers
name 10.10.50.0 ShoreTel
name 10.10.100.0 Surveillance
name 10.10.90.0 Wireless
interface Ethernet0/0
description TO INTERNET
switchport access vlan 11
interface Ethernet0/1
description TO INSIDE 3560X
switchport access vlan 10
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
security-level 50
no ip address
interface Vlan10
description Cisco 3560x
nameif INSIDE
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Vlan11
description Internet Interface
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.224
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 4.2.2.2
domain-name test.local
access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging device-id hostname
logging host INSIDE 10.10.70.100
mtu INSIDE 1500
mtu OUTSIDE 1500
ip verify reverse-path interface OUTSIDE
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INSIDE) 1 LANTraffic 255.255.0.0
static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
access-group RDP-INBOUND in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http Management 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.10.70.100 255.255.255.255 INSIDE
ssh Management 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username scott password CNjeKgq88PLZXETE encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
: end
[/code]
You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-list entries specific to users (or object groups containing users).
There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC). -
Privacy Enhancing Filtering Proxy Chain for OS X
A privacy enhanced web proxy is a nearly essential tool on the modern web: it blocks ads, malicious scripts, and conceals information used to track you around the web. I've provided a quick setup below in case it's useful to others. This will build a privatizing squid:privoxy proxy chain that works with any browser, and can be used by anyone on your LAN, including and especially secure VPN logins and ssh tunnels. In my experience, this setup is a lot more capable and effective than using a simple adblocking Firefox Add-On. There's a world of difference between reading ad-filled web pages with and without a filtering proxy server. I've also included information for a polipo proxy that can be used with Tor for full anonymity, as well as a script for ssh tunnelling.
Install Xcode and Macports
Install squid, privoxy, and polipo:
$ sudo port selfupdate
$ sudo port install squid privoxy polipo
$ sudo port load squid privoxy polipo
Configure the squid/privoxy/polipo config files shown below, then relaunch the proxies and test to make sure they're up:
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Privoxy.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Privoxy.plist
$ sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Polipo.plist
$ sudo launchctl load -w /Library/LaunchDaemons/org.macports.Polipo.plist
$ nmap -p 3128,8118,8123 localhost
Starting Nmap 5.51 ( http://nmap.org ) at 2012-02-07 11:47 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT STATE SERVICE
3128/tcp open squid-http
8118/tcp open privoxy
8123/tcp open polipo
Now web applications can use your filtering web proxy chain. If you use the config files below, websites will not know where you came from (HTTP_REFERER header is forged), and will not know your User Agent (also forged), and read access is blocked to several HTTP header fields. Ads are filtered. Your connection looks like this:
Application <--port 3128--> Squid <--port 8118--> Privoxy <----> Internet
Configure your network to add an option to route your web traffic through this proxy. System Preferences>Network>Wi-Fi/Ethernet/...>Locations:>Edit Locations...> Gear icon, Duplicate Location, Advanced...>Proxies> Check boxes for HTTP and HTTPS web proxies with proxy server localhost:3128.
While you're at it, configure your OS and browsers to block Adobe flash cookies. Read this WSJ article series to understand how this impacts your privacy.
System Preferences>Flash Player>Block all sites from storing information, using your camera and microphone, and networking with peers. Also Delete all data and go to this Adobe Flash Player Settings web page and block all sites from storing information, using your camera and microphone, and networking with peers.
Firefox/Safari>DO NOT ALLOW third party cookies, request not to be tracked
Firefox Add-Ons: NoScript (blocks/manages JavaScript), Beef TACO (blocks/manages flash cookies), BetterPrivacy (blocks/manages flash cookies), and the EFF's HTTPS Everywhere.
You can also download the Tor anonymous proxy chain for both OS X and iOS devices. This will run a little polipo proxy natively on mobile devices.
Here are the config file settings. Search through the config file to see the appropriate location for these settings. Turn off http_access and icp_access (squid), permit-access (privoxy), and allowedClients (polipo) if you do not want everyone on your LAN to be able to use the proxy. Double check that you're not running an open web proxy on the internet.
$ sudo vi /opt/local/etc/squid/squid.conf
# See http://www.privoxy.org/user-manual/config.html
# Define Privoxy as parent proxy (without ICP)
cache_peer 127.0.0.1 parent 8118 7 no-query
http_access allow localnet
icp_access allow localnet
via off
# old 'http_anonymizer standard'
header_access From deny all
# forge Referer in Privoxy
# header_access Referer deny all
header_access Server deny all
# forge User-Agent in Privoxy
# header_access User-Agent deny all
header_access WWW-Authenticate deny all
header_access Link deny all
# more privacy
header_access Cache-Control deny all
header_access Proxy-Connection deny all
header_access X-Cache deny all
header_access X-Cache-Lookup deny all
header_access Via deny all
header_access Forwarded-For deny all
header_access X-Forwarded-For deny all
header_access Pragma deny all
header_access Keep-Alive deny all
shutdown_lifetime 10 seconds
# See http://www.privoxy.org/user-manual/config.html
# Define ACL for protocol FTP
acl ftp proto FTP
# Do not forward FTP requests to Privoxy
always_direct allow ftp
# See http://www.privoxy.org/user-manual/config.html
# Forward all the rest to Privoxy
never_direct allow all
dns_nameservers 10.0.1.2 10.0.1.1
forwarded_for off
$ sudo vi /opt/local/etc/privoxy/config
forward / .
$ sudo vi /opt/local/etc/privoxy/match-all.action
+change-x-forwarded-for{block} \
+deanimate-gifs{last} \
+filter{refresh-tags} \
+filter{img-reorder} \
+filter{banners-by-size} \
+filter{webbugs} \
+filter{jumping-windows} \
+filter{ie-exploits} \
+hide-from-header{block} \
+hide-referrer{conditional-block} \
+session-cookies-only \
+set-image-blocker{pattern} \
/ # Match all URLs
# See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
+hide-referrer{conditional-forge} \
+hide-user-agent{Mozilla/5.0} \
/ # Match all URLs
$ sudo vi /opt/local/etc/privoxy/user.action
# fix bing's travel site, others
{ -block }
ads1.msn.com/
.bing.com/travel/jsxc\.vjs\?
.onecause.com
.apple.com
.go.com
# sourceforge
{ -block -filter -deanimate-gifs}
.sourceforge.net
.dell.com
# expedia
{ -hide-user-agent }
.expedia.com
# don't filter downloads
{-filter -deanimate-gifs}
/.*\.iso(\?|$)
/.*\.mp3(\?|$)
/.*\.mp4(\?|$)
/.*\.mov(\?|$)
/.*\.mpg(\?|$)
/.*\.ogg(\?|$)
/.*\.aac(\?|$)
/.*\.zip(\?|$)
/.*\.pdf(\?|$)
/.*\.dmg(\?|$)
/.*\.tar(\?|$)
/.*\.gz(\?|$)
/.*\.dat(\?|$)
$ sudo vi /opt/local/etc/privoxy/config
proxyAddress = "0.0.0.0" # IPv4 only
allowedClients = 127.0.0.1, 10.0.1.0/16
This configuration looks great and I was trying to apply it on my laptop. Unfortunately I'm not an expert, and I have a problem with the config file settings for squid.config.
I installed squid (at first version 2.7 but later 3.1, to be able to use the GUI SquidMan), Privoxy and polipo successfully with MacPorts. I also used MacPorts to get nmap, and the proxies look to be up:
Starting Nmap 6.01 ( http://nmap.org ) at 2012-08-23 21:59 PHT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
PORT STATE SERVICE
3128/tcp open squid-http
8118/tcp open privoxy
8123/tcp open polipo
Configuring the network was not a problem (just a question about the FTP proxy?).
Editing, adding lines to and saving match-all.action and user.action
was fine also. I don't know why the command sudo vi /opt/local/etc/privoxy/config is repeated twice, once to add forward / and later
proxyAddress = "0.0.0.0" # IPv4 only
allowedClients = 127.0.0.1, 10.0.1.0/16
I added these 3 lines anyway; the main problem, I guess, is putting the configuration properly into squid.conf.
Below is the template given by SquidMan (easier for me to get the main lines!). I have just modified Privoxy as parent proxy, but I was not able to work out properly where to add these settings (getting an error about localhost, i.e.).
Could you kindly paste them into this template? I guess it will fix my configuration! Thank you in advance.
Sincerely,
Franck
# WARNING - do not edit this template unless you know what you are doing
# the parent cache
cache_peer 127.0.0.1 parent 8118 7 no-query no-digest no-netdb-exchange default
# disk and memory cache settings
cache_dir ufs %CACHEDIR% %CACHESIZE% 16 256
maximum_object_size %MAXOBJECTSIZE%
# store coredumps in the first cache dir
coredump_dir %CACHEDIR%
# the hostname squid displays in error messages
visible_hostname %VISIBLEHOSTNAME%
# log & process ID file details
cache_access_log %ACCESSLOG%
cache_log %CACHELOG%
cache_store_log %STORELOG%
pid_filename %PIDFILE%
# Squid listening port
http_port %PORT%
# Access Control lists
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
%ALLOWEDHOSTS%
%DIRECTHOSTS%
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# protect web apps running on the proxy host from external users
http_access deny to_localhost
# rules for client access go here
http_access allow localhost
%HTTPACCESSALLOWED%
# after allowed hosts, deny all other access to this proxy
# don't list any other access settings below this point
http_access deny all
# specify which hosts have direct access (bypassing the parent proxy)
%ALWAYSDIRECT%
always_direct deny all
# hierarchy stop list (squid-recommended)
hierarchy_stoplist cgi-bin ?
# refresh patterns (squid-recommended)
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320 -
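The open-proxy warning in the guide and the `http_access` section of the SquidMan template can be checked offline. This is an added example, not from either poster and not Squid code: a small evaluator for Squid's first-match `http_access` logic, run on an excerpt of the template with its `%...%` placeholders left out. The `localnet` range, the client and destination addresses and the `OPEN` and `DENY_ONLY` variants are constructed; `all` is treated as the built-in ACL of Squid 3.

```python
import ipaddress

# Excerpt of the template above, placeholders omitted.
BASE = """\
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
"""
# Constructed variants: LAN clients only, everyone, and a deny-only list.
LAN_ONLY = BASE + "acl localnet src 10.0.1.0/24\nhttp_access allow localnet\nhttp_access deny all\n"
OPEN = BASE + "http_access allow all\n"
DENY_ONLY = "acl blocked src 192.0.2.0/24\nhttp_access deny blocked\n"


def parse(conf):
    """Collect ACL definitions and http_access rules in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            # Repeated "acl NAME ..." lines extend the same ACL.
            _kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, req):
    """Evaluate one named ACL against a request dictionary."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind in ("proto", "method"):
        return req[kind].lower() in (v.lower() for v in values)
    raise ValueError(f"ACL type {kind!r} is not handled in this sketch")


def decide(conf, req):
    """Return 'allow' or 'deny' for the request, as http_access would."""
    acls, rules = parse(conf)
    if not rules:
        return "deny"  # no http_access lines at all: request is denied
    for action, terms in rules:
        # All ACLs on a line must match; "!" negates a single ACL.
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    # Nothing matched: the default is the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


def request(src, dst="203.0.113.80", port=80, method="GET", proto="http"):
    """Build a constructed request; all values are sample data."""
    return {"src": src, "dst": dst, "port": port, "method": method, "proto": proto}


if __name__ == "__main__":
    outsider = request("198.51.100.7")
    for label, conf in (("LAN_ONLY", LAN_ONLY), ("OPEN", OPEN), ("DENY_ONLY", DENY_ONLY)):
        print(f"{label:9s} outside client -> {decide(conf, outsider)}")
```

The `DENY_ONLY` case shows why the template ends with `http_access deny all`: a list made only of `deny` lines lets every unmatched client through.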
Advance Rules for routing in Oracle BPM Human Task
Hi,
I am working on SOA 11.1.1.5.0. I have created a sample SOA application with a Human Task.
Following are the Assignment details for my Human Task.
1. Created a stage1
2. Created a participant with following details
Type = Single
Build a list of participant using : ApproverGroup
Specify attribute using : Rule-Based
List Ruleset : SampleRuleset
I have created some Advance Rules for routing as specified at http://www.orastudy.com/oradoc/selfstu/fusion/integration.1111/e10224/bp_hwfmodel.htm#BABGJGBD. Routing is working perfectly in my application.
But when I log in to the WorklistApplication as the weblogic user and access the Administration link, under Task Configuration > Data Driven tab these Routing Rules do not appear; however, I can see this SampleRuleset there.
I want to know whether these Routing Rules will appear in the WorklistApplication or not.
Regards,
Hi,
Concerning your first question the answer is yes, you can share the same UI with various Human Tasks. Assuming that your discriminator flag is the human task type, then you can create for example a taskflow parameter, pass this value and based on this value hide and show fields. You will have to bundle your UI project as an ADF shared library and attach it to each Human Task project that you would like to use it, drag and dropping the taskflow as a region (please have in mind that your taskflow pages definition should be set to fragments).
For your second question, again the answer is yes. This is an out-of-the-box functionality provided by the auto-generated human task. There is a section called history that holds and displays all this information.
For the third point, again the answer is yes. What you can do is enable the OnTaskCompleted event so that whenever a participant completes their task an event is generated. Then you can have a mediator or a BPEL process that can subscribe to this event and process the notification.
For question 4 I don't think that is possible (out of the box). You will have to write something like a proxy service that will fetch this additional information from your LDAP server and map it to your participants list.
Question 5, the organizational chart allows you to define the structure and hierarchy of your organization (users, groups, application roles) which can be used in your business processes to define your various approval types.
For your last question, the shared flag is used to define whether your logical roles (also called application roles) should be specific to a process or can be shared across processes.
Regards
Antonis -
[SOLVED] how to use different iptables rules for different ppp account?
An x86 platform runs an Arch Linux system and has two network interfaces, eth1 and eth0. eth1 connects to the internet. eth0 connects to other terminals through a switch. I want to use different iptables rules for different PPPoE accounts. I also want to know how to forbid more than one terminal from establishing a PPPoE link using the same account at the same time.
Last edited by linuxsir (2013-09-26 06:48:01)
(You establish PPPoE sessions over the local network to the Arch machine? Which then routes the traffic?)
First question: yes, that is exactly what I have done. Second question: I also have a small script on the Windows PC to solve the traffic routing problem
route -p delete 0.0.0.0
route -p add 192.168.9.0 mask 255.255.255.0 192.168.9.1
route -p add 0.0.0.0 mask 0.0.0.0 192.168.22.0
but after a while I found the script is not necessary, because Windows always attempts to use PPPoE sessions as the default internet connection; the local connection is also OK.
And using -i pppX in my iptables rules does not solve my problem, because a PPPoE session started by the same account could be marked as ppp0 or ppp1. It is hard to identify which account started the session. -
Data not coming from DOE to Mobile After defining Rule for device attribute
Hi All,
I have created a DO and a rule for it. In the case of a Bulk Rule for all definition, when I trigger extract from the Portal, all the data comes to the outbound queue, but when I define a rule for a Device attribute, no data comes to my Outbound queue. Here is the scenario of what I am doing:
1. I have an order header in my backend which has a field named "Work_Center", and this will be the criteria field.
2. In the CDS table I have all the records for all the work centers.
3. Now in RMM under customized, I have added an attribute named "Work_center".
4. Now I defined a rule with Device attribute mapping and activated the rule.
5. Now on the Portal I assigned this data object, and in the device attribute tab I assigned the value (this value exists in the CDS table for a few orders) of a Work center to the attribute "Work_Center".
6. Then I triggered extract but its Outbound queue is empty. What could be the reason?
Is my approach correct?
Regards,
Abhishek
Hi Abhishek,
You can check one more thing, after you have performed all the steps till step 5, i.e. just before triggering
extract. Check if the AT table for your DO has entries based on the criteria specified by you...
1. In the workbench click on the Data Object, and then right click and select "View Metadata".
2. Select Distribution Model tab.
3. Now select your DO's Association table.
4. For the input field DEVICE ID specify your corresponding device id, and also for the status field specify it
as "I" and execute.
If there are any entries now in the AT table, and on triggering extract they are not coming to the
outbound Q, there is some EXTRACT Q blocked. And if there were no entries in the AT, then the rule
specified is not being satisfied.
Thanks,
Swarna
Now if you have entries w -
Leave Quota generation with different rules for different countries
Hi,
I have the following requirement need help in achieving this.
Employers must grant 10 days paid leave to employees that worked for six consecutive months from the time of hiring and who worked on not less than 80 per cent of all schedule work days. This paid leave may be taken consecutively or separately. Where an employee's application to take paid leave will hinder the normal business operations, the employer may require the employee to take such paid leave at a different time.
The number of days of paid leave available to employees increases in proportion to employees' length of service as set forth in the below table.
Years of Service | 0.5 | 1.5 | 2.5 | 3.5 | 4.5 | 5.5 | 6.5+
Paid Holidays    | 10  | 11  | 12  | 14  | 16  | 18  | 20
The right to annual paid leave expires after two years. In other words, annual paid leave left over from one year may be carried over and taken the next year only. For example, if an employee is awarded 10 days paid leave after their first 6 months of employment; those paid holidays will become invalid after 2.5 years of employment. Use them or lose them.
Simply put, holidays from one year can be carried over to the next year, but not to the third year. So, if you don't take your leave from one particular year within 12 months of that year ending, you will lose that first year's allowance.
Employee can take leave encashment of holiday leave only when leaving their employer. It is not legal for companies to buy up the holiday leave of those still working for the firm.
In my organization one PSG grouping has been used for all countries, it won't be possible to change the grouping now. In such a case how can we provide different rule for different country without customizing the Leave module.
Do we have to use any PCR for this, if yes which??
Regards,
Jailakshmi
Edited by: Jailakshmi on Aug 3, 2011 7:16 AM
Hi,
Use QUOMO Feature to give different entitlement to employees.
Leave entitlement as per seniority can be configured in base entitlement.
Keep validity and deduction period for 2 years by using "Relative position" option in validity and deduction period table.
Rgds,
Lata
Rgds, -
I am using a work laptop and have the same problem. When I try to change the "configure proxy", the only available option is "use this proxy server for all protocols". Could it be that my system administrator blocked me from changing it since they don't want us to use Firefox?
== User Agent ==
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.4; FNGP_SYS)
Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]
If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears.
You can use "Disable all add-ons" on the ''Safe mode'' start window.
You have to close and restart Firefox after each change via "File > Exit" (on Mac: "Firefox > Quit") -
Problem with nat / access rule for webserver in inside network asa 5505 7.2
Hello,
I have trouble setting up nat and access rule for webserver located in inside network.
I have asa 5505 version 7.2 and it has two active interfaces, inside 192.168.123.0 and outside x.x.x.213
Webserver has ip 192.168.123.11 and it needs to be accessed from outside, ip x.x.x.213.
I have created a static nat rule with pat (as an appendix) and access rules from outside network to inside interface ip 192.168.123.11 (tcp 80) but no luck.
What am I doing wrong?
Command:
packet-tracer input outside tcp 188.x.x.213 www 192.168.123.11 www detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x35418d8, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=188.x.x.213, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
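For triaging output like the trace above, here is an added example (not part of the original thread) that parses packet-tracer text into phases and reports the first phase that dropped the packet. The sample text is constructed, abridged from the format shown in the post, and the function names are this example's own.

```python
import re

# Constructed sample, abridged from the packet-tracer format shown in the post.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 192.168.123.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final summary."""
    phases, summary, cur, bucket = [], {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"([A-Za-z][A-Za-z -]*):\s*(.*)$", line)
        key, val = m.groups() if m else (None, None)
        if key == "Phase":
            cur = {"phase": int(val), "Config": [], "Additional Information": []}
            phases.append(cur)
        elif line == "Result:":  # a bare "Result:" opens the final summary
            cur = None
        elif cur is None:
            if key:
                summary[key] = val
        elif key in ("Type", "Subtype", "Result"):
            cur[key], bucket = val, None
        elif line in ("Config:", "Additional Information:"):
            bucket = line[:-1]  # free-text lines that follow belong to this field
        elif bucket and line:
            cur[bucket].append(line)
    return phases, summary

def triage(text):
    """Name the first phase that dropped the packet and the rule behind it."""
    phases, _ = parse_packet_tracer(text)
    drop = next((p for p in phases if p.get("Result") == "DROP"), None)
    if drop is None:
        return "no phase dropped the packet"
    implicit = "Implicit Rule" in drop["Config"]
    cause = "implicit deny, no ACL entry matched" if implicit else "; ".join(drop["Config"])
    return "phase %d (%s): %s" % (drop["phase"], drop.get("Type"), cause)
```

A drop attributed to "Implicit Rule" means no configured access-list entry matched the simulated packet, so the source and destination used in the trace are the first thing to compare against the ACL.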
Report on settlement profile/rule for the Process Orders ?
Is there any report which will display settlement profile for process order or settlement rule for process order.
Hi,
Did you try this one: KOSRLIST_OR - Settlement Rules?
Regards,
Eli -
Any report to check vacation rule for users?
any report to check vacation rule for users?
Hello Anand,
there is no report but you may use the production order info system with list "components" and create a layout contaning the issued quantity and/or the final issue indicator. With a correct sorting, the list should show all orders with non-issued components at the top.
Regards, Andreas -
Error when activating update rules for R/3 training and event management
hi all,
When I am trying to activate update rules for training and event management cube it is giving the following error: "IC=0PE_C01 IS=0HR_PE_1 error when checking the update rules
Message no. RSAU461".
please guide me how to solve this issue.
thanks & regards
Vamshi D Krishna
Hi Vamsi,
Have you followed the following document to implement HR ?
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a0780530-bf03-2b10-d5ad-e9e8a53def23 -
How can I activate the transfer rules for the ODS updating a data target.
We are on BW 3.5 and I'm loading data into the 0FIGL_O10 ODS and then uploading the data into the cube 0FIGL_C10. The data loads just fine to the ODS but when I try to 'update the data target' I get a 'date & time stamp' error on the info-package transfer rules.
I then Replicate the datasource 80FIGL_O01.
I must then 'activate' the transfer rules.
However I cannot get the transfer rules for 80FIGL_O10 in CHANGE MODE to activate them.
How can I activate the transfer rules for the ODS updating a data target.
The error text is as follows:
DataSource 80FIGL_O10 has to be replicated (time stamp, see long text)
Message no. R3016
Diagnosis
DataSource 80FIGL_O10 does not have the same status as the source system in the Business Information Warehouse.
The time stamp in the source system is 02/15/2007 10:42:33.
The time stamp in the BW system is 11/07/2006 13:11:54.
System response
The load process has been terminated.
Procedure
Copy the DataSource again and then activate the transfer rules that belong to it. You have to activate the transfer rules in every case, even if they are still active after the DataSource has been copied.
Thanks for your assistance.
Denny
Hi Dennis,
Try, using Business Content to activate your data source
hope this will help you
How activate business content?
http://help.sap.com/saphelp_nw04/helpdata/en/80/1a66d5e07211d2acb80000e829fbfe/frameset.htm