Project

General

Profile

Bug #25247

Document Proxy Bypass

Added by Anthony Chavez over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Important
Assignee:
Warren Block
Category:
Documentation
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

2 x iXsystems FreeNAS Mini XL + 1 x home-built Shuttle DH170

ChangeLog Required:
No

Description

A number of users are reporting this issue here.

I myself am running three FreeNAS installations on three different machines. Each installation is also exhibiting the same behavior: the Control Services link in the Django GUI simply does not display at all after upgrading from FreeNAS 10-STABLE to 11-STABLE.

In the screenshot I've attached, the three bars just keep looping.

control-services.jpg (267 KB) control-services.jpg Screenshot Anthony Chavez, 07/20/2017 02:50 PM
11843

Related issues

Related to FreeNAS - Bug #25360: Check AD tooltip and documentationClosed: Behaves correctly2017-07-30
Related to FreeNAS - Bug #25372: GUI communicate with plugins through system proxyClosed: Not To Be Fixed2017-07-31

Associated revisions

Revision 1910023e (diff)
Added by Warren Block over 3 years ago

Add tip about proxy and VPN software interference with Services screen. Ticket: #25247 Ticket: #25359

History

#1 Updated by Dru Lavigne over 3 years ago

  • Status changed from Unscreened to 15

Anthony: please attach a debug (System -> Advanced -> Save Debug). We'll mark the ticket private until a dev has a chance to review it.

#2 Updated by Anthony Chavez over 3 years ago

  • File debug-dionysos-20170720181446.tgz added

Sure, here it is.

#3 Updated by Dru Lavigne over 3 years ago

  • Status changed from 15 to Unscreened
  • Assignee changed from Release Council to William Grzybowski
  • Private changed from No to Yes

#4 Updated by William Grzybowski over 3 years ago

  • Status changed from Unscreened to 15
  • Priority changed from No priority to Important
  • Target version set to 11.0-U3

Second time I hear about it but was never able to reproduce.

Would you be willing to do a TeamViewer session?

#5 Updated by Anthony Chavez over 3 years ago

Be happy to but I would like to delete that debug ASAP.

#6 Updated by William Grzybowski over 3 years ago

  • File deleted (debug-dionysos-20170720181446.tgz)

#7 Updated by William Grzybowski over 3 years ago

Deleted. Can we schedule something for Monday?

#8 Updated by Anthony Chavez over 3 years ago

Sure, after 3pm PDT, my schedule is wide open.

#9 Updated by Anthony Chavez over 3 years ago

I noticed that 11.0-U2 was released recently so I upgraded one of the machines to that version and the issue persists.

#10 Updated by William Grzybowski over 3 years ago

after 3PM PDT is a terrible time for me, unfortunately. Is there any day you can make it at least 2 hours earlier?

Thanks

#11 Updated by Anthony Chavez over 3 years ago

I can do Wednesday at 1pm PDT.

What are you wanting to look at, exactly? Is there any sort of preparation you need me to do beforehand?

#12 Updated by William Grzybowski over 3 years ago

Anthony Chavez wrote:

I can do Wednesday at 1pm PDT.

What are you wanting to look at, exactly? Is there any sort of preparation you need me to do beforehand?

Ok, lets make it wednesday 1pm PDT.
I want to take a look from the browser whats is wrong with the websocket connection.

Just one idea though, do you have a proxy set up in your network? That could be a potential issue.

#13 Updated by Anthony Chavez over 3 years ago

Yes I do. I use WPAD to automatically configure my browsers with a proxy.pac file, but it returns DIRECT if the server IP is RFC 1918 or 127.0/8.

I also have the outbound proxy settings manually configured to connect to the proxy on each FreeNAS installation (for updates).

#14 Updated by William Grzybowski over 3 years ago

Anthony Chavez wrote:

Yes I do. I use WPAD to automatically configure my browsers with a proxy.pac file, but it returns DIRECT if the server IP is RFC 1918 or 127.0/8.

I also have the outbound proxy settings manually configured to connect to the proxy on each FreeNAS installation (for updates).

That could be the reason. Can you check if your proxy can handle websocket connections? More specifically watch for /websocket in freenas IP.

#15 Updated by Anthony Chavez over 3 years ago

I use c-icap+squidclamav on ArchLinux to scan for viruses, and I grep'ed both /var/log/squid/access.log and /var/log/c-icap/access.log for "websocket" and get nothing.

I also have iftop running on the proxy machine and see no connections to port 3128/tcp from either my browser or the FreeNAS machine when I use the FreeNAS WebUI.

Evidently, the browser is parsing the proxy.pac correctly and establishing direct connections to the FreeNAS machine rather than touching the proxy at all.

#16 Updated by Anthony Chavez over 3 years ago

Furthermore, if I manually configure the browser to use a direct connection rather than use proxy.pac at all, I still encounter the same issue.

#17 Updated by William Grzybowski over 3 years ago

Ok, thanks for looking. Lets wait Wednesday then.

#18 Updated by Anthony Chavez over 3 years ago

I'm available from this point forward.

#19 Updated by William Grzybowski over 3 years ago

Anthony Chavez wrote:

I'm available from this point forward.

Can you share your teamviewer credentials? In here (ticket is private) or william at ixsystems com

#20 Updated by William Grzybowski over 3 years ago

  • Status changed from 15 to Unscreened
  • Assignee changed from William Grzybowski to Dru Lavigne

Dru,

This was another issue with a proxy. Do you think we can note somewhere in the docs that if using a proxy it should be configured to bypass localnet and/or websocket connections?

#21 Updated by Dru Lavigne over 3 years ago

  • Category changed from 2 to Documentation
  • Assignee changed from Dru Lavigne to Warren Block

William: glad you found the culprit!

#22 Updated by Anthony Chavez over 3 years ago

I'm not familiar with WebSockets, but the Wikipedia article on the subject shed a little light.

I am running two proxies on my network. One is configured via WPAD, the other is, in fact, a transparent proxy, which is the one I had to configure to bypass the ws:// connection.

As the article notes, connections through transparent proxies will likely fail.

#23 Updated by Anthony Chavez over 3 years ago

Oops, I misread it. Transparent proxies are supported but the proxy must have websocket support.

The transparent proxy on my network is running squid 3.5.26, but it could also be that I have connections piped through squidclamav via c-icap also.

My firewall is running pfSense 2.3.4-p1, FWIW.

#24 Updated by Dru Lavigne over 3 years ago

  • Subject changed from Control Services will not open after upgrading to FreeNAS 11 to Document Proxy Bypass

#25 Updated by Dru Lavigne over 3 years ago

  • Private changed from Yes to No

#26 Updated by Dru Lavigne over 3 years ago

  • Related to Bug #25360: Check AD tooltip and documentation added

#27 Updated by Timur Bakeyev over 3 years ago

There are also reports on the forum, that at least Kaspersky Endpoint Security 10 may block access as well.

So I'd extend warning to the Anti-viruses with the embedded personal firewalls, and, namely, Kaspersky.

Also, wouldn't it be handy to implement alert either in the GUI itself or if possible - within standard Alerts framework, that would notify users that Websockets connections are not working?

#28 Updated by Dru Lavigne over 3 years ago

  • Related to Bug #25372: GUI communicate with plugins through system proxy added

#29 Updated by Warren Block over 3 years ago

  • Status changed from Unscreened to Screened

#30 Updated by Dru Lavigne over 3 years ago

  • Needs QA changed from Yes to No

#31 Updated by Warren Block over 3 years ago

  • Status changed from Screened to Resolved

Also available in: Atom PDF