I am running a Node.js SSH server that spawns a child process to exec code (using require('child_process').spawn) after successful authentication.
The client-server connection works fine on port 22, and the connection is kept alive successfully through the spawned process.
I am now trying to set this up with HAProxy 1.6, forwarding port 22 to a non-privileged port on which the SSH server is listening.
However, when the child process is spawned the server errors with either Error: write EPIPE or Error: read ECONNRESET.
This suggests to me that there is an issue with a prematurely closed stream or connection somewhere between the client -> HAProxy -> server?
I have been looking at websocket and ssh configurations for HAProxy and various keep-alive options, but I cannot get the connection to work.
My configuration:
    global
        daemon
        maxconn 10000
        log 127.0.0.1 local0

    defaults
        log global
        option tcplog
        option logasap
        timeout connect 500s
        timeout client 5000s
        timeout server 2h
        timeout server-fin 5000s
        timeout client-fin 5000s
        timeout tunnel 1h
        option tcpka

    frontend sshd
        bind *:22
        default_backend ssh
        timeout client 2h

    backend ssh
        mode tcp
        server ssh2server 127.0.0.1:5000 check port 5000
Any pointers or help would be awesome. Thanks in advance.
EDIT
Running haproxy in debug mode I have:
    00000000:sshd.accept(0004)=0005 from [my ip]
    00000000:ssh.srvcls[0005:0006]
    00000000:ssh.clicls[0005:0006]
    00000000:ssh.closed[0005:0006]
On the tcplog:
    Oct 15 15:15:38 localhost haproxy[16036]: 128.277.13.23:51146 [15/Oct/2016:15:15:38.804] sshd ssh/ssh2server 1/0/+0 +0 -- 1/1/1/1/0 0/0
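The tcplog line above is easier to reason about once its fields are named. The parser below is an added example (not code from the question or from HAProxy) that splits a line produced by `option tcplog` into its documented fields and decodes the two-character termination state. It assumes the field order HAProxy's manual gives for the TCP log format; the first sample is the line from the question, the second is a constructed line with no `option logasap` prefix for comparison.

```python
import re

# Field layout of a line produced by "option tcplog", per the HAProxy
# configuration manual ("TCP log format"):
#   %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq
# A leading "+" on %Tt and %B means "option logasap" emitted the line as soon
# as the server connection was established, so those values are partial.
TCPLOG_RE = re.compile(
    r"(?P<client_ip>[0-9a-fA-F.:]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tt>\+?\d+) "
    r"(?P<bytes_read>\+?\d+) "
    r"(?P<term_state>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)"
)

# First character of %ts: why the session ended.
SESSION_STATE = {
    "-": "normal session completion",
    "C": "client aborted (TCP connection closed by the client)",
    "S": "server aborted, refused or reset the connection",
    "P": "session aborted by the proxy (policy, error or invalid content)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in the proxy",
    "D": "killed by haproxy because the server was detected as down",
    "U": "killed by haproxy on a backup server when an active server came up",
    "K": "killed by an administrator via the stats socket",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}

# Second character of %ts: what the session was doing at that moment.
SESSION_PHASE = {
    "-": "normal",
    "R": "waiting for a complete request from the client",
    "Q": "waiting in the queue for a connection slot",
    "C": "waiting for the connection to the server to establish",
    "H": "waiting for complete response headers from the server",
    "D": "data phase",
    "L": "transmitting last data to the client after the server finished",
    "T": "request was tarpitted",
}


def is_tcplog(line):
    """True when the line contains a tcplog record (a syslog prefix is allowed)."""
    return TCPLOG_RE.search(line) is not None


def parse_tcplog(line):
    """Split one tcplog line into named fields; raises ValueError otherwise."""
    m = TCPLOG_RE.search(line)
    if not m:
        raise ValueError("not an HAProxy tcplog line: %r" % line)
    d = m.groupdict()
    ts = d["term_state"]
    return {
        "client": (d["client_ip"], int(d["client_port"])),
        "accept_date": d["accept_date"],
        "frontend": d["frontend"],
        "backend": d["backend"],
        "server": d["server"],
        "Tw_ms": int(d["Tw"]),            # time spent waiting in queues
        "Tc_ms": int(d["Tc"]),            # time to connect to the server
        "Tt_ms": int(d["Tt"]),            # total session time (partial if logged early)
        "bytes_read": int(d["bytes_read"]),
        "logged_early": d["Tt"].startswith("+"),   # "option logasap" in effect
        "term_state": ts,
        "session_state": SESSION_STATE.get(ts[0], "unknown"),
        "session_phase": SESSION_PHASE.get(ts[1], "unknown"),
        "retries": int(d["retries"]),
        "redispatched": d["retries"].startswith("+"),
    }


def summarize(line):
    """One-line human reading of a tcplog record."""
    r = parse_tcplog(line)
    early = (" (logged early by 'option logasap': timers, bytes and state"
             " describe the session at connect time, not at its end)"
             if r["logged_early"] else "")
    return ("%s -> %s/%s: connect %d ms, %d bytes, state '%s' = %s / %s%s"
            % (r["frontend"], r["backend"], r["server"], r["Tc_ms"],
               r["bytes_read"], r["term_state"], r["session_state"],
               r["session_phase"], early))


# The line from the question above, syslog prefix included.
SAMPLE = ("Oct 15 15:15:38 localhost haproxy[16036]: 128.277.13.23:51146 "
          "[15/Oct/2016:15:15:38.804] sshd ssh/ssh2server 1/0/+0 +0 -- 1/1/1/1/0 0/0")

# Constructed for comparison: same proxy, logged at session end, server-side abort.
SAMPLE_CONSTRUCTED = ("Oct 15 15:20:01 localhost haproxy[16036]: 10.0.0.5:40000 "
                      "[15/Oct/2016:15:20:01.100] sshd ssh/ssh2server 0/0/3012 4096 SD 1/1/1/1/0 0/0")

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(SAMPLE_CONSTRUCTED))
```

The point the parser makes explicit is the `+` prefix: with `option logasap` the record is written when the server connection is established, so the `--` state and `+0` bytes say nothing about how the session ended. Removing `option logasap` (or reading the `srvcls`/`clicls` order in the debug output, which shows the server side closing first) is what tells you which side dropped the connection.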
Related
I have a simple program which creates a simple web server at localhost with a random port between 10000 and 65535 (which is the highest unsigned 16-bit integer). You can also specify a port but if you don't know on which port it runs it's hard to find out.
I have written a little helper program that should show every port that's being listened to.
The helper:
    import requests

    for port in range(10000, 65535):
        try:
            print(port, requests.get("http://localhost:{}".format(port)))
        except Exception as e:
            print("{}: {}".format(type(e).__name__, port), end="\r")
I expect it to show ConnectionError: 10000 and count up to 65535, showing any found connections. But it always hangs at port 25564/25565, last showing the message for port 25564. And if I do a completely unrelated request to 'http://localhost:25564' or any higher port it hangs.
The script hangs on port 25565 when I start a server on 25564.
Normally, if a port has no server listening, it will immediately refuse the connection and give a ConnectionError. Above port 25564 it doesn't, but just waits until I stop it.
This behaviour seems completely random, as port 25564 is unassigned according to speedguide.net.
Port 25565 is the standard MySQL and Minecraft Dedicated Server port (according to speedguide.net), neither of which I have running on my machine. Therefore the hang still seems random.
I'm using python3 on Ubuntu 20.04 LTS.
Interestingly it didn't fail on my laptop with Linux Mint 21...
As #root requested in the comments, here is the output of nmap localhost:
    Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-25 11:42 CEST
    Host is up (0.00014s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    631/tcp  open  ipp
    8080/tcp open  http-proxy
    9050/tcp open  tor-socks
    Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
Just a little note: port 80/tcp is listened on by apache2 with the "You are an idiot" flash animation.
As per the comments, you can try something like this:
You will note that I have added the timeout parameter to the request. Its unit is seconds. The default timeout is None, which means it will wait (hang) until the connection is closed.
    import requests

    for port in range(10_000, 65_535):
        try:
            r = requests.get(f'http://localhost:{port}', timeout=5)
            print(port)
        except Exception as e:
            print(f'{type(e).__name__}, {port}', end='\r')
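A timeout stops the loop from stalling, but it still does not say why a port stalled. The script below is an added example (not the answerer's code) that probes with a plain TCP connect instead of an HTTP request and classifies each port as open, refused, or timed out, so that "nothing is listening" (an immediate RST) is kept apart from "something swallowed the SYN" (no answer at all) and from "something accepted the connection but does not speak HTTP" (reported as open instead of hanging). The `demo()` function is constructed for the example: it binds a throwaway listener on an ephemeral loopback port to show both the open and the refused outcome.

```python
import errno
import socket


def probe_port(host, port, timeout=1.0):
    """TCP-connect to host:port and classify the outcome.

    'open'    : the handshake completed, so something is listening
    'refused' : the kernel answered with RST; nothing listens there, which is
                the normal result for an unused port and should be instant
    'timeout' : neither SYN-ACK nor RST within `timeout` seconds, i.e. a rule
                that drops instead of rejects, or a host that never answers
    'error:X' : any other OSError, reported by errno name
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            return "error:" + errno.errorcode.get(e.errno, str(e.errno))
        return "open"


def scan(host, ports, timeout=1.0):
    """Probe every port and group the results by outcome, so a stalled port
    shows up under 'timeout' instead of freezing the whole loop."""
    found = {"open": [], "refused": [], "timeout": [], "error": []}
    for port in ports:
        result = probe_port(host, port, timeout)
        key = "error" if result.startswith("error:") else result
        found[key].append(port)
    return found


def demo():
    """Constructed demonstration: bind a throwaway listener on an ephemeral
    loopback port, probe it while it listens, close it, and probe again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)   # expect 'open'
    listener.close()
    after_close = probe_port("127.0.0.1", port)       # expect 'refused'
    return {"port": port, "listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo())
    # Short loopback range for a quick run; widen to 10000-65535 to mirror the question.
    print(scan("127.0.0.1", range(10000, 10010), timeout=0.5))
```

On a normal host every unused loopback port should land in `refused` within a millisecond; a run of `timeout` results starting at a fixed port number points at something between the socket and the kernel (a filtering rule, a local proxy, or a listener that accepts and never replies), which a plain HTTP GET with no timeout cannot distinguish.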
We have a proftpd server on an Azure VM configured to use implicit FTPS.
Error:
    Status: Connecting to myPublicIP:990...
    Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
    Error:  Could not connect to server
Relevant configuration
    # /etc/proftpd/proftpd.conf
    Port 21
    PassivePorts 49152 49190
    MasqueradeAddress myPublicIP

    # /etc/proftpd/tls.conf
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1 TLSv1.2
    TLSCipherSuite AES128+EECDH:AES128+EDH
    #TLSOptions NoCertRequest AllowClientRenegotiations UseImplicitSSL EnableDiags
    TLSRSACertificateFile /etc/proftpd/ssl/certificate.pem
    TLSRSACertificateKeyFile /etc/proftpd/ssl/certificate.key
    TLSVerifyClient off
    TLSRequired on
I have opened the following ports in the security group and on the interface of the virtual machine:
20, 21, 49152-49190, 990, 989.
If I do not force the connection through the implicit port, the rest of the connections work perfectly.
According to your configuration, you did not enable implicit mode. If you execute netstat -ant|grep 990, it should return nothing.
So if you use that port to connect to the FTP server, you will get that error.
You could check this link to enable implicit mode.
    <IfModule mod_tls.c>
        <VirtualHost 0.0.0.0>
            Port 990
            TLSEngine on
            TLSOptions UseImplicitSSL
        </VirtualHost>
    </IfModule>
Then you need to restart the FTP server: service xinetd restart
When you execute netstat -ant|grep 990, you will get something like the below:
    root#shui:~# netstat -ant|grep 990
    tcp6       0      0 :::990                  :::*                    LISTEN
I am trying to bind HAProxy on a Fedora 21 instance to socket 1883 (for the MQTT protocol).
I get
    [ALERT] 215/130943 (926) : Starting proxy mqtt: cannot bind socket [0.0.0.0:1883]
There does not seem to be anything listening on this port, as far as I could check. Does anyone have an idea about what might be the problem?
I am able to connect to postgres from the terminal as well as with the python manage.py dbshell command.
But when I try to connect from Apache I get the following error.
    Error : OperationalError: could not connect to server: Permission denied
        Is the server running on host "192.168.1.10" and accepting
        TCP/IP connections on port 5432?
My listen address in the postgres conf file is 192.168.1.10.
pg_hba.conf allows: host all all 192.168.0.0/24 trust
And I also turned the SELinux boolean httpd_can_network_connect_db on.
The port is listening on 192.168.1.10:5432 in the netstat output.
And the database socket files are in the /tmp directory:
    wxrwxrwx. 1 postgres postgres  0 Dec 18 07:40 .s.PGSQL.5432
    -rw-------. 1 postgres postgres 50 Dec 18 07:40 .s.PGSQL.5432.lock
Actually, I had enabled the SELinux httpd_can_network_connect_db parameter on the db server instead of the web server.
So the issue got solved after enabling httpd_can_network_connect_db on the web server.
I'm trying to start up HAProxy on Cygwin. When I do so, I get the following response:
    $ /usr/local/sbin/haproxy -f /usr/local/sbin/haproxy.cfg
    [ALERT] 313/180006 (4008) : cannot change UNIX socket ownership (/tmp/haproxy.socket). Aborting.
    [ALERT] 313/180006 (4008) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
It looks like it's due to the following line in my config file; when I rip this out, it starts up:
    stats socket /tmp/haproxy.socket uid haproxy mode 770 level admin
The entire config:
    global
        log 127.0.0.1 local0 info
        stats socket /tmp/haproxy.socket uid haproxy mode 770 level admin
        maxconn 1000
        daemon

    defaults
        log global
        mode tcp
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 1000
        timeout connect 5s
        timeout client 120s
        timeout server 120s

    listen rabbitmq_local_cluster 127.0.0.1:5555
        mode tcp
        balance roundrobin
        server rabbit_0 127.0.0.1:5673 check inter 5000 rise 2 fall 3
        server rabbit_1 127.0.0.1:5674 check inter 5000 rise 2 fall 3

    listen private_monitoring 127.0.0.1:8100
        mode http
        option httplog
        stats enable
        stats uri /stats
        stats refresh 5s
Any ideas would be appreciated, Thanks!
Simple answer, as I expected. My user "haproxy", which is referenced in the problematic line:
    stats socket /tmp/haproxy.socket uid haproxy mode 770 level admin
did not have the necessary permissions on the local machine. Once this was set up, it started up fine.
Nice to know that it still works on Cygwin; what version of haproxy is this? I did not know that UNIX sockets were supported on Windows, BTW. Or maybe they're emulated via named pipes?