Not long ago the VPN connection broke. The admin says this is because openconnect sends a POST to the wrong URL. The dump looks like this:
echo 'MyPassword' | openconnect -b --pid-file=/tmp/openconnect-pid --user="MyUser" --printcookie --dump-http-traffic entry.foo.corp/subGroup
POST https://entry.foo.corp/subGroup
Attempting to connect to server 195.222.249.123:443
Connected to 195.222.249.123:443
SSL negotiation with entry.foo.corp
Connected to HTTPS on entry.foo.corp
> POST /subGroup HTTP/1.1
> Host: entry.foo.corp
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 219
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><group-access>https://entry.foo.corp/subGroup</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 06 Apr 2023 08:56:31 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group>
<config-hash>1679989103949</config-hash>
</opaque>
<auth id="main">
<title>Login</title>
<message>Please enter your username and password.</message>
<banner></banner>
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
</form>
</auth>
</config-auth>
XML POST enabled
Please enter your username and password.
Password:
POST https://entry.foo.corp/
> POST / HTTP/1.1
> Host: entry.foo.corp
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 373
>
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><opaque is-for="sg">
<tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group>
<config-hash>1679989103949</config-hash>
</opaque><auth><username>MyUser</username><password>MyPassword</password></auth></config-auth>
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Thu, 06 Apr 2023 08:56:31 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body http 1.0 (-1)
SSL socket closed uncleanly
Unexpected 404 result from server
Failed to obtain WebVPN cookie
So in the first request the POST goes to https://entry.foo.corp/subGroup, but in the second request it goes to https://entry.foo.corp instead. That looks wrong, and the admin of this VPN agrees that it is the wrong URL.
So, is there any way to tell openconnect that it should send the POST to the same URL both times?
(Better still: is there a better explanation for why it suddenly started failing?)
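The exchange in the dump, parsed by an added example (not openconnect's code): it splits --dump-http-traffic output into POST/response pairs, compares every POST target against the <group-access> URL the client announced in its init message, and rebuilds the auth-reply from the server's auth-request, copying the <opaque> block and the form field names from the server instead of hardcoding them. The dump text embedded below is a constructed, abbreviated copy of the one in the question with the password replaced; the gateway name and paths are the question's.

```python
"""Added example: check an openconnect --dump-http-traffic log of the
AnyConnect aggregate-auth exchange. Not openconnect code."""
import copy
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed, abbreviated copy of the dump in the question (password replaced).
DUMP = """\
POST https://entry.foo.corp/subGroup
> POST /subGroup HTTP/1.1
> Host: entry.foo.corp
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><group-access>https://entry.foo.corp/subGroup</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
HTTP body chunked (-2)
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group>
<config-hash>1679989103949</config-hash>
</opaque>
<auth id="main">
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
</form>
</auth>
</config-auth>
XML POST enabled
POST https://entry.foo.corp/
> POST / HTTP/1.1
> Host: entry.foo.corp
>
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><opaque is-for="sg"><tunnel-group>AnyConnect-subGroup-TunnelGroup</tunnel-group><config-hash>1679989103949</config-hash></opaque><auth><username>MyUser</username><password>REDACTED</password></auth></config-auth>
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
"""

POST_LINE = re.compile(r"^POST (\S+)$", re.MULTILINE)      # openconnect's own "POST <url>" line
CONFIG_AUTH = re.compile(r"<config-auth\b.*?</config-auth>", re.DOTALL)


def split_exchange(dump):
    """One dict per POST: target url, request/response <config-auth> trees, status code."""
    records = []
    posts = list(POST_LINE.finditer(dump))
    for i, m in enumerate(posts):
        end = posts[i + 1].start() if i + 1 < len(posts) else len(dump)
        sent, found, received = dump[m.end():end].partition("Got HTTP response:")
        req = CONFIG_AUTH.search(sent)
        resp = CONFIG_AUTH.search(received) if found else None
        records.append({
            "url": m.group(1),
            "request": ET.fromstring(req.group(0)) if req else None,
            "response": ET.fromstring(resp.group(0)) if resp else None,
            "status": int(received.split(None, 2)[1]) if found else None,  # "HTTP/1.1 200 OK"
        })
    return records


def check_post_urls(records):
    """Return the <group-access> URL from the init plus every POST whose path differs."""
    init = records[0]["request"]
    if init is None or init.get("type") != "init":
        raise ValueError("first POST does not carry a config-auth init")
    expected = init.findtext("group-access")
    wanted = urlsplit(expected).path
    strays = [(i, r["url"]) for i, r in enumerate(records)
              if urlsplit(r["url"]).path != wanted]
    return expected, strays


def build_auth_reply(auth_request, credentials, version="v8.05-1", device_id="linux-64"):
    """Build the auth-reply: echo the server's <opaque> block unchanged and fill
    exactly the form fields the server asked for (names come from the server)."""
    if auth_request.get("type") != "auth-request":
        raise ValueError("not a config-auth auth-request")
    root = ET.Element("config-auth", client="vpn", type="auth-reply")
    ET.SubElement(root, "version", who="vpn").text = version
    ET.SubElement(root, "device-id").text = device_id
    opaque = auth_request.find("opaque")
    if opaque is not None:
        root.append(copy.deepcopy(opaque))
    auth = ET.SubElement(root, "auth")
    for field in auth_request.iterfind("auth/form/input"):
        name = field.get("name")
        if name not in credentials:
            raise KeyError(f"server form asks for {name!r}")
        ET.SubElement(auth, name).text = credentials[name]
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    recs = split_exchange(DUMP)
    expected, strays = check_post_urls(recs)
    print("group-access:", expected)
    for i, url in strays:
        print(f"POST #{i + 1} went to {url} (status {recs[i]['status']})")
    print(build_auth_reply(recs[0]["response"], {"username": "MyUser", "password": "REDACTED"}))
```

Run against the dump it reports the single stray, POST #2 to https://entry.foo.corp/ with status 404, and prints the auth-reply that carries the same tunnel-group and config-hash the server handed out. One caveat the dump itself shows: --dump-http-traffic writes the auth-reply, password included, to the terminal, so scrub a dump like this before pasting it anywhere.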
Answer 1
The second POST request is not being sent to the correct URL; one solution is to create a local reverse proxy that intercepts that request and forwards it to the correct URL.
First let's install socat:
sudo apt-get install socat
Then we start the reverse proxy, listening on port 8080 and forwarding all traffic to entry.foo.corp:443:
socat TCP-LISTEN:8080,fork,reuseaddr TCP:entry.foo.corp:443
Then modify your Openconnect command to use this reverse proxy:
echo 'MyPassword' | openconnect -b --pid-file=/tmp/openconnect-pid --user="MyUser" --printcookie --dump-http-traffic http://localhost:8080/subGroup
If it still doesn't work, try updating Openconnect.
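The answer's local reverse proxy written out as an added example (not socat's or openconnect's code). A TCP relay passes bytes through unchanged, so it cannot alter the request path on its own; the proxy below instead accepts plain HTTP on 127.0.0.1:8080, rewrites a POST whose target is / to the group path, replaces the Host header, forces Connection: close so one client request maps to one upstream connection, and relays it over a certificate-verified TLS connection to the gateway. The gateway name, port 8080 and /subGroup are taken from the question and answer; everything else is an assumption for illustration.

```python
"""Added example: HTTP-aware local reverse proxy that rewrites the
auth-reply POST target from "/" to the group path. Not socat/openconnect code."""
import socket
import ssl
import threading

GATEWAY = "entry.foo.corp"        # assumption: the head-end from the question
GROUP_PATH = "/subGroup"          # assumption: the path the first POST used
LISTEN = ("127.0.0.1", 8080)      # loopback only: this hop is cleartext HTTP


def rewrite_request(raw, gateway=GATEWAY, group_path=GROUP_PATH):
    """Rewrite 'POST / ...' to 'POST <group_path> ...', set Host to the gateway
    and force Connection: close; any other request target and the body are kept."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    request_line, *headers = head.split(b"\r\n")
    method, target, version = request_line.split(b" ", 2)
    if method == b"POST" and target == b"/":
        target = group_path.encode()
    kept = [h for h in headers
            if h.split(b":", 1)[0].strip().lower() not in (b"host", b"connection")]
    new_head = [b" ".join((method, target, version)),
                b"Host: " + gateway.encode(), b"Connection: close", *kept]
    return b"\r\n".join(new_head) + sep + body


def read_request(conn):
    """Read one request: the head plus Content-Length bytes of body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    head, _, body = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(body) < length:
        chunk = conn.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def relay(client):
    """Forward one rewritten request to the gateway over TLS and copy the reply back."""
    ctx = ssl.create_default_context()    # verifies the gateway certificate and hostname
    with client:
        request = read_request(client)
        if not request:
            return
        with socket.create_connection((GATEWAY, 443)) as raw_sock:
            with ctx.wrap_socket(raw_sock, server_hostname=GATEWAY) as tls:
                tls.sendall(rewrite_request(request))
                while True:           # server closes after the reply (Connection: close)
                    data = tls.recv(4096)
                    if not data:
                        break
                    client.sendall(data)


def serve():
    with socket.create_server(LISTEN) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=relay, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Use it with the answer's http://localhost:8080/subGroup command line. The hop from openconnect to the proxy is cleartext and carries the auth-reply with the password (visible in the dump above), so keep the listener bound to 127.0.0.1 as here and never expose it on a network interface.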