Trying to pass through firewall programmatically

by dze27 (Pilgrim)
on Sep 10, 2001 at 23:13 UTC ( #111539=perlquestion )

dze27 has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I am trying to write a Perl script which passes through our firewall. We have a system at work which requires a separate user name/password which is needed to access the global internet and if you do not make an HTTP request for a certain period of time, then you have to re-login. Now, ordinarily, this is not a problem since I just run one of those news alert programs which checks for news every 5 minutes and so it's not a huge bother. However, I have a few processes that I run with "at" (Win NT 4.0) on the weekend, and I would like to ensure that these run by running this script first.

I've Googled and SuperSearched and still no luck. What I have so far (pretty much copied from the perl cookbook & the LWP docs) is the following:

    use strict;
    use diagnostics;
    use LWP::UserAgent;
    use HTTP::Request;
    use HTTP::Response;

    my $ua = LWP::UserAgent->new();
    $ua->agent("Test/0.01");
    $ua->credentials('mysite', 'myrealm', 'myuserid', 'mypassword');

    my $req = HTTP::Request->new('GET', 'http://www.yahoo.com');
    my $response = $ua->request($req);

    if ($response->is_error()) {
        printf " %s\n", $response->status_line;
    } else {
        print $response->content();
    }

This returns 401 Unauthorized as the status line when my firewall connection is inactive (i.e. more than X minutes have elapsed) and my correct site, realm, username, password are filled in.

Normally, if I try to login through the firewall for the first time by typing in an external URL, it prompts me with the familiar dialog box (Site/Realm/Username/password). If I hit cancel, it redirects me to http://{IP address of firewall machine}/fwauthredirect{ip address of web server}id{a numeric code, looks to be a sequence number}

Thanks for any insight you can provide. If I left out any info you need, let me know.

Re: Trying to pass through firewall programmatically
by idnopheq (Chaplain) on Sep 10, 2001 at 23:39 UTC
    From lwpcook in perldoc:

    Some proxies also require that you send it a username/password in order to let requests through. You should be able to add the required header, with something like this:

        use LWP::UserAgent;

        $ua = LWP::UserAgent->new;
        # Send http and ftp requests through the authenticating proxy
        $ua->proxy(['http', 'ftp'] => 'http://proxy.myorg.com');

        $req = HTTP::Request->new('GET', "http://www.perl.com");
        # Adds a Proxy-Authorization: Basic ... header to this request
        $req->proxy_authorization_basic("proxy_user", "proxy_password");

        $res = $ua->request($req);
        print $res->content if $res->is_success;

    Replace proxy.myorg.com, proxy_user and proxy_password with something suitable for your site.

    HTH
    --
    idnopheq
    Apply yourself to new problems without preparation, develop confidence in your ability to meet situations as they arise.

      Yes!!! Thank you so much. As you might have gathered, this worked. I'm kicking myself a bit for not looking at the proxy stuff first.
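
An added example, not part of the original thread or of idnopheq's reply: it builds the same request without sending it and decodes the Proxy-Authorization header that proxy_authorization_basic produces, showing that Basic proxy credentials travel as reversible base64. The environment variable names FW_PROXY_USER and FW_PROXY_PASS are assumptions, and the fallback values are constructed samples.

```perl
use strict;
use warnings;
use HTTP::Request;
use MIME::Base64 qw(decode_base64);

# Assumed environment variable names (hypothetical, not from the thread).
# The fallbacks are constructed sample values so the block runs offline.
my $user = $ENV{FW_PROXY_USER} // 'proxy_user';
my $pass = $ENV{FW_PROXY_PASS} // 'proxy_password';

# Build the request the same way as the reply above; nothing is sent.
my $req = HTTP::Request->new(GET => 'http://www.perl.com/');
$req->proxy_authorization_basic($user, $pass);

# The header the proxy would receive: "Basic <base64 of user:password>".
my $header = $req->header('Proxy-Authorization');
my ($scheme, $blob) = split ' ', $header, 2;
print "scheme on the wire: $scheme\n";

# Base64 is an encoding, not encryption: decoding the header value
# gives back the user name and password exactly as they were supplied.
# The limit of 2 keeps any ':' inside the password intact.
my ($seen_user, $seen_pass) = split /:/, decode_base64($blob), 2;

printf "user recovered from header:     %s\n", $seen_user;
printf "password recovered from header: %s\n",
    $seen_pass eq $pass ? 'yes (matches what was supplied)' : 'no';

# The same applies to the script file itself: a literal password in the
# source is readable by anyone who can read the file, which is why the
# credentials above come from the environment rather than the code.
```

Because the header is reversible, the password is exposed to anything on the path between the client and the proxy when the proxy URL is plain http, as it is in the reply above.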

Re: Trying to pass through firewall programmatically
by nardo (Friar) on Sep 10, 2001 at 23:39 UTC
    You can use get_basic_credentials if credentials isn't working for you.
        {
            package MyUserAgent;
            use LWP::UserAgent;
            our @ISA = qw(LWP::UserAgent);

            # LWP calls this when it receives a Basic authentication challenge
            sub get_basic_credentials {
                my ($self, $realm, $uri) = @_;
                # do stuff with $realm and $uri if desired
                return ('myuserid', 'mypassword');
            }
        }

        my $ua = MyUserAgent->new();

    Since it sounds like you are doing this to circumvent company security policy, you should probably get permission to do this if you haven't already.
      Since it sounds like you are doing this to circumvent company security policy, you should probably get permission to do this if you haven't already.

      I respectfully disagree with this statement in principle. I agree one should check their corporate IT security policy before programmatically passing through. But to infer non-compliance ( at best ) or intentional misuse ( at worst ) based off the parent node is IMHO not logical.

      I have used this very technique to do things like update my installed modules via PPM; to verify a web server is answering on the public internet from my corporate gateway as part of systems monitoring; etc. Such methods were not addressed in the corporate guidelines nor was I ever asked to investigate any such doings as a Security Administrator.

      I anticipate that, as proxy access is performed via username and password, this user has requested and was granted such access. /s?he/ is then monitorable and auditable. Nothing in the original node leads me to anticipate ( even as a sceptical security admin ) that anything is amiss.

      I believe one should make as certain as possible that the data they acquire in this fashion offers no threat to the corporate assets. But to my eyes the threat here is no better or worse than that the average l^Huser can accomplish via IE or Netscape interactively.

      Anyway, I rant. YMMV :-)

      UPDATE: corrected typos ...

      HTH
      --
      idnopheq
      Apply yourself to new problems without preparation, develop confidence in your ability to meet situations as they arise.

      I think the credentials part was working, it was the proxy part that I was missing. Thanks though.

      As for the "circumventing company security policy" I appreciate the concern but I have read our AUP many times (to make sure the many things I do that most users don't do are OK) and there's nothing against doing this sort of thing. Every web access is logged with my machine name anyways, this wouldn't circumvent that. I have used that news alert program for 2 years, which has presumably generated 288 requests a day (one every 5 minutes) including Saturdays and Sundays and I have never heard anything about it. So I'm not going to be worried about the odd additional request. Obviously, as idnopheq says I had better be careful about what I'm accessing, but that applies in general.
