WinGate Forums

[Silver_Pharaoh]

Hi again!

I'm now having an issue with browsing websites that have a colon in the URL such as : http://warframe.wikia.com/wiki/Thread:155738
If I try to go to that site I get a webpage back from the Wingate server telling me Access Denied: "You do not have sufficient rights for access to this resource"

Why? I can't seem to find anything obvious but my gut is telling me some default Wingate access rule is causing this. I have not touched the web access part of Wingate 7 so I'm not sure how to add exceptions or edit what sites to block etc.

I know the server is blocking this website because I get the Access Denied page instantly, where as a normal page takes a few seconds to load due to my high latency internet so something inside the Wingate server is causing this.

Any ideas?
Thanks in advance!

[adrien]

Hi

which version of WinGate is this?

We had some old baked in rules relating to drive specifiers. I'm not sure if they are still there, but that error message rings a bell

Regards

Adrien

[Silver_Pharaoh]

Hi

which version of WinGate is this?

We had some old baked in rules relating to drive specifiers. I'm not sure if they are still there, but that error message rings a bell

Regards

Adrien

The latest Wingate 7.

EDIT: Sorry wrong version. I have 7.3.1 Build 3535 installed!

[adrien]

Hi

I just checked the code history, that bug was introduced in 1999 for some unknown reason, and was fixed 24 June 2013, and the fix was first released in WinGate 8.0.0

So I guess you're running WinGate 7?

Regards

Adrien

[Silver_Pharaoh]

Hi

I just checked the code history, that bug was introduced in 1999 for some unknown reason, and was fixed 24 June 2013, and the fix was first released in WinGate 8.0.0

So I guess you're running WinGate 7?

Regards

Adrien

Yes, Wingate 7 is installed.

[Silver_Pharaoh]

Checked the changelog and yup, the fix is listed under Wingate 8.0.0....

So the only solution is to install Wingate 8 then?

[MattP]

Hi,

The fix won't be migrated back to WinGate 7 so you will need to update to WinGate 8. If you would like to email sales@wingate.com we can let you know the cost to renew your version protection.

Matt

[Silver_Pharaoh]

Hi,

The fix won't be migrated back to WinGate 7 so you will need to update to WinGate 8. If you would like to email sales@wingate.com we can let you know the cost to renew your version protection.

Matt

Alright so I'm guessing I'm stuck with this bug since Wingate 8.x.x doesn't support Windows 2000, which is what I am running (Windows Advanced Server 2000)
I don't have a key for Server 2003 only for Server 2008 R2 which is 64bit and my Pentium 3's are x86 only...


There's no workaround for this bug is there....

[adrien]

Hi

sorry, there's no workaround, and unfortunately we aren't set up currently even to build the old WinGate 7 code tree any more so it's not just a simple matter of porting the fix back.

Windows 2000 was a great low-cost (in terms of resource usage) OS, and we only retired our last 2k machines about 12 months ago.

Adrien

[Silver_Pharaoh]

Hi

sorry, there's no workaround, and unfortunately we aren't set up currently even to build the old WinGate 7 code tree any more so it's not just a simple matter of porting the fix back.

Windows 2000 was a great low-cost (in terms of resource usage) OS, and we only retired our last 2k machines about 12 months ago.

Adrien

Ahh that's unfortunate.

Ah well. At least it only affects a few websites. The best solution I have found is to simply use my phone's mobile data to browse that webpage. (bypass the Wingate server)
2000 is a nice OS, runs super smooth on my dual Pentium 3 server, on top of that Wingate isn't very resource heavy :)

Thank you Adrien and Matt for providing the insight as to what's going on. At least I know it's not due to a mis-configuration.
Cheers!

[Silver_Pharaoh]

Okay might have found a way to bypass this bug.
What about Web proxy auto config? Just like this guy: viewtopic.php?f=12&t=40845

I have ENS disabled currently, so I'm wondering if PAC would work in my network?
Remember that I'm re-routing all port 80 traffic to the Wingate server, and the Proxy is set to NOT intercept any ports.

If i can find a way to setup this PAC you think it would allow me to have the troublesome sites bypass the proxy?

[MattP]

Yes, that's probably a good workaround.

[adrien]

Hi

I resurrected our old build server, got the code to it and managed to get it to spit out a new build of WinGate 7.

It's untested, but should fix this problem for you. Only change since build 3535 was the fix for this issue.

http://www.wingate.com/downloads/latest/WinGate7.3.2.3536-USE.exe

Regards

Adrien

[Silver_Pharaoh]

Hi

I resurrected our old build server, got the code to it and managed to get it to spit out a new build of WinGate 7.

It's untested, but should fix this problem for you. Only change since build 3535 was the fix for this issue.

http://www.wingate.com/downloads/latest/WinGate7.3.2.3536-USE.exe

Regards

Adrien

Adrien, I've installed the new build and so far everything is working great!
Not seeing that Access denied page for the websites I previously had issues with.

Thank you so much for taking the time to resurrect the old build server!!
I will email you if I come across any issues with the build. (Though I expect none.) :)


@Matt P
I actually found another workaround that I was using up until tonight.

iptables -t nat -A PREROUTING -i br0 -d 104.156.85.194 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -d 104.156.81.194 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -d 23.235.37.194 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -d 23.235.33.194 -p tcp --dport 80 -j ACCEPT

These rules in Iptables basically bypass the proxy for the Wika.com sites. So that solves the issue with the website I originally linked to. Obviously, this will get ridiculous over time when I have to manually add the IPs of other troublesome sites AND update the rules manually when the IPs change...

I think I will still look into PAC. Might as well learn it. Perhaps I can use it in the network....

[Silver_Pharaoh]

Okay, getting the "Access Denied" page for this URL: [http://]ad.doubleclick.net/ddm/clk/283550864;110381442;a;u=ds&sv1=5421231573&sv2=20160123160&sv3=453031;%3fhttp://www.homehardware.ca/en/index.htm?gclid=CPTR4ujIwMoCFQEaaQodK-AFbg

It is a Google ad for Homehardware.ca found as the first link in a google search for homehardware.

[adrien]

ok

that looks like the double slash.

Normally those are URL-escaped in embedded URLs.

Adrien

[adrien]

I've been looking through this code more and more, and I'm struggling to see how this restriction can even be checked except for in the case of server requests.

Are you diverting port 80 to the proxy (e.g. to the proxy rather than via it) and then forward proxying it?

Adrien

[Silver_Pharaoh]

I've been looking through this code more and more, and I'm struggling to see how this restriction can even be checked except for in the case of server requests.

Are you diverting port 80 to the proxy (e.g. to the proxy rather than via it) and then forward proxying it?

Adrien

That's exactly what I'm doing.

My 2nd router is forwarding ALL port 80 traffic to the Wingate Proxy which I have set to NOT intercept Port80 and I also have it set to make a proxy request out to the internet.

[adrien]

OK, I see the problem. We re-ordered things a bit in 8.0

The check for exploits that this code path is hitting was originally intended for the case where WinGate was serving a local file. This dates back to WinGate 4 or 5, before we added support for reverse proxying or proxying diverted connections.

So we moved the check so it's only performed in the case where WinGate is actually going to be serving (e.g. not reverse or forward proxying). So you won't hit it any more.

I'll send you another link to a build once it's done.

Cheers

Adrien

[adrien]

ok, try

http://www.wingate.com/downloads/latest/WinGate7.3.2.3537-USE.exe

Cheers

Adrien

[Silver_Pharaoh]

ok, try

http://www.wingate.com/downloads/latest/WinGate7.3.2.3537-USE.exe

Cheers

Adrien

I see!

Downloading now. I'll probably get around to installing it tomorrow though.

Thanks again for fixing these bugs Adrien!!