Online update problem

I have two production servers behind Sonicwalls here. We recently updated our Sonicwalls to the new version of advanced OS. (3 to 4) Since then I can’t get updates on either of my machines. I’ve tested using wget and the xml file loads with no issues. The php script simply cannot connect. I’ve tried all of the hacks listed here. Even the code that supposedly loads using wget command. Nothing helped. The code hacks broke FreePBX, nothing would load. The only way I can load updates is to plug the server into the outside world on a static IP. This isn’t exactly possible on a production server. Keep in mind content filtering is turned off here. Is there any other way to get updates or load modules?

The following fixed my issue:

On October 26th, 2007 nathan31415 (tadpole) said:

I had the same problem tonight though I have a Sonicwall TZ170 running the Enhanced OS.

The solution is described here:

http://www.radiotope.com/writing/?p=95

In short, the CFS engine is running no matter if you have a license for it or not and the firewall is dropping only the HTTP GET packet (though the earlier SYN/SYN-ACK packets go through fine). You have to manually disable the CFS engine via the undocumented http://your.ip.address/diag.html URL after logging in.

My guess is that the short HTTP GET packet causes the CFS engine to drop the packet. Wireshark showed only

HTTP GET /modules-2.3.xml HTTP/1.0\r\n

with no other accompanying parameters as you typically find when a true browser does an HTTP GET (e.g. Host:, User-Agent:, Accept:, Keep-Alive:, Connection:, Referer:, Cookie:, Authorization:, etc. etc.) followed by TCP retransmissions (since no ACK was ever received back from freepbx.org). A wget of the URL worked just fine from the same IP address so I’m not sure what else the Sonicwall triggers on, but I was stumped (and no mention of the “…examining stream for host header” message on either sonicwall.com or mysonicwall.com that I could find, sigh).

If FreePBX faked some of the additional fields when issuing the GET I bet the packet would pass through the Sonicwall just fine. I could see a security-paranoid web proxy do the same thing too (I wonder how you could force Squid to do this?).

Nathan

Please post this as a bug with your fixes. That way it will get tracked and addressed versus getting lost here in the forums.

Thanks.

Hi Ronald,

Good suggestion on August 29th, 2007. I followed your suggestion, with very good results! Thanks

Thanks bluetrepidation. That solved my problem!

I found the following article:

http://bugs.php.net/bug.php?id=29280

The issue is that PHP uses a default stream context that does not include any proxy; you have to set it up manually in “/var/www/html/admin/functions.inc.php”:

$opts = array('http' => array('request_fulluri' => true, 'proxy' => 'tcp://192.168.0.1:8080'));
$context_stream = stream_context_create($opts);

That creates a new context using the proxy address.

These 2 lines should be present before each file_get_contents invoking a URL or fopen for retrieving modules.

Also you need to modify each file_get_contents and fopen, adding “,false,$context_stream” as lead-in parameters

Add the following 2 lines at the top of these functions:

function module_getonlinexml
function module_get_annoucements
function module_download
function _module_readxml

Near line 1725 :

change : $data = @ file_get_contents($fn);
by : $data = @ file_get_contents($fn,false,$context_stream);

Near line 2929 :

change : $announcement = @ file_get_contents("http://mirror.freepbx.org/version-".getversion().".html".$options);
by : $announcement = @ file_get_contents("http://mirror.freepbx.org/version-".getversion().".html".$options,false,$context_stream);

Near line 2335:
change : if (!$dp = @fopen($url,'r')) {
by : if (!$dp = @fopen($url,'r',false,$context_stream)) {

Near line 2705 :
change : $data = file_get_contents($xmlfile);
by : $data = file_get_contents($xmlfile,false,$context_stream);

It should not be too difficult to add this code in the source of freepbx and adding the proxy parameters in the general tab of the configuration.

all you need to do is set
HostNameLookups on
in /etc/httpd/conf/httpd.conf

I suggest those struggling here verify this setting. After verifying netconfig, pinging urls, file access via wget, etc., this change with a stop and restart of Apache works for me.

Could anyone with better knowledge of BIND comment on any ramifications of this change in Apache versus any more encompassing DNS configuration or problem? Although it works, I am interested if this is a best practice going forward.

Hi, this change to user_agent in the php.ini works for me. I made this change, restarted httpd and amportal, ran the update process again, and I cant get then.

Cangrejo

I know this is an old post but Jonathan Galpin’s advice fixed my problem. I just edited /etc/resolv.conf and pointed the nameserver to my firewall’s IP address.

I gained a lot of useful information from this thread. What I have found in my case is that while mirror.freepbx.org seems to be fine, the url http://69.41.162.148 is blocked as a “Banner/Web Ads” site by M86 filtering appliances. Perhaps others as well.

I can download the XML file OK with Lynx and wget, but the PHP calls choke when they try and parse the XML file, because they are instead getting the BLOCKED PAGE notice to attempt to parse.
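
The failure described above (a filter's block page reaching the XML parser) together with the per-call proxy context from the earlier post, as an added example that is not part of the thread or of FreePBX's code. The function names, the user agent string and the sample responses are constructed for illustration.

```php
<?php
// Added example, not FreePBX code; names, UA string and sample bodies are constructed.

// Per-call HTTP context: scopes proxy and User-Agent to one request, not the whole process.
function update_context($proxy = null)
{
    $http = array(
        'user_agent'    => 'example-updater/1.0',
        'timeout'       => 15,
        'ignore_errors' => true,   // return the body on 4xx/5xx so it can be inspected
    );
    if ($proxy !== null) {
        $http['proxy'] = $proxy;          // e.g. tcp://192.168.0.1:8080
        $http['request_fulluri'] = true;  // proxies expect the absolute URI
    }
    return stream_context_create(array('http' => $http));
}

// Decide whether a response is usable before parsing it; returns array(ok, reason).
function check_update_response($headers, $body)
{
    if ($body === false) {
        return array(false, 'no response (DNS failure, routing, or request dropped in transit)');
    }
    $status = 'unknown';
    foreach ((array) $headers as $h) {    // keep the last status line after redirects
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $h, $m)) { $status = $m[1]; }
    }
    if ($status !== '200') {
        return array(false, "HTTP status $status");
    }
    $prev = libxml_use_internal_errors(true);   // collect parse errors instead of warnings
    $xml  = simplexml_load_string($body);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        return array(false, 'body is not XML: ' . substr(trim(strip_tags($body)), 0, 60));
    }
    return array(true, 'root element <' . $xml->getName() . '>');
}

// Constructed samples: a filter's block page and a minimal XML document.
$blocked = "<html><body><h1>Access blocked<br>Category: Banner/Web Ads</body></html>";
$good    = "<?xml version=\"1.0\"?><xml><module><rawname>example</rawname></module></xml>";
print_r(check_update_response(array('HTTP/1.1 200 OK'), $blocked));
print_r(check_update_response(array('HTTP/1.1 200 OK'), $good));
// Live use (needs network): $body = @file_get_contents($url, false, update_context($proxy));
// then: print_r(check_update_response($http_response_header, $body));
```

A block page served with status 200 is reported as "body is not XML" with the start of its text, which separates a filtering appliance from a DNS or connection failure.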

chufferd,

that is very interesting and good to know. So what’s the difference with wget? Is it nothing more than seeing the wget user agent?

What happens if you add the following to /var/www/html/admin/functions.inc.php:

Index: functions.inc.php
===================================================================
--- functions.inc.php   (revision 9482)
+++ functions.inc.php   (working copy)
@@ -2249,6 +2249,7 @@
                }
                //$fn = "/usr/src/freepbx-modules/modules.xml";
                if (!$amp_conf['MODULEADMINWGET']) {
+      ini_set('user_agent','Wget/1.10.2 (Red Hat modified)');
                        $data = @ file_get_contents($fn);
                } else {
                        $data = "";
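Review bot: the ini_set('user_agent', ...) added at the top of the !$amp_conf['MODULEADMINWGET'] branch changes the user agent for every later HTTP stream in this request, not only for the file_get_contents($fn) that follows it. Passing a stream context with an http user_agent option as the third argument to file_get_contents would scope the change to this one fetch. The @ on that call also hides the very failure this test is meant to expose, so log the result while testing.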
@@ -3308,6 +3309,7 @@
        }
 
        if (file_exists($xmlfile)) {
+    ini_set('user_agent','Wget/1.10.2 (Red Hat modified)');
                $data = file_get_contents($xmlfile);
                //$parser = new xml2ModuleArray($data);
                //$xmlarray = $parser->parseModulesXML($data);
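Review bot: the ini_set added inside if (file_exists($xmlfile)) has no effect on the read that follows. file_exists() only succeeds for wrappers that support stat, which the http wrapper does not, so $xmlfile is a local path here and no User-Agent header is sent. Drop the line from this hunk.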
@@ -3535,6 +3537,7 @@
 
        $fn = "http://mirror.freepbx.org/version-".getversion().".html".$options;
        if (!$amp_conf['MODULEADMINWGET']) {
+    ini_set('user_agent','Wget/1.10.2 (Red Hat modified)');
                $announcement = @ file_get_contents($fn);
        } else {
                $announcement = '';
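Review bot: the literal 'Wget/1.10.2 (Red Hat modified)' is now repeated in a third place, and the added line is indented with four spaces against the deeper indentation of the lines around it. Define the string once (a constant or an $amp_conf setting) and match the file's indentation. For anything beyond a test, a string that identifies FreePBX and its version keeps the mirror's logs accurate, which a borrowed Wget string does not.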

basically just setting the user agent to “Wget/1.10.2 (Red Hat modified)”

any chance of trying this out and seeing if that allows it to bypass the filter?

I tried the php and httpd changes, but they did not work.
I could not ping google.com, so the DNS is broken.

ping google.com
(Does not work)

edit resolv.conf

nano /etc/resolv.conf to:

nameserver 208.67.222.222

Restart HTTPd:

service httpd restart

That’s it.

Thanks,
restarting the httpd worked for me.

service httpd restart

See if this article helps…

http://www.freepbx.org/forum/freepbx/beta-program-issues/after-latest-upgrade-cannot-get-to-freepbx-gui-again#comment-44885

I have a remote server (CentOS 6.4 x64 - FPBX v2.10.x.), where I switched to FreePBXDistro. I have also been getting the same error for a long time. … mirror(x).freepbx.com. Online modules are not available. I did some digging and found out something strange.

[Solution:] The file /etc/schmooze/pbx-brand was blank. So I edited it and added “FreePBXDistro” to that file. Now all the updates are working just fine. Just upgraded to 2.11.x

Hope it helps someone else.

Farhan Sabir
20130913-2200