Hi Jon,
As a matter of fact, while investigating this Java option, I found some posts that used the "127.0.0.1^" notation (regex style), so I also tested it. The same behavior is observed from the calls to DSess either with or without the ^.
But while writing this answer, I thought of one additional possibility to test, even if it doesn't make sense: adding the port (127.0.0.1:2026).
And surprise: no more requests to 127.0.0.1 going through our internet proxy.
I then replaced the entry 127.0.0.1:2026 with 127.0.0.1*, and the behavior is still correct.
So for anyone wanting to configure an http(s) outgoing proxy, pay attention to the syntax used for the exceptions and do not forget to add "localhost*" and "127.0.0.1*" to cover all the loopback cases.
------------------------------
André Leruitte
------------------------------
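An added example, not part of the original posts and not IBM or Apache CXF code: a small audit script that checks a `-Dhttp.nonProxyHosts` value against loopback targets. It assumes a matching model that is only inferred from the behavior reported in this thread (each `|`-separated entry is compared against the whole `host:port` string, with `*` as the only wildcard); the function names and the `localhost:2026` target are constructed for illustration.

```python
import re

def parse_non_proxy_hosts(value):
    """Split a -Dhttp.nonProxyHosts value on '|' and drop empty entries."""
    return [p.strip() for p in value.strip('"').split("|") if p.strip()]

def _to_regex(pattern):
    # Only '*' is a wildcard; every other character (including '^') is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE)

def bypasses_proxy(authority, patterns):
    """True if any entry matches the whole 'host:port' string.

    Assumed model, chosen because it reproduces what the thread observed:
    '127.0.0.1' and '127.0.0.1^' fail, '127.0.0.1:2026' and '127.0.0.1*' work.
    """
    return any(_to_regex(p).fullmatch(authority) for p in patterns)

def proxied_targets(value, targets):
    """Return the targets that would still be sent to the outbound proxy."""
    patterns = parse_non_proxy_hosts(value)
    return [t for t in targets if not bypasses_proxy(t, patterns)]

# Loopback endpoints to verify; the DSess address is from the thread,
# the localhost variant is constructed.
LOOPBACK_TARGETS = ["127.0.0.1:2026", "localhost:2026"]

# Exception list as first posted, and with the entries the thread ends up recommending.
ORIGINAL = ("*.myinternal.domain.lu|*.mydomain.lu|*.myotherdomain.post.lu"
            "|localhost^|127.0.0.1^")
CORRECTED = ("*.myinternal.domain.lu|*.mydomain.lu|*.myotherdomain.post.lu"
             "|localhost*|127.0.0.1*")

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("corrected", CORRECTED)):
        leaked = proxied_targets(value, LOOPBACK_TARGETS)
        print(f"{label}: loopback targets still proxied -> {leaked or 'none'}")
```

Under the same model a trailing `*` also matches any other name that starts with the same prefix (for example `127.0.0.10:80`), so the exception list is broader than the two loopback names alone.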
Original Message:
Sent: Fri November 20, 2020 06:55 AM
From: Jon Harry
Subject: Configuring an outbound HTTP Proxy and its exceptions
Hi André,
You probably know this area better than me but I'm intrigued by the use of ^ in your patterns (especially since it's related to the 127.0.0.1 address you're having trouble with). I can't find any indication of what this symbol does.
Also, do you have other Java components communicating successfully with 127.0.0.1 (or localhost) without using the proxy? It's a bit odd because I thought that by default Java always bypassed proxy for localhost and 127.0.0.1.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri November 20, 2020 04:11 AM
From: André Leruitte
Subject: Configuring an outbound HTTP Proxy and its exceptions
Hello all,
We are giving internet access to our ISAMs so we can make use of OCSP endpoints as well as OIDC metadata/JWKS endpoints.
For that we are configuring an outgoing HTTP proxy via the "Runtime parameters" HTTP(S) PROXY attributes.
We also added an exception list in the "Advanced Tuning parameters" with the following value: -Dhttp.nonProxyHosts="*.myinternal.domain.lu|*.mydomain.lu|*.myotherdomain.post.lu|localhost^|127.0.0.1^"
It seems the calls to DSess ignore this configuration, because we are encountering the following calls every 30 seconds at our internet proxy:
- "http://127.0.0.1:2026/DSess/services/DSess" with user agent "Apache CXF 2.6.2"
Does anyone have any idea what is wrong in our configuration? Has anyone configured an outgoing HTTP proxy and run into similar issues?
Thank you
------------------------------
André Leruitte
------------------------------