Opengate Error Check
Because Opengate interacts with many other programs, its behavior is difficult to follow. This memo is prepared to assist debugging.
- When an error occurs, check the stand-alone behavior of each related program. The ipfw settings in particular are difficult and affect many parts. First debug with ipfw fully open, then close it little by little.
- Opengate uses the following files; the directories shown are the defaults. Check that these files are correctly in place.
  /usr/local/www/data/index.html.var
  /usr/local/www/cgi-bin/opengate/(opengatesrv.cgi, opengatefwd.cgi, opengateauth.cgi)
  /usr/local/www/data/opengate/(ja, en)/(topindex.html, index.html, index-ssl.html, accept.html, accept2.html, deny.html, deny-ssl.html, retry.html)
  /etc/opengate/(opengatesrv.conf, rc.firewall, rc.firewall6, ipfwctrl.pl): copy from *.sample
  /var/log/opengate.log
  Opengate also creates a lock file [/tmp/opengate.lock] at execution. It can be removed.
- Understand the basic flow of the system by reading the descriptions of the system flow and of the protocol between applications.
- Test programs are provided as opengatesrv/test-*.
- Opengate writes info and error messages to /var/log/opengate.log. When an error occurs, check the log file. If you set the Debug switch to 1 in /etc/opengate/opengatesrv.conf, a lot of debug information is dumped to the log file. See also the Apache log and the system log.
- The configuration file is /etc/opengate/opengatesrv.conf. 'make install' creates /etc/opengate/opengatesrv.conf.sample; copy it to opengatesrv.conf. Because the configuration parameters change between versions, do not use a file from a different version.
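A preflight check for the default file list above and for the S bit on opengatesrv.cgi that this memo asks you to verify, as an added example that is not part of Opengate. The ROOT prefix argument is hypothetical (it lets the check run against a staging tree), and rc.firewall6 and accept2.html are taken as the intended file names.

```shell
#!/bin/sh
# Added example, not part of Opengate. The optional ROOT prefix is a
# hypothetical convenience; leave it empty on a live gateway.
# Assumption: rc.firewall6 and accept2.html are the intended file names.

# Print every default path from the memo's file list, one per line.
opengate_paths() {
    echo /usr/local/www/data/index.html.var
    for f in opengatesrv.cgi opengatefwd.cgi opengateauth.cgi; do
        echo "/usr/local/www/cgi-bin/opengate/$f"
    done
    for lang in ja en; do
        for f in topindex index index-ssl accept accept2 deny deny-ssl retry; do
            echo "/usr/local/www/data/opengate/$lang/$f.html"
        done
    done
    for f in opengatesrv.conf rc.firewall rc.firewall6 ipfwctrl.pl; do
        echo "/etc/opengate/$f"
    done
    echo /var/log/opengate.log
}

# Report files that are missing under ROOT ($1), and report
# opengatesrv.cgi when it exists but lacks the setuid (S) bit.
check_opengate_install() {
    root=${1:-}
    opengate_paths | while read -r p; do
        [ -f "$root$p" ] || echo "MISSING $p"
    done
    cgi=/usr/local/www/cgi-bin/opengate/opengatesrv.cgi
    if [ -f "$root$cgi" ] && [ ! -u "$root$cgi" ]; then
        echo "NO-SETUID $cgi"
    fi
    return 0
}
```

Run `check_opengate_install` with no argument on the gateway; no output means every listed file is present and the S bit is set.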
The following is a list of errors and their descriptions at each execution step, in the form:
- Normal Action
- Opengate is installed successfully.
  - The compiler reports missing libraries or headers.
    - Opengate after Ver.0.56 can be compiled on FreeBSD4 or later.
  - 'make' succeeds but 'make install' fails.
    - 'make install' should be run by the root user.
    - 'make install' fails when an opengate process exists. Check with ps and kill it.
- When you access an external URL with a browser, the packet is forwarded to the local Apache server by the ipfw fwd rule.
  - The external URL is displayed.
    - The firewall is open for the client IP address. Check the ipfw settings.
    - If an opengate process exists, the corresponding firewall open rule exists. Check with ps and 'ipfw list'.
    - If NAT is inserted between the server and the clients, all clients use the same IP address on the upper side of the NAT. Thus an allow rule for one IP address allows all of those clients. Be especially careful with the settings of wireless LAN access point gateways.
- Opengatefwd.cgi runs and sends out the Refresh Request Page. The page is made from topindex.html by replacing keywords. The page is displayed for a while and then moves to the next page.
  - The Apache server returns no response.
    - Check the Apache server settings.
  - The Apache server sends back the default installation page.
    - Check DocumentRoot/index.html.var. The file should be formed to call opengatefwd.cgi.
    - Check httpd.conf. index.html.var should be set as the default index.
  - The Apache server sends back a File Not Found error.
    - Check that the file exists.
    - Check the ErrorDocument 404 setting in httpd.conf.
    - Check that the directories in the Apache configuration, opengatesrv.conf and the Makefile match.
  - The Apache server sends back an Internal error.
    - Some bug might have occurred. See opengate.log, httpd-error.log, and other logs.
    - If the Debug switch in opengatesrv.conf is 1, a lot of debug information is dumped to opengate.log.
  - The Apache server sends back topindex.html, but the keywords are not replaced.
    - Check opengatesrv.conf and the html file to make sure the keyword strings have not been modified.
    - When a line in the html file is too long, the keyword replacement might fail. Insert line breaks appropriately.
  - Others
    - If you skip the refresh page and access the auth page directly, the cgi cannot run normally.
    - The first access should be to an external site, mediated by the Opengate server.
    - Direct access to the Opengate server is not recommended.
- Opengateauth.cgi runs. It sends out the Auth Request Page. The page is made from index.html by replacing keywords.
  - The refresh page does not move to the auth page.
    - Check the page source. If the keyword replacement failed, see the description above.
    - This page is accessed over SSL. If the page is displayed when the refresh URL in topindex.html is changed to non-SSL, check the Apache SSL settings.
  - Apache sends back an Internal error or File Not Found error.
    - See the description above.
- When the correct user ID and password are sent, opengatesrv.cgi runs and sends back the Accept Page. The page is made from accept.html (or accept-ssl.html) by replacing keywords.
  - The Apache server sends back the Deny Page.
    - Check the AuthServer setting in opengatesrv.conf. To isolate problems with the auth servers, first run Opengate with AuthServer/Protocol set to 'accept'. This setting means that all users are accepted without accessing an auth server.
    - Check the AuthServer setting in opengatesrv.conf.
    - Check the behavior of the auth server independently of Opengate.
    - Be aware that ExtraSet in opengatesrv.conf overrides the default setting.
  - The Apache server sends back the EndWebAndRetry Page.
    - Opengate denies an overlapping request from a client that is already open.
    - For a no-JavaScript client, Opengate cannot close the network immediately when the browser is closed. The network stays open for the client for a while.
  - Apache sends back an Internal error or File Not Found error.
- On the accept page, a yellow bar is displayed. The user ID and a start message are displayed in the bar.
  - The yellow bar is not displayed.
    - In no-JavaScript mode, the network is open for a while. Closing occurs when (a) the specified duration has passed, (b) the terminate link is clicked, (c) the correspondence between IP address and MAC address changes, or (d) no packet passes during a specific length of time.
- Another window for the Start Page is displayed.
  - The other window does not pop up.
    - If JavaScript is disabled, the window does not pop up.
    - If the browser does not permit popups, the window does not pop up.
    - To cope with these clients, the start page link is provided. The other window is provided to preserve the window that runs JavaScript.
- From this moment until the browser is closed, communication with various protocols is allowed.
  - Communication is not allowed.
    - Check the allow rules using 'ipfw list'. The ipfw command should be run by the root user. Check the S bit of opengatesrv.cgi.
    - Do not close the browser. When the browser is closed, the network is closed.
  - Communication is permitted for a while, but not after some time.
    - For no-JavaScript mode, see the description above.
    - When JavaScript runs, the network is closed under the following conditions: (a) JavaScript is terminated (including browser or OS termination), (b) JavaScript returns no reply to hello.
- The message in the yellow bar changes every few minutes.
  - The message does not change.
    - This means the Hello exchange has failed.
- When the browser is terminated and restarted, authentication is requested again.
  - Authentication is not requested and the external page that was accessed is displayed.
    - When JavaScript is not active, closing the network is delayed for a while.
    - The deletion of the allow rule in ipfw might be skipped when the opengate process terminates abnormally. A script is provided in the tools directory to cope with this.
    - On some OSes, the close button might only leave the browser resident in the background.
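One way to spot allow rules left behind after an abnormal termination, as described above (an added example, not the script from the Opengate tools directory). It assumes per-client rules appear in 'ipfw list' as `allow ip from <client> to any` and that you supply the IP addresses of clients with a live opengate process, one per line; the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not Opengate's own cleanup script.
# Assumption: a per-client rule looks like "NNNNN allow ip from A.B.C.D to any".

# Print the IPv4 source address of every per-host allow rule in an
# 'ipfw list' dump ($1). Rules whose source is "any" or "me" are skipped.
allow_rule_ips() {
    awk '$2 == "allow" && $4 == "from" &&
         $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5 }' "$1" | sort -u
}

# Print addresses that have an allow rule ($1: rules dump) but no live
# session ($2: one active client IP per line). Such an address stays open
# for whoever holds it until the rule is deleted.
stale_allow_ips() {
    allow_rule_ips "$1" | while read -r ip; do
        grep -qxF "$ip" "$2" || echo "$ip"
    done
}

# Constructed sample: 192.168.0.23 lost its opengate process, its rules remain.
sample_stale() {
    dir=$(mktemp -d)
    cat > "$dir/rules" <<'EOF'
00100 allow ip from any to any via lo0
10000 allow ip from 192.168.0.10 to any
10000 allow ip from any to 192.168.0.10
10001 allow ip from 192.168.0.23 to any
10001 allow ip from any to 192.168.0.23
60000 fwd 127.0.0.1,80 tcp from any to any dst-port 80
65535 deny ip from any to any
EOF
    echo 192.168.0.10 > "$dir/active"
    stale_allow_ips "$dir/rules" "$dir/active"
    rm -rf "$dir"
}
```

On the gateway, save the output of 'ipfw list' (run as root) to a file and pass it as the first argument of `stale_allow_ips`.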