EIO_Status CConnTest::GetFWConnections(string* reason)
{
SConnNetInfo* net_info = ConnNetInfo_Create(0, m_DebugPrintout);
if (net_info) {
const char* user_header;
net_info->req_method = eReqMethod_Post;
if (net_info->firewall) {
user_header = "NCBI-RELAY: FALSE";
m_Firewall = true;
} else
user_header = "NCBI-RELAY: TRUE";
if (net_info->stateless)
m_Stateless = true;
ConnNetInfo_OverrideUserHeader(net_info, user_header);
ConnNetInfo_SetupStandardArgs(net_info, 0/*w/o service*/);
}
string temp(m_Firewall ? "FIREWALL" : "RELAY (legacy)");
temp += " connection mode has been detected for stateful services\n";
if (m_Firewall) {
temp += "This mode requires your firewall to be configured in such a"
" way that it allows outbound connections to the port range ["
STRINGIFY(CONN_FWD_PORT_MIN) ".." STRINGIFY(CONN_FWD_PORT_MAX)
"] (inclusive) at the two fixed NCBI addresses, "
NCBI_FWD_BEMD " and " NCBI_FWD_STVA ".\n"
"To set that up correctly, please have your network administrator"
" read the following (if they have not already done so):"
" " NCBI_FWDOC_URL "\n";
} else {
temp += "This is an obsolescent mode that requires keeping a wide port"
" range [4444..4544] (inclusive) open to let through connections"
" to the entire NCBI site (130.14.xxx.xxx/165.112.xxx.xxx) -- this"
" mode was designed for unrestricted networks when firewall port"
" blocking had not been an issue\n";
}
if (m_Firewall) {
_ASSERT(net_info);
switch (net_info->firewall) {
case eFWMode_Adaptive:
temp += "Also, there are usually a few additional ports such as "
STRINGIFY(CONN_PORT_SSH) " and " STRINGIFY(CONN_PORT_HTTPS)
" at " NCBI_FWD_BEMD ", which can be used if connections to"
" the ports in the range described above, have failed\n";
break;
case eFWMode_Firewall:
temp += "Furthermore, your configuration explicitly forbids to use"
" any fallback firewall ports that may exist to improve"
" reliability of connection experience\n";
break;
case eFWMode_Fallback:
temp += "There are usually a few backup connection ports such as "
STRINGIFY(CONN_PORT_SSH) " and " STRINGIFY(CONN_PORT_HTTPS)
" at " NCBI_FWD_BEMD ", which can be used as a failover if"
" connections to the port range above fail. However, your "
" configuration explicitly requests that only those fallback"
" firewall ports (if any exist) are to be used for"
" connections: this also implies that no conventional ports"
" from the default range will be used\n";
break;
default:
temp += "Internal program error, please report!\n";
_ASSERT(0);
break;
}
} else {
temp += "This mode may not be reliable if your site has a restraining"
" firewall imposing a fine-grained control over which hosts and"
" ports the outbound connections are allowed to use\n";
}
if (m_HttpProxy) {
temp += "Connections to the aforementioned ports will be made via an"
" HTTP proxy at '";
temp += net_info->http_proxy_host;
temp += ':';
temp += NStr::UIntToString(net_info->http_proxy_port);
temp += "'";
if (net_info->http_proxy_leak) {
temp += ". If that is unsuccessful, a link bypassing the proxy"
" will then be attempted";
}
}
temp += '\n';
PreCheck(eFirewallConnPoints, 0/*main*/, temp);
PreCheck(eFirewallConnPoints, 1/*sub*/,
"Obtaining current NCBI " +
string(m_Firewall ? "firewall settings" : "service entries"));
EIO_Status status = x_GetFirewallConfiguration(net_info);
if (status == eIO_Interrupt)
temp = kCanceled;
else if (status == eIO_Success) {
if (!m_Fwd.empty()
|| (!m_FwdFB.empty()
&& m_Firewall && net_info->firewall == eFWMode_Fallback)) {
temp = "OK: ";
if (!m_Fwd.empty()) {
stable_sort(m_Fwd.begin(), m_Fwd.end());
temp += NStr::UInt8ToString(m_Fwd.size());
}
size_t down = 0;
if (!m_FwdFB.empty()) {
stable_sort(m_FwdFB.begin(), m_FwdFB.end());
if (!m_Fwd.empty())
temp += " + ";
temp += NStr::UInt8ToString(m_FwdFB.size());
ITERATE(vector<CConnTest::CFWConnPoint>, cp, m_FwdFB) {
if (cp->status != eIO_Success)
++down;
}
if (down)
temp += " - " + NStr::UInt8ToString(down);
}
temp +=
m_Fwd.size() + m_FwdFB.size() - down == 1 ? " port" : " ports";
} else {
EIO_Status CConnTest::GetFWConnections(string* reason)
{
SConnNetInfo* net_info = ConnNetInfo_Create(0);
if (net_info) {
const char* user_header;
net_info->req_method = eReqMethod_Post;
if (net_info->firewall) {
user_header = "NCBI-RELAY: FALSE";
m_Firewall = true;
} else
user_header = "NCBI-RELAY: TRUE";
if (net_info->stateless)
m_Stateless = true;
ConnNetInfo_OverrideUserHeader(net_info, user_header);
ConnNetInfo_SetupStandardArgs(net_info, 0/*w/o service*/);
}
string temp(m_Firewall ? "FIREWALL" : "RELAY (legacy)");
temp += " connection mode has been detected for stateful services\n";
if (m_Firewall) {
temp += "This mode requires your firewall to be configured in such a"
" way that it allows outbound connections to the port range ["
STRINGIFY(CONN_FWD_PORT_MIN) ".." STRINGIFY(CONN_FWD_PORT_MAX)
"] (inclusive) at the two fixed NCBI hosts, 130.14.29.112"
" and 165.112.7.12\n"
"To set that up correctly, please have your network administrator"
" read the following (if they have not already done so):"
" " NCBI_FW_URL "\n";
} else {
temp += "This is an obsolescent mode that requires keeping a wide port"
" range [4444..4544] (inclusive) open to let through connections"
" to any NCBI host (130.14.2x.xxx/165.112.xx.xxx) -- this mode was"
" designed for unrestricted networks when firewall port blocking"
" was not an issue\n";
}
if (m_Firewall) {
_ASSERT(net_info);
switch (net_info->firewall) {
case eFWMode_Adaptive:
temp += "There are also fallback connection ports such as 22 and"
" 443 at 130.14.29.112. They will be used if connections to"
" the ports in the range described above have failed\n";
break;
case eFWMode_Firewall:
temp += "Also, your configuration explicitly forbids to use any"
" fallback firewall ports that may exist to improve network"
" connectivity\n";
break;
case eFWMode_Fallback:
temp += "However, your configuration explicitly requests that only"
" fallback firewall ports (if any exist) are to be used for"
" connections: this also implies that no conventional ports"
" from the range above will be used\n";
break;
default:
temp += "Internal program error, please report!\n";
_ASSERT(0);
break;
}
} else {
temp += "This mode may not be reliable if your site has a restrictive"
" firewall imposing fine-grained control over which hosts and"
" ports the outbound connections are allowed to use\n";
}
if (m_HttpProxy) {
temp += "Connections to the aforementioned ports will be made via an"
" HTTP proxy at '";
temp += net_info->http_proxy_host;
temp += ':';
temp += NStr::UIntToString(net_info->http_proxy_port);
temp += "'";
if (net_info && net_info->http_proxy_leak) {
temp += ". If that is unsuccessful, a link bypassing the proxy"
" will then be attempted";
}
if (m_Firewall && *net_info->proxy_host)
temp += ". In addition, your";
}
if (m_Firewall && *net_info->proxy_host) {
if (!m_HttpProxy)
temp += "Your";
temp += " configuration specifies that instead of connecting directly"
" to NCBI addresses, a forwarding non-transparent proxy host '";
temp += net_info->proxy_host;
temp += "' should be used for all links";
if (m_HttpProxy)
temp += " (including those originating from the HTTP proxy)";
}
temp += '\n';
PreCheck(eFirewallConnPoints, 0/*main*/, temp);
PreCheck(eFirewallConnPoints, 1/*sub*/,
"Obtaining current NCBI " +
string(m_Firewall ? "firewall settings" : "service entries"));
EIO_Status status = x_GetFirewallConfiguration(net_info);
if (status == eIO_Interrupt)
temp = kCanceled;
else if (status == eIO_Success) {
if (!m_Fwd.empty()
|| (!m_FwdFB.empty()
&& m_Firewall && net_info->firewall == eFWMode_Fallback)) {
temp = "OK: ";
if (!m_Fwd.empty()) {
stable_sort(m_Fwd.begin(), m_Fwd.end());
temp += NStr::UInt8ToString(m_Fwd.size());
}
if (!m_FwdFB.empty()) {
stable_sort(m_FwdFB.begin(), m_FwdFB.end());
if (!m_Fwd.empty())
temp += " + ";
temp += NStr::UInt8ToString(m_FwdFB.size());
}
temp += m_Fwd.size() + m_FwdFB.size() == 1 ? " port" : " ports";
} else {
status = eIO_Unknown;
temp = "No connection ports found, please contact " + HELP_EMAIL;
}
} else if (status == eIO_Timeout) {
temp = x_TimeoutMsg();
if (m_Timeout > kTimeout)
temp += "You may want to contact " + HELP_EMAIL;
} else
temp = "Please contact " + HELP_EMAIL;
PostCheck(eFirewallConnPoints, 1/*sub*/, status, temp);
ConnNetInfo_Destroy(net_info);
if (status == eIO_Success) {
PreCheck(eFirewallConnPoints, 2/*sub*/,
"Verifying configuration for consistency");
bool firewall = true;
// Check primary ports only
ITERATE(vector<CConnTest::CFWConnPoint>, cp, m_Fwd) {
if (cp->port < CONN_FWD_PORT_MIN || CONN_FWD_PORT_MAX < cp->port)
firewall = false;
if (cp->status != eIO_Success) {
status = cp->status;
temp = CSocketAPI::HostPortToString(cp->host, cp->port);
temp += " is not operational, please contact " + HELP_EMAIL;
break;
}
}
if (status == eIO_Success) {
if (!m_Firewall && !m_FwdFB.empty()) {
status = eIO_Unknown;
temp = "Fallback ports found in non-firewall mode, please"
" contact " + HELP_EMAIL;
} else if (m_Firewall != firewall) {
status = eIO_Unknown;
temp = "Firewall ";
temp += firewall ? "wrongly" : "not";
temp += " acknowledged, please contact " + HELP_EMAIL;
} else
temp.resize(2);
}
PostCheck(eFirewallConnPoints, 2/*sub*/, status, temp);
}
