You are not logged in.

#1 2020-09-30 14:16:45

bjo
Member
Registered: 2011-09-10
Posts: 70

connection issues to cyberport.de

Hi,

I'm getting a strange issue while trying to visit cyberport.de. Firefox / Chromium tell me while connecting via https and after some hanging:

Access Denied
You don't have permission to access "http://www.cyberport.de/" on this server.

Reference #18.8f5e6cc1.1601474712.26472bca

First, I thought it's related to my WAN IP, so I did a reconnect - no change, same issue with different IP. When I use a Wireguard VPN to my server and visit the site with the same browsers: no issue, works fine. When I use the Ubuntu 20.04 Thinkpad used for work with Firefox/Ubuntu and with the same WAN connection as my other boxes: no issue.
And when I run "wget -O - https://www.cyberport.de"- no issue, but it does not load any js/css stuff which a browser would do. Also tried to use Midori, just hangs while getting "too big TCP headers" according to tcpdump. Switching to LTS kernel also did not help, I thought maybe something changed within the network stack which does not occur on Ubuntu.

tl;dr:
Using Firefox/Chromium on Arch fails to load https://www.cyberport.de, while on Ubuntu the site works using the same connection. Using Firefox/Chromium on Arch works when using a VPN.

Last edited by bjo (2020-09-30 14:17:29)

Offline

#2 2020-09-30 17:03:39

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

The error doesn't reference https, can you

openssl s_client -connect 184.24.22.165:443
links cyberport.de # console browser

Though it's weird that wget & VPN works.

timedatectl
ip a

Offline

#3 2020-09-30 17:21:15

2ion
Member
Registered: 2013-04-19
Posts: 105

Re: connection issues to cyberport.de

Change the user agent of the GUI browsers (if that's possible) or set the User-Agent header in wget to an Arch browser user agent and try again. If the server returns 403 it's the servers decision. You're looking for the factor that makes it do that. Perhaps also  try again on the same Arch box: install google-chrome, the real thing, from the AUR and see if the behaviour changes... Just hope the difference is not in HTTP2 handling or whatnot.

If you're testing, a complete request log (HAR archive) would probably help seeing what can be seen. Perhaps if there's something funky on the client side, FF/C might also print stuff to the console.

Last edited by 2ion (2020-09-30 17:22:38)

Offline

#4 2020-09-30 17:24:25

2ion
Member
Registered: 2013-04-19
Posts: 105

Re: connection issues to cyberport.de

Change the user agent of the GUI browsers (if that's possible) or set the User-Agent header in wget to an Arch browser user agent and try again. If the server returns 403 it's the servers decision. You're looking for the factor that makes it do that. Perhaps also  try again on the same Arch box: install google-chrome, the real thing, from the AUR and see if the behaviour changes... Just hope the difference is not in HTTP2 handling or whatnot.

If you're testing, a complete request log (HAR archive) would probably help seeing what can be seen. Perhaps if there's something funky on the client side, FF/C might also print stuff to the console.

BTW the domain resolves to an Akamai IP. If you would like, you could contact akamai with that reference and maybe they'll tell you the reason. CDNs have interesting heuristics sometimes.

Offline

#5 2020-09-30 17:43:49

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

openssl_client (not the whole output):

openssl s_client -connect 184.24.22.165:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, O = DigiCert Inc, OU = [url=http://www.digicert.com]www.digicert.com[/url], CN = DigiCert Secure Site ECC CA-1
verify return:1
depth=0 C = DE, ST = Sachsen, L = Dresden, O = Cyberport GmbH, CN = *.cyberport.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Sachsen, L = Dresden, O = Cyberport GmbH, CN = *.cyberport.de
   i:C = US, O = DigiCert Inc, OU = [url=http://www.digicert.com]www.digicert.com[/url], CN = DigiCert Secure Site ECC CA-1
 1 s:C = US, O = DigiCert Inc, OU = [url=http://www.digicert.com]www.digicert.com[/url], CN = DigiCert Secure Site ECC CA-1
   i:C = US, O = DigiCert Inc, OU = [url=http://www.digicert.com]www.digicert.com[/url], CN = DigiCert Global Root CA

links also works. timedatectl shows Local time: Mi 2020-09-30 19:32:55 CEST

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 54:e1:ad:b9:10:c6 brd ff:ff:ff:ff:ff:ff
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 58:00:e3:da:e4:7f brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.25/24 brd 192.168.20.255 scope global dynamic noprefixroute wlp3s0
       valid_lft 863770sec preferred_lft 863770sec
    inet6 2a0f:5707:aaa0:20:f58a:d28d:402e:cea8/64 scope global dynamic noprefixroute 
       valid_lft 6972sec preferred_lft 3372sec
    inet6 fe80::8b10:4a1d:bf10:8a9e/64 scope link noprefixroute 
       valid_lft forever preferred_lft foreve

So nothing special, no involvement of IPv6 for the site as it is IPv4 only, a FritzBox is natting the private IP to one from 85.212.0.0/15 from my ISP.

But the error message saying "http://cyberport.de" is also irritating me. Connecting via wget and http gives a 301 redirecting to https.


BTW, the issue appears on 2 Arch boxes here, one laptop and one desktop. The desktop has also no issue connecting to the site on Win10.

So, let's try to figure out what can't be the issue:
* the connection in general, Win10 and Ubuntu 20.04 with Firefox has no issue
* specific Firefox profile on both Arch boxes, as it appears also with Chromium
* specific network issue of one box

Last edited by bjo (2020-09-30 18:05:45)

Offline

#6 2020-09-30 17:59:45

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

Please use code tags, not quote tags and replace the image w/ a thumbnail/link  (200x200px maximum)

I was more concerned about an MTU relates SSL/TLS failure, but that's not it (openssl works and the MTU is default)

Maybe some adblocker/privacy extension? Does it work in the por… privacy or safe mode? (Ie. w/o custom extensions)

The access address is usually a remote local path, bt oc. the remote 403 page could just be that.
What happens if you try eg. https://www.cyberport.de/notebook-und-tablet.html ?

Offline

#7 2020-09-30 18:31:04

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

@seth:
Sorry for using the wrong tags, I've edited the post.
Even in private mode the issue appears and the chromium instance used for testing is completely clean. The working FF on Ubuntu even uses the same extensions as the nonworking on Arch.
https://www.cyberport.de/notebook-und-tablet.html gives

You don't have permission to access "http://www.cyberport.de/notebook-und-tablet.html" on this server.

@2ion:
I already contacted somebody at Akamai and they are looking into it. I've tried now with google-chrome from AUR and even the HTTP connection hangs:
https://cloud.schafweide.org/s/JQ6Ykf4XFiQREW5
It seems we don't even get to the HTTPS connection.

Offline

#8 2020-09-30 18:44:45

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

This is actually 408, timeout.
Can you try the wired NIC?

Offline

#9 2020-10-04 11:31:15

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

Sure, sorry for the late reply: https://cloud.schafweide.org/s/ARyJzLJdpd6aqxd

Offline

#10 2020-10-04 14:00:29

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

There's no hhtp error in that log - did it work on the wired connection?
If yes, it's tiem to inspect the WiFi NIC (hardware, driver, firmware, options - and maybe the AP config, connection stability in the logs, … stuff like that)

Offline

#11 2020-10-04 19:27:44

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

Nope, http just hung and after some time https produced the same error. Had to use a VPN now to create an order.

Offline

#12 2020-10-04 19:36:38

frostschutz
Member
Registered: 2013-11-15
Posts: 988

Re: connection issues to cyberport.de

I have the same issue. But you have to ask cyberport.de what their problem is...

Offline

#13 2020-10-04 19:52:42

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

Since it's akamai, does cyberport.de resolve to cyberport.de 184.24.22.165 or a different IP?
What if you direct it to that IP in your /etc/hosts?

OP ISP is ecotel, do you use the same ISP?
(I've no issues whatsoever to resolve and access the domain and we're all in Germany…)

Offline

#14 2020-10-04 20:10:04

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

frostschutz wrote:

I have the same issue. But you have to ask cyberport.de what their problem is...

I asked them and they suspected a ddos from the IP. But changing the IP (from within ISPs pool) did not help.

Offline

#15 2020-10-04 20:22:15

seth
Member
Registered: 2012-09-03
Posts: 16,575

Re: connection issues to cyberport.de

When I use the Ubuntu 20.04 Thinkpad used for work with Firefox/Ubuntu and with the same WAN connection as my other boxes: no issue.

Same WAN IP, right? It'd also be 4 days of continued (D)DOS…

Can you try a VM from inside an arch host?

Offline

#16 2020-10-04 21:23:54

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

seth wrote:

Same WAN IP, right? It'd also be 4 days of continued (D)DOS…

Can you try a VM from inside an arch host?

Yep, same WAN IP.
WinXP VirtualBox VM with Firefox running on the same laptop which has the issues: no problem.

Offline

#17 2020-10-04 21:35:51

frostschutz
Member
Registered: 2013-11-15
Posts: 988

Re: connection issues to cyberport.de

seth wrote:

Since it's akamai, does cyberport.de resolve to cyberport.de 184.24.22.165 or a different IP?
What if you direct it to that IP in your /etc/hosts?

OP ISP is ecotel, do you use the same ISP?
(I've no issues whatsoever to resolve and access the domain and we're all in Germany…)

Yes, same IP and ISP...

I can reproduce it with Chromium browser in a Ubuntu 20.04 VM as well. Firefox browser inside the VM works.

It's difficult to tell what conditions the use exactly to deny access. Maybe just IP and User Agent, maybe something else.

But... in any case. This should not be related to ArchLinux... the browser works fine, the other end is refusing to cooperate.

Offline

#18 2020-10-04 22:25:34

bjo
Member
Registered: 2011-09-10
Posts: 70

Re: connection issues to cyberport.de

So you experience it with Firefox on Arch, but not with Firefox on Ubuntu?

Edit:

wget -U "Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0" -O - https://www.cyberport.de

hangs.

wget -U "Mozilla/5.0 (X11; Ubuntu; rv:81.0) Gecko/20100101 Firefox/81.0" -O - https://www.cyberport.de  

works.

Last edited by bjo (2020-10-05 09:39:16)

Offline

Board footer

Powered by FluxBB