Can not connect to proxy from a different machine than is running the proxy

[Shawn McCarthy]

I start the proxy on an AWS EC2 instance:
./zap.sh -daemon -host localhost -port 8090 -config api.disablekey=true

Than I try to go to the url of that instance, port 8090, in a web browser and nothing comes up. When I start the ZAP locally (exact same command), I am able to hit localhost:8090 and I see the "Welcome to the OWASP Zed Attack Proxy (ZAP)" page. I was hoping to see something similar when I start it on a remote machine (like in AWS EC2).

I even tried doing a wget <public_ip>:8090 while ssh'd into the EC2 instance running ZAP and am unable to do so.

I know that the Security Group is set up correctly (all ports open for my specific IP address, and I am able to access Jenkins running on the same EC2 instance).

Any ideas?

Thank you.

[Michael Courcy]

Hi 

I guess you already tried it, but to be sure  : 

1. On the EC2 machine $> wget http://127.0.0.1:8090 (not the public IP)
   
2. On the EC2 netstat -uta | grep 8090
3. From your laptop $> telnet IP_EC2 8090
4. Are the logs looking fine ?

What do you get ?

 

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Michael Courcy

06 68 41 87 71

[Shawn McCarthy]

Hi Michael,

I took AWS EC2 out of the equation. I tried running ZAP locally, and can still only access it by localhost:8090 instead of my <public_ip_address>:8090 . When I start it using -host <public_ip_address> -port 8090 , I see this:
6444 [ZAP-daemon] ERROR org.parosproxy.paros.core.proxy.ProxyServer  - Failed to start the proxy server:
java.net.BindException: Can't assign requested address
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:382)
    at java.net.ServerSocket.bind(ServerSocket.java:375)
    at java.net.ServerSocket.<init>(ServerSocket.java:237)
    at org.parosproxy.paros.core.proxy.ProxyServer.createServerSocket(Unknown Source)
    at org.parosproxy.paros.core.proxy.ProxyServer.startServer(Unknown Source)
    at org.parosproxy.paros.control.Proxy.startServer(Unknown Source)
    at org.parosproxy.paros.control.Control.init(Unknown Source)
    at org.parosproxy.paros.control.Control.initSingletonWithoutView(Unknown Source)
    at org.zaproxy.zap.ZAP$2.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
An error occurred while starting the proxy:
Can't assign requested address

When I start it with -host localhost -port 8090 , it starts fine, but I can only access it via localhost:8090 , and not my public ip address.

For this test, I was using my own local machine.

Do I have to use a different parameter to be able to access it using my public ip?

Thanks!

[Michael Courcy]

It's why i ask you to "netstat -uta | grep 8090"  to check if a port on your public_ip_address is not already opened.

[Michael Courcy]

I mean an other process may already use this port on your public interface and not your loopback interface. 

[Shawn McCarthy]

Oh sorry. I ran that command locally, and it returned nothing. Should accessing the url by the public ip address work, if I start it with -host localhost -port 8090 ? Does the config.xml have anything to do with how I start it, if I use -host localhost -port 8090 ?

[Michael Courcy]

That's a good question I'm not completly sure but if you specify the host that could be a reason. 

Did you check if an other process is not using the ip_adress;8090 ? 

[Shawn McCarthy]

Yes I made sure there is nothing running locally on port 8090.

[kingthorin+owaspzap]

If ZAP is configured for 127.0.0.1 as the local proxy it only listens locally (loopback).

If you change the local proxy setting to 0.0.0.0 it will listen on all interfaces (including loopback). Or you can configure it to listen on a specific IP.

If you configure it for something other than loopback consider that others on the same subnet (or public network, or the internet) may have access to it and could use it maliciously against you or against others.

I just tested this with two windows machines with one running ZAP on 127.0.0.1:8080 a remote machine can't connect, with 0.0.0.0:8080 it can.

[Shawn McCarthy]

Thank you kingthorin+owaspzap ! That worked perfectly for me.

[Michael Courcy]

Yes kingthorin+owaspzap had the good answer ! I wonder now why public_ip_adress:8090 create an error on your EC2 ? 

--

You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[kingthorin+owaspzap]

If it was only bound to localhost or 127.0.0.1 then public_ip_adress:8090 would error because nothing was listening there :)

So switching to 0.0.0.0 makes it listen on all interfaces, the other alternative is specifying "public_ip_address" (or another applicable address assigned to one of your NICs) if you specifically don't want it listening locally or do want it only on a particular interface.

https://en.wikipedia.org/wiki/0.0.0.0
https://tools.ietf.org/html/rfc5735

[Michael Courcy]

Yes you're right but if I understood Shawn he was unable to start on public_ip_address:8090

""

When I start it using -host <public_ip_address> -port 8090 , I see this:
6444 [ZAP-daemon] ERROR org.parosproxy.paros.core.proxy.ProxyServer  - Failed to start the proxy server: 
java.net.BindException: Can't assign requested address
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.AbstractPlainSocketImpl.bind(AbstractPlainSocketImpl.java:382)

""

To say it shortly 

• ./zap.sh -daemon -host localhost -port 8090 -config api.disablekey=true work but unreachable from outside the machine 
  
• ./zap.sh -daemon -host  public_ip_address -port 8090 -config api.disablekey=true fail to start
  
• ./zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.disablekey=true work and is reachable, but security is weaker

--
You received this message because you are subscribed to the Google Groups "OWASP ZAP User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-user...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[AutomationGuy]

"Welcome to owasp screen is visible" but not able to proxy the same proxy URL  from firefox.

error is "We can’t connect to the server at www.google.com."

I am using a load balancer which is listening on 8080 and from 8080 i am forwarding request to zap listening on 8090.

[hauschu...@gmail.com]

Would you mind opening a new thread? It will be easier to keep track of that way, and easier to find the right answers when people google their way here!