[squid-users] PHP: failed to open stream: Cannot connect to HTTPS server through proxy
chiasa.men
chiasa.men at web.de
Sat Mar 10 13:32:40 UTC 2018
I tried to install a Joomla plugin from behind Squid. It didn't work. I could
reproduce the error using the following PHP script:
> <?php $proxy = 'proxy.example'; $port = 3128; // placeholders: the posted script did not set $proxy/$port; use your Squid host and port
> $url = "https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip";
> $ctx = stream_context_create(['http' => ['proxy' => "tcp://$proxy:$port"],   // send the request via the proxy (CONNECT for https)
>                               'ssl'  => ['capture_session_meta' => TRUE]]);  // keep TLS session metadata on the context
> $html = file_get_contents($url, FALSE, $ctx);                                // line 5: where the warnings below are raised
> $meta = stream_context_get_options($ctx)['ssl']['session_meta'];
> var_dump($meta);
> ?>
Results in:
> PHP Warning: file_get_contents(): Peer certificate CN=`*.s3-us-west-2.amazonaws.com' did not match expected CN=`downloads.joomla.org' in /tmp/test.php on line 5
> PHP Warning: file_get_contents(https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip): failed to open stream: Cannot connect to HTTPS server through proxy in /tmp/test.php on line 5
For $url="https://cdn.joomla.org/images/Joomla_logo.png" it works.
Squid produces the following log:
2018/03/10 13:19:48.252 kid1| 5,2| TcpAcceptor.cc(226) doAccept: New connection on FD 17
2018/03/10 13:19:48.252 kid1| 5,2| TcpAcceptor.cc(317) acceptNext: connection on local=localhost:localport remote=[::] FD 17 flags=9
2018/03/10 13:19:48.252 kid1| 17,2| QosConfig.cc(126) getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1) (1) Operation not permitted (Destination localhost:localport, source localhost:47200)
2018/03/10 13:19:48.252 kid1| 11,2| client_side.cc(1329) parseHttpRequest: HTTP Client local=localhost:localport remote=localhost:47200 FD 18 flags=1
2018/03/10 13:19:48.252 kid1| 11,2| client_side.cc(1333) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT downloads.joomla.org:443 HTTP/1.0
----------
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(755) clientAccessCheckDone: The request CONNECT downloads.joomla.org:443 is ALLOWED; last ACL checked: all
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(731) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(755) clientAccessCheckDone: The request CONNECT downloads.joomla.org:443 is ALLOWED; last ACL checked: all
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths: Find IP destination for: downloads.joomla.org:443' via downloads.joomla.org
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths: Found sources for 'downloads.joomla.org:443'
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths: always_direct = DENIED
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(305) peerSelectDnsPaths: never_direct = DENIED
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(309) peerSelectDnsPaths: DIRECT = local=0.0.0.0 remote=72.29.124.146:443 flags=1
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(318) peerSelectDnsPaths: timedout = 0
2018/03/10 13:19:48.925 kid1| 33,2| client_side.cc(585) swanSong: local=localhost:localport remote=localhost:47200 flags=1
==> /var/log/squid/access.log <==
localhost - - [10/Mar/2018:13:19:48 +0000] "CONNECT downloads.joomla.org:443 HTTP/1.0" 200 5843 "-" "-" TCP_TUNNEL:HIER_DIRECT [] []
==> /var/log/squid/cache.log <==
2018/03/10 13:19:48.927 kid1| 5,2| TcpAcceptor.cc(226) doAccept: New connection on FD 17
2018/03/10 13:19:48.928 kid1| 5,2| TcpAcceptor.cc(317) acceptNext: connection on local=localhost:localport remote=[::] FD 17 flags=9
2018/03/10 13:19:48.928 kid1| 17,2| QosConfig.cc(126) getNfmarkFromConnection: QOS: Failed to retrieve connection mark: (-1) (1) Operation not permitted (Destination localhost:localport, source localhost:47206)
2018/03/10 13:19:48.972 kid1| 11,2| client_side.cc(1329) parseHttpRequest: HTTP Client local=localhost:localport remote=localhost:47206 FD 18 flags=1
2018/03/10 13:19:48.972 kid1| 11,2| client_side.cc(1333) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT s3-us-west-2.amazonaws.com:443 HTTP/1.0
----------
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(755) clientAccessCheckDone: The request CONNECT s3-us-west-2.amazonaws.com:443 is ALLOWED; last ACL checked: all
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(731) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(755) clientAccessCheckDone: The request CONNECT s3-us-west-2.amazonaws.com:443 is ALLOWED; last ACL checked: all
2018/03/10 13:19:48.973 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths: Find IP destination for: s3-us-west-2.amazonaws.com:443' via s3-us-west-2.amazonaws.com
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths: Found sources for 's3-us-west-2.amazonaws.com:443'
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths: always_direct = DENIED
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(305) peerSelectDnsPaths: never_direct = DENIED
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(309) peerSelectDnsPaths: DIRECT = local=0.0.0.0 remote=52.218.192.176:443 flags=1
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(318) peerSelectDnsPaths: timedout = 0
2018/03/10 13:19:49.618 kid1| 33,2| client_side.cc(585) swanSong: local=localhost:localport remote=localhost:47206 flags=1
==> /var/log/squid/cache.log <==
2018/03/10 13:19:49.619 kid1| ctx: enter level 0: 'https://example.com/tmp/test.php'
2018/03/10 13:19:49.619 kid1| 11,2| http.cc(720) processReplyHeader: HTTP Server local=intProxIp:35486 remote=intWebIp:443 FD 12 flags=1
2018/03/10 13:19:49.620 kid1| 11,2| http.cc(724) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2018 13:19:48 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 196
Keep-Alive: timeout=360, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
----------
==> /var/log/squid/access.log <==
localhost - - [10/Mar/2018:13:19:49 +0000] "CONNECT s3-us-west-2.amazonaws.com:443 HTTP/1.0" 200 3237 "-" "-" TCP_TUNNEL:HIER_DIRECT [] []
==> /var/log/squid/cache.log <==
2018/03/10 13:19:49.620 kid1| ctx: exit level 0
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.620 kid1| 88,2| client_side_reply.cc(2083) processReplyAccessResult: The reply for GET https://example.com/tmp/test.php is ALLOWED, because it matched all
2018/03/10 13:19:49.620 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=intProxIp:3128 remote=requestingIp:50115 FD 10 flags=1
2018/03/10 13:19:49.620 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2018 13:19:48 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 196
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from www.example.com
X-Cache-Lookup: MISS from www.example.com:3129
Via: 1.1 www.example.com (squid)
Connection: keep-alive
----------
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable: StoreEntry::checkCachable: NO: not cachable
With wget, it works perfectly. Is that a PHP problem or Squid-related?
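The Squid log above shows two tunnels in sequence, first CONNECT downloads.joomla.org:443 and then CONNECT s3-us-west-2.amazonaws.com:443, and the PHP warning says the S3 certificate was checked against downloads.joomla.org. That pattern is what you get when the http wrapper follows a redirect through the proxy while the one stream context still carries the peer_name it set up for the first hop; this is my reading of the symptoms, not something the post itself establishes. The script below is an added example, not code from the post, from Squid or from PHP: it follows redirects itself, one hop at a time, and gives every hop a fresh context with ssl.peer_name pinned to that hop's host, so certificate and hostname verification stay switched on. Assumptions of mine: the proxy comes from PROXY_HOST/PROXY_PORT environment variables (defaulting to 127.0.0.1:3128), PHP 7 or later for the type declarations, and the function names fetch_via_proxy/resolve_location are invented for this example.

```php
<?php
// Added example (not from the original post, Squid or PHP): fetch an HTTPS URL
// through an HTTP proxy (CONNECT), following redirects one hop at a time so that
// every hop gets its own stream context with ssl.peer_name set to that hop's host.
// Assumptions: proxy from PROXY_HOST/PROXY_PORT env vars; PHP 7 or later.

function resolve_location(string $base, string $location): string
{
    $b = parse_url($base);
    if (parse_url($location, PHP_URL_SCHEME) !== null) {
        return $location;                                   // already absolute
    }
    if (substr($location, 0, 2) === '//') {
        return $b['scheme'] . ':' . $location;              // protocol-relative
    }
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    if ($location[0] === '/') {
        return $origin . $location;                         // absolute path, same origin
    }
    $dir = isset($b['path']) ? rtrim(dirname($b['path']), '/') : '';
    return $origin . $dir . '/' . $location;                // relative path
}

function fetch_via_proxy(string $url, string $proxyUrl, int $maxRedirects = 5): array
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['host'])) {
            throw new RuntimeException("cannot parse host from $url");
        }
        if (($parts['scheme'] ?? '') !== 'https') {
            // Refuse a downgrade: a redirect to plain http would hand the download to the proxy in clear.
            throw new RuntimeException("refusing non-https hop: $url");
        }
        $host = $parts['host'];

        // Fresh context per hop. The wrapper fills in ssl.peer_name itself only when the
        // context has none; setting it explicitly keeps an earlier hop's value from
        // being reused for this one and makes the expected name visible in the code.
        $ctx = stream_context_create([
            'http' => [
                'proxy'           => $proxyUrl,   // e.g. tcp://127.0.0.1:3128; https URLs go through CONNECT
                'follow_location' => 0,           // redirects are handled below, not by the wrapper
                'ignore_errors'   => true,        // still get headers and body on 3xx/4xx
                'timeout'         => 30,
            ],
            'ssl' => [
                'verify_peer'      => true,
                'verify_peer_name' => true,
                'peer_name'        => $host,      // this hop's host, not the first hop's
                'SNI_enabled'      => true,
            ],
        ]);

        $body = @file_get_contents($url, false, $ctx);
        if ($body === false) {
            $err = error_get_last();
            throw new RuntimeException("fetch failed for $url: " . ($err['message'] ?? 'unknown error'));
        }

        // $http_response_header is populated in this scope by the http wrapper.
        $status = 0;
        $location = null;
        foreach ($http_response_header as $line) {
            if (preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $line, $m)) {
                $status = (int) $m[1];
            } elseif (stripos($line, 'Location:') === 0) {
                $location = trim(substr($line, strlen('Location:')));
            }
        }

        if ($status >= 300 && $status < 400 && $location !== null && $location !== '') {
            $url = resolve_location($url, $location);
            continue;                                        // next hop, new context
        }
        return ['status' => $status, 'url' => $url, 'body' => $body];
    }
    throw new RuntimeException("more than $maxRedirects redirects");
}

if (PHP_SAPI === 'cli') {
    $proxyUrl = sprintf('tcp://%s:%s', getenv('PROXY_HOST') ?: '127.0.0.1', getenv('PROXY_PORT') ?: '3128');
    $url = 'https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip';
    $r = fetch_via_proxy($url, $proxyUrl);
    printf("HTTP %d from %s, %d bytes\n", $r['status'], $r['url'], strlen($r['body']));
}
```

Run it as `PROXY_HOST=proxy.example PROXY_PORT=3128 php fetch.php`; if the redirect explanation holds, the final URL printed is on the S3 host and no CN warning appears, while the Squid access.log still shows one TCP_TUNNEL line per hop. The tempting one-line fix, `'verify_peer_name' => false` (or `verify_peer` off), makes the warning go away too, but it removes the only check that ties the tunnel to the host you asked for: anything on the path, the proxy included, could then serve a different archive. Keep both verify options on and fix the peer name per hop instead.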
More information about the squid-users mailing list