[squid-users] missing response body with https requests

Alex Rousskov rousskov at measurement-factory.com
Thu Dec 9 14:51:56 UTC 2021


On 12/9/21 8:18 AM, Mateusz Łoś wrote:

> While connecting to https site through parent proxy we can see 407
> response with Content-Length header but with empty body content which
> causes applications to fail as they are trying to read that body

Squid does not yet have the code to support multi-step HTTP CONNECT
authentication with parent proxies. Your options for going forward may
include:

A1) Adjust the parent proxy configuration so that it does not respond
with HTTP 407 Proxy Authentication Required responses to the child
CONNECT requests.

A2) Adjust the child proxy configuration so that the parent proxy does
not respond with HTTP 407 Proxy Authentication Required responses to the
child.

B) Adjust the child proxy configuration so that it goes direct (rather
than through the parent proxy) when tunneling TLS connections.

C) Add proper support for multi-step HTTP CONNECT authentication to
Squid. It is a difficult/serious project that would require significant
code refactoring, but it can (and should) be done:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

Options A1 and A2 may need to be combined for the desired effect.

I do not know enough about your environment to say which of the above
options are viable/applicable, and cannot recommend specific
configuration adjustments (but others on this list may be able to help
with that).


HTH,

Alex.

P.S. Squid also does not have the code to read (large) CONNECT error
response bodies, but that is not the root cause of your problems. Even
if Squid could read the entire HTTP 407 response body in this case, it
would not help.


> lHttpAsyncClient [exchange: 71] connection aborted||The problematic lines are:|...|Consume content|-1 bytes read
> 
> with squid 5 I can see missing body in logs
> 
> 2021/10/26 07:17:32.684 kid1| 11,2| src/clients/HttpTunneler.cc(324) handleResponse: Tunnel Server RESPONSE:
> ---------
> <HTML><HEAD>
> 
> <TITLE>Access Denied</TITLE>
> 
> <STYLE TYPE="text/css">
> 
> 	TABLE.DETAILS TD{
> 
> 	  font-family: Helvetica;
> 
> 	  font-size: 9pt;
> 
> 	}
> 
> </STYLE>
> 
> </HEAD>
> 
> <BODY>
> 
> <FONT face="Helvetica">
> 
> <big><strong></strong></big><BR>
> 
> </FON----------
> 2021/10/26 07:17:32.684 kid1| TCP connection to <parent_proxy_ip>/8080
> failed
>     current master transaction: master95
> 2021/10/26 07:17:32.684 kid1| Detected DEAD Parent: <parent_proxy_ip>
>     current master transaction: master95
> 
> Parent proxy configuration:
> cache_peer myparentproxy_ipaddress parent 8080 0 no-query no-digest
> no-netdb-exchange login=PASSTHRU
> 
> While connecting through parent proxy directly there is no issue and
> response can be parsed properly.
> 
> I was unable to find configuration options to change this; while
> connecting to an http site there is no such issue and the body is sent
> properly with the 407 answer.
> 
> root at testvm:~# curl -x 192.168.3.19:3128 https://webhook.site -Lv
> *   Trying 192.168.3.19:3128...
> * TCP_NODELAY set
> * Connected to 192.168.3.19 (192.168.3.19) port 3128 (#0)
> * allocate connect buffer!
> * Establish HTTP proxy tunnel to webhook.site:443
>> CONNECT webhook.site:443 HTTP/1.1
>> Host: webhook.site:443
>> User-Agent: curl/7.68.0
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 407 Proxy Authentication Required
> < Proxy-Authenticate: BASIC realm="LDAP"
> < Cache-Control: no-cache
> < Pragma: no-cache
> < X-XSS-Protection: 1
> < Content-Type: text/html; charset=utf-8
> < Proxy-Connection: close
> < Connection: close
> < Content-Length: 1590
> <
> * Ignore 1590 bytes of response-body
> * Proxy CONNECT connection closed
> * Closing connection 9
> * Hostname 192.168.3.19 was found in DNS cache
> *   Trying 192.168.3.19:3128...
> * TCP_NODELAY set
> * Connected to 192.168.3.19 (192.168.3.19) port 3128 (#10)
> * allocate connect buffer!
> * Establish HTTP proxy tunnel to webhook.site:443
>> CONNECT webhook.site:443 HTTP/1.1
>> Host: webhook.site:443
>> User-Agent: curl/7.68.0
>> Proxy-Connection: Keep-Alive
>>
> < HTTP/1.1 500 Internal Server Error
> < Server: squid/5.2-VCS
> < Mime-Version: 1.0
> < Date: Tue, 26 Oct 2021 07:17:32 GMT
> < Content-Type: text/html;charset=utf-8
> < Content-Length: 3814
> < X-Squid-Error: ERR_CANNOT_FORWARD 0
> < Content-Language: en
> <
> * Received HTTP code 500 from proxy after CONNECT
> * CONNECT phase completed!
> * Closing connection 10
> curl: (56) Received HTTP code 500 from proxy after CONNECT
> 
> root at testvm:~# curl -x 192.168.3.19:3128 http://webhook.site -Lv
> *   Trying 192.168.3.19:3128...
> * TCP_NODELAY set
> * Connected to 192.168.3.19 (192.168.3.19) port 3128 (#0)
>> GET http://webhook.site/ HTTP/1.1
>> Host: webhook.site
>> User-Agent: curl/7.68.0
>> Accept: */*
>> Proxy-Connection: Keep-Alive
>>
> * Mark bundle as not supporting multiuse
> < HTTP/1.1 407 Proxy Authentication Required
> < Proxy-Authenticate: BASIC realm="LDAP"
> < Cache-Control: no-cache
> < Pragma: no-cache
> < X-XSS-Protection: 1
> < Content-Type: text/html; charset=utf-8
> < Set-Cookie: BCSI-CS-53409a6e5b6816df=2; Path=/
> < Content-Length: 1582
> < Date: Tue, 26 Oct 2021 07:17:01 GMT
> < X-Cache: MISS from testvm
> < Via: 1.1 testvm (squid/5.2-VCS)
> < Connection: keep-alive
> <
> <HTML><HEAD>
> 
> <TITLE>Access Denied</TITLE>
> 
> <STYLE TYPE="text/css">
> 
> 
> 
> 
> Is there anything that can be done on configuration level to make it work?
> 
> 
> Regards,
> Mateusz
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 
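One concrete form of options A2 and B from the reply above, as an added example that is neither part of Alex's message nor taken from Squid's documentation: the reported cache_peer line, followed by the two child-side alternatives. The peer address, CHILD_USER and CHILD_PASSWORD are placeholders, and the example assumes the child host may reach port 443 directly for option B.

```conf
# Reported configuration: login=PASSTHRU forwards the client's own
# Proxy-Authorization header to the parent, so the parent challenges the
# child's CONNECT with 407, and Squid 5 cannot complete that multi-step
# authentication for a tunnel (the body of the 407 is never relayed).
cache_peer myparentproxy_ipaddress parent 8080 0 no-query no-digest no-netdb-exchange login=PASSTHRU

# Option A2: the child authenticates to the parent with its own credentials,
# so the parent has no reason to answer CONNECT with 407.
# Caveats: the parent then sees one identity for all users, so per-user
# access control and accountability must be enforced on the child (its own
# proxy_auth ACLs); the Basic credentials travel in clear text unless the
# peer link itself is TLS; restrict read access to squid.conf accordingly.
# CHILD_USER and CHILD_PASSWORD are placeholders.
cache_peer myparentproxy_ipaddress parent 8080 0 no-query no-digest no-netdb-exchange login=CHILD_USER:CHILD_PASSWORD

# Option B: tunnel TLS (CONNECT) directly instead of through the parent,
# keeping the parent for plain HTTP, where the 407 exchange already works.
# always_direct takes precedence over never_direct.
acl CONNECT method CONNECT
always_direct allow CONNECT
never_direct allow all
```

Choose one of the two alternatives, not both; the parent-side change (option A1) is outside the child's squid.conf.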


