Univention Bugzilla – Bug 35130
Using the App Center over a transparent UCS Squid proxy fails
Last modified: 2020-07-03 20:54:06 CEST
For the QA of Bug 35115 I also tried to use the Univention App Center over the transparent proxy setup as provided by UCS: When opening the App Center, the retrieval of the apps fails and a 502 status code is displayed.

Dirk debugged the problem and it turned out that it failed due to downloading files over the proxy using HTTPS, e.g.:

https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png: <urlopen error _ssl.c:475: The handshake operation timed out>

If repository/app_center/server is set to http://appcenter.software-univention.de the App Center can be used again.

HTTPS over a proxy is a tricky beast: HTTPS is designed to avoid the kind of "man in the middle" a proxy strives to implement. Squid implements a feature called "ssl bump" which requires the configuration of the SSL certs used for the HTTPS connection.
http://wiki.squid-cache.org/Features/SslBump

SSL bump is enabled in Squid since UCS 3.0-1. But it's not part of the UCR templates and only intended for special setups.

There are several angles to look at this bug:

- The iptables snippet from univention-squid (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS) traffic to the squid port, although SSL bump is not configured by default. This is rather a bug in univention-squid, which I'll file against it independently of this bug.

- But since there might be other proxies (esp. appliances) which are using HTTPS there's the possibility to initiate an HTTP CONNECT tunnel:
http://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_tunneling_without_using_CONNECT
http://wiki.squid-cache.org/Features/HTTPS#CONNECT_tunnel
That would need to be implemented in the App Center.

- Another possibility would be to fall back to the HTTP connection in case the HTTPS connection fails (I guess there should at least be a note to the user, though)
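Added example (not code from the App Center, univention-squid or the bug's own attachments) showing two of the angles named in comment #0 in plain Python 3: an explicit-proxy opener, for which urllib issues an HTTP CONNECT tunnel on https:// URLs so Squid only relays the encrypted stream and needs no SSL bump, and a guarded HTTP fallback that retries over plaintext only when the caller explicitly opted in and logs a warning the user can see. The `allow_http_fallback` flag, the `DowngradeRefused` exception, the proxy URL and the simulated fetcher are assumptions made up for this example; only the App Center hostname and the error text come from the report.

```python
"""Added example: CONNECT-tunnel opener and a guarded HTTPS->HTTP fallback.

Not App Center or univention-squid code. Names marked 'assumed' are
invented for the example.
"""
import logging
import socket
import ssl
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit, urlunsplit

log = logging.getLogger("appcenter-fetch")

# URL quoted in the bug report.
APPCENTER_URL = "https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png"


class DowngradeRefused(Exception):
    """Assumed: HTTPS failed and the caller did not opt in to a plaintext retry."""


def build_opener(proxy_url=None, timeout=20):
    """Return fetch(url) -> bytes. If proxy_url (e.g. "http://proxy.example:3128",
    assumed) is given, urllib sends 'CONNECT host:443' to the proxy for https://
    targets and performs the TLS handshake end-to-end with the origin server, so
    the proxy never has to terminate TLS (no ssl bump required)."""
    handlers = []
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    opener = urllib.request.build_opener(*handlers)

    def fetch(url):
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()

    return fetch


def is_tls_handshake_failure(exc):
    """True for the failure classes behind the reported
    '<urlopen error _ssl.c:475: The handshake operation timed out>':
    a TLS error or a socket timeout, optionally wrapped in URLError."""
    reason = getattr(exc, "reason", exc)
    return isinstance(reason, (ssl.SSLError, socket.timeout, TimeoutError))


def fetch_with_fallback(url, fetch, allow_http_fallback=False):
    """Fetch url with fetch(url) -> bytes; returns (body, url_actually_used).

    If an https:// fetch fails with a handshake/timeout error and
    allow_http_fallback (assumed flag) is True, the same path is retried over
    http:// and a warning is logged so the downgrade is visible to the user.
    Any other error, or a refused downgrade, is raised to the caller."""
    try:
        return fetch(url), url
    except OSError as exc:  # URLError, ssl.SSLError and socket.timeout are all OSError
        parts = urlsplit(url)
        if parts.scheme != "https" or not is_tls_handshake_failure(exc):
            raise
        http_url = urlunsplit(("http",) + tuple(parts[1:]))
        if not allow_http_fallback:
            raise DowngradeRefused(
                f"HTTPS to {parts.netloc} failed ({exc}); not retrying over "
                f"plaintext HTTP without explicit opt-in") from exc
        log.warning("HTTPS to %s failed (%s); falling back to %s. Responses on "
                    "this path are no longer protected by TLS.", parts.netloc, exc, http_url)
        return fetch(http_url), http_url


def simulated_transparent_proxy_fetch(url):
    """Constructed stand-in for the broken setup from the report: the
    transparent proxy swallows the TLS handshake, plain HTTP goes through."""
    if url.startswith("https://"):
        raise URLError(socket.timeout("_ssl.c:475: The handshake operation timed out"))
    return b"\x89PNG constructed icon bytes"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    body, used = fetch_with_fallback(APPCENTER_URL, simulated_transparent_proxy_fetch,
                                     allow_http_fallback=True)
    print(len(body), "bytes via", used)
    # For a real run through Squid via CONNECT (needs network):
    # fetch_with_fallback(APPCENTER_URL, build_opener("http://proxy.example:3128"))
```

The fallback is deliberately opt-in: silently downgrading to HTTP would let any on-path proxy strip TLS just by breaking the handshake, which is why comment #0's "note to the user" matters.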
(In reply to Moritz Muehlenhoff from comment #0)
> - The iptables snippet from univention-squid
> (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS)
> traffic to the squid port, although SSL bump is not configured by default.
> This is rather a bug in univention-squid, which I'll file against it
> independently of this bug.

Bug 35131
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.