Univention Bugzilla – Bug 35130
Using the App Center over a transparent UCS Squid proxy fails
Last modified: 2017-04-07 11:18:39 CEST
For the QA of Bug 35115 I also tried to use the Univention App Center over the transparent proxy setup as provided by UCS:
When opening the App Center, the retrieval of the apps fails and a 502 status code is displayed.
Dirk debugged the problem and it turned out that it failed due to downloading files over the proxy using HTTPS, e.g.:
https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png: <urlopen error _ssl.c:475: The handshake operation timed out>
If repository/app_center/server is set to http://appcenter.software-univention.de the App Center can be used again.
HTTPS over a proxy is a tricky beast: HTTPS is designed to avoid the kind of "man in the middle" a proxy strives to implement. Squid implements a feature called "ssl bump" which requires the configuration of the SSL certs used for the HTTPS connection. http://wiki.squid-cache.org/Features/SslBump
SSL bump is enabled in Squid since UCS 3.0-1. But it's not part of the UCR templates and only intended for special setups.
There are several angles to look at this bug:
- The iptables snippet from univention-squid (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS) traffic to the squid port, although SSL bump is not configured by default. This is rather a bug in univention-squid, which I'll file against it independently of this bug.
- But since there might be other proxies (esp. appliances) which are using HTTPS there's the possibility to initiate an HTTP CONNECT tunnel:
That would need to be implemented in the App Center.
- Another possibility would be to fall back to the HTTP connection in case the HTTPS connection fails (I guess there should at least be a note to the user, though)
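The two client-side angles above (an explicit HTTP CONNECT tunnel for HTTPS, and a fallback to plain HTTP that warns the user) as an added Python example; this is not App Center or univention-squid code and the function and proxy names are assumptions. Why the transparent setup fails is also visible here: a client redirected to port 3128 by the 443 rule sends a TLS ClientHello, while Squid without SSL bump waits for a plaintext request line, so the handshake times out. With an explicit proxy the client instead sends a CONNECT request first and only starts TLS once the proxy answers 2xx; the tunnel is end-to-end, so the origin certificate is still verified.

```python
"""Added example, not from the bug or from UCS: fetch an App Center URL through
an explicit proxy. HTTPS goes through a CONNECT tunnel; on a TLS failure the
caller may opt into an unencrypted HTTP retry, which is logged as a warning."""
import http.client
import logging
import ssl
from urllib.parse import urlsplit, urlunsplit

log = logging.getLogger("appcenter-proxy")

# Constructed sample proxy replies to a CONNECT request (not captured traffic).
SAMPLE_CONNECT_OK = b"HTTP/1.1 200 Connection established\r\nProxy-agent: squid\r\n\r\n"
SAMPLE_CONNECT_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def build_connect_request(host, port):
    """The request a client sends to an explicit proxy to open a raw TCP tunnel;
    TLS only starts after the proxy has answered with a 2xx status."""
    authority = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (authority, authority)).encode("ascii")


def parse_connect_response(raw):
    """Return the status code from the proxy's reply; 2xx means the tunnel is up,
    anything else (403, 407, ...) means the proxy refused to tunnel."""
    status_line, _, _ = raw.partition(b"\r\n")
    version, code, *_ = status_line.decode("latin-1").split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(code)


def downgrade_to_http(url):
    """https:// -> http:// for the fallback; the caller is responsible for warning."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return url
    return urlunsplit(("http",) + tuple(parts[1:]))


def fetch_via_proxy(url, proxy_host, proxy_port, timeout=10, allow_http_fallback=False):
    """GET `url` through proxy_host:proxy_port (assumed explicit proxy, e.g. Squid on 3128).
    HTTPS uses http.client's set_tunnel(), which issues the CONNECT request for us
    and then runs TLS end-to-end to the origin, so the origin's certificate is checked.
    Returns (status, body)."""
    parts = urlsplit(url)
    try:
        if parts.scheme == "https":
            ctx = ssl.create_default_context()  # verifies the origin, not the proxy
            conn = http.client.HTTPSConnection(proxy_host, proxy_port,
                                               timeout=timeout, context=ctx)
            conn.set_tunnel(parts.hostname, parts.port or 443)
            target = parts.path or "/"
            if parts.query:
                target += "?" + parts.query
        else:
            # Plain HTTP via a proxy: the absolute URL goes in the request line.
            conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)
            target = url
        conn.request("GET", target, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, resp.read()
    except OSError as exc:  # covers socket.timeout and ssl.SSLError
        if parts.scheme == "https" and allow_http_fallback:
            log.warning("HTTPS via proxy failed (%s); retrying %s over unencrypted HTTP",
                        exc, url)
            return fetch_via_proxy(downgrade_to_http(url), proxy_host, proxy_port,
                                   timeout, allow_http_fallback=False)
        raise


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(build_connect_request("appcenter.software-univention.de", 443).decode())
    print(parse_connect_response(SAMPLE_CONNECT_OK), parse_connect_response(SAMPLE_CONNECT_DENIED))
    print(downgrade_to_http("https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png"))
```

The fallback is deliberately opt-in: silently downgrading a software-distribution channel to HTTP hands the proxy (or anyone on the path) the ability to serve modified packages and icons, which is exactly the man-in-the-middle HTTPS was meant to rule out, so the warning should reach the user and not just the log.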
(In reply to Moritz Muehlenhoff from comment #0)
> - The iptables snippet from univention-squid
> (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS)
> traffic to the squid port, although SSL bump is not configured by default.
> This is rather a bug in univention-squid, which I'll file against it
> independently of this bug.