Bug 35130 - Using the App Center over a transparent UCS Squid proxy fails
Status: NEW
Product: UCS
Classification: Unclassified
Component: App Center
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Assigned To: App Center maintainers
Reported: 2014-06-17 11:40 CEST by Moritz Muehlenhoff
Modified: 2017-04-07 11:18 CEST (History)

What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Description Moritz Muehlenhoff univentionstaff 2014-06-17 11:40:16 CEST
For the QA of Bug 35115 I also tried to use the Univention App Center over the transparent proxy setup as provided by UCS:

When opening the App Center, the retrieval of the apps fails and a 502 status code is displayed.

Dirk debugged the problem and it turned out that it failed due to downloading files over the proxy using HTTPS, e.g.:

https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png: <urlopen error _ssl.c:475: The handshake operation timed out>

If repository/app_center/server is set to http://appcenter.software-univention.de the App Center can be used again.

HTTPS over a proxy is a tricky beast: HTTPS is designed to avoid the kind of "man in the middle" a proxy strives to implement. Squid implements a feature called "ssl bump" which requires the configuration of the SSL certs used for the HTTPS connection. http://wiki.squid-cache.org/Features/SslBump

SSL bump is enabled in Squid since UCS 3.0-1. But it's not part of the UCR templates and only intended for special setups.

There are several angles to look at this bug:

- The iptables snippet from univention-squid (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS) traffic to the squid port, although SSL bump is not configured by default. This is rather a bug in univention-squid, which I'll file against it independently of this bug.

- But since there might be other proxies (esp. appliances) which are using HTTPS there's the possibility to initiate an HTTP CONNECT tunnel:
http://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_tunneling_without_using_CONNECT
http://wiki.squid-cache.org/Features/HTTPS#CONNECT_tunnel
That would need to be implemented in the App Center.

- Another possibility would be to fall back to the HTTP connection in case the HTTPS connection fails (I guess there should at least be a note to the user, though)
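The second option above, an HTTP CONNECT tunnel, as an added example that is not part of the bug report and not code from UCS or the App Center. It runs three pieces on localhost: an origin HTTP server standing in for appcenter.software-univention.de, a proxy that understands only CONNECT and then relays bytes blindly, and a client that fetches a path through the proxy with http.client's set_tunnel(). The origin speaks plain HTTP so no certificates are needed; for real HTTPS the client side is the same with http.client.HTTPSConnection, and the proxy never needs to see inside the tunnel, which is exactly why no ssl bump configuration is required. Hosts, ports, the served body and the unreachable-target error path are constructed for the demonstration.

```python
"""Minimal HTTP CONNECT tunnel demo (added example, not UCS/App Center code).

Origin server, CONNECT-only proxy and a tunnelling client, all on 127.0.0.1.
Everything below (addresses, body, error path) is constructed for the demo."""
import http.client
import http.server
import socket
import socketserver
import threading

PATH = "/meta-inf/3.2/icinga_20140610.png"   # path from the bug report
BODY = b"constructed-app-center-file"         # constructed stand-in content


class OriginHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in origin: answers every GET with a fixed body."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):
        pass  # keep the demo quiet


class ConnectProxyHandler(socketserver.BaseRequestHandler):
    """Explicit proxy accepting only 'CONNECT host:port HTTP/1.x'.  After
    answering 200 it copies bytes both ways without inspecting them, so a TLS
    handshake inside the tunnel reaches the real server untouched."""

    def handle(self):
        client = self.request
        reader = client.makefile("rb")
        request_line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
        while reader.readline() not in (b"\r\n", b"\n", b""):
            pass  # discard the CONNECT request headers
        parts = request_line.split(" ")
        if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            return
        host, port = parts[1].rsplit(":", 1)
        try:
            upstream = socket.create_connection((host, int(port)), timeout=5)
        except (OSError, ValueError):
            # Unreachable target: the client gets a clean 502, not a hang
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
            return
        upstream.settimeout(None)
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        back = threading.Thread(target=self._pump, args=(upstream, client), daemon=True)
        back.start()
        self._pump(client, upstream)   # returns when the client closes its side
        back.join(timeout=5)
        upstream.close()

    @staticmethod
    def _pump(src, dst):
        """Copy bytes src -> dst until src hits EOF, then half-close dst."""
        try:
            while chunk := src.recv(65536):
                dst.sendall(chunk)
        except OSError:
            pass
        finally:
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass


def fetch_through_proxy(proxy_addr, origin_addr, path):
    """Fetch `path` from origin_addr via an explicit proxy.  set_tunnel() makes
    http.client send CONNECT first; a non-200 answer raises OSError."""
    conn = http.client.HTTPConnection(*proxy_addr, timeout=5)
    conn.set_tunnel(*origin_addr)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def run_demo():
    """Start origin and proxy on ephemeral ports, fetch once successfully, then
    tunnel to a closed port to show the 502 path.  Returns ((status, body), error)."""
    origin = http.server.ThreadingHTTPServer(("127.0.0.1", 0), OriginHandler)
    proxy = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ConnectProxyHandler)
    proxy.daemon_threads = True
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # nothing listens here once closed
    probe.close()
    try:
        ok = fetch_through_proxy(proxy.server_address, origin.server_address, PATH)
        try:
            fetch_through_proxy(proxy.server_address, ("127.0.0.1", closed_port), PATH)
            error = None
        except OSError as exc:
            error = str(exc)
        return ok, error
    finally:
        for srv in (proxy, origin):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Two things the example makes visible. First, CONNECT only helps a client that knows it is talking to a proxy: with the transparent 443 redirect from the first bullet, the App Center's urllib client believes it has a direct connection, sends a TLS ClientHello to Squid's HTTP port, and waits for a ServerHello that never comes, which is the "handshake operation timed out" from the report. Second, Python's urllib.request already issues CONNECT on its own when an explicit https proxy is configured through ProxyHandler (or the https_proxy environment variable), so the client-side work is largely configuration rather than new protocol code.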
Comment 1 Moritz Muehlenhoff univentionstaff 2014-06-17 11:44:29 CEST
(In reply to Moritz Muehlenhoff from comment #0)
> - The iptables snippet from univention-squid
> (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS)
> traffic to the squid port, although SSL bump is not configured by default.
> This is rather a bug in univention-squid, which I'll file against it
> independently of this bug.

Bug 35131