Bug 35130 - Using the App Center over a transparent UCS Squid proxy fails
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: App Center
Version: UCS 4.2
OS: Other Linux
Importance: P5 normal
Assigned To: App Center maintainers
Reported: 2014-06-17 11:40 CEST by Moritz Muehlenhoff
Modified: 2020-07-03 20:54 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Description Moritz Muehlenhoff univentionstaff 2014-06-17 11:40:16 CEST
For the QA of Bug 35115 I also tried to use the Univention App Center over the transparent proxy setup as provided by UCS:

When opening the App Center, the retrieval of the apps fails and a 502 status code is displayed.

Dirk debugged the problem and it turned out that it failed due to downloading files over the proxy using HTTPS, e.g.:

https://appcenter.software-univention.de/meta-inf/3.2/icinga_20140610.png: <urlopen error _ssl.c:475: The handshake operation timed out>

If repository/app_center/server is set to http://appcenter.software-univention.de the App Center can be used again.

HTTPS over a proxy is a tricky beast: HTTPS is designed to avoid the kind of "man in the middle" a proxy strives to implement. Squid implements a feature called "ssl bump" which requires the configuration of the SSL certs used for the HTTPS connection. http://wiki.squid-cache.org/Features/SslBump

SSL bump is enabled in Squid since UCS 3.0-1. But it's not part of the UCR templates and only intended for special setups.

There are several angles to look at this bug:

- The iptables snippet from univention-squid (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS) traffic to the squid port, although SSL bump is not configured by default. This is rather a bug in univention-squid, which I'll file against it independently of this bug.

- But since there might be other proxies (esp. appliances) which are using HTTPS there's the possibility to initiate a HTTP CONNECT tunnel:
http://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_tunneling_without_using_CONNECT
http://wiki.squid-cache.org/Features/HTTPS#CONNECT_tunnel
That would need to be implemented in the App Center.

- Another possibility would be to fall back to the HTTP connection in case the HTTPS connection fails (I guess there should at least be a note to the user, though)
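The second option in the description, an HTTP CONNECT tunnel, is shown below as an added example; it is not code from the App Center, univention-squid or UCS. Both sides of the exchange are implemented: the client side (build the CONNECT request, read the proxy's status line, only then hand the socket to TLS) and a toy proxy that accepts CONNECT only to an allow-listed set of ports, which stands in for Squid's default `SSL_ports` ACL (CONNECT to 443 only). The echo server, the loopback addresses and the port 8080 used in the refused case are constructed so the demo runs offline. Note the caveat this implies for the reported setup: CONNECT only helps when the client is explicitly configured with a proxy address. With the transparent redirect of 443/TCP from the iptables snippet, the client never sends CONNECT; it opens a TLS handshake straight at Squid, which is exactly the handshake timeout the report shows.

```python
from __future__ import annotations
import socket
import threading
from contextlib import suppress


class ProxyRefused(OSError):
    """Proxy answered CONNECT with a non-2xx status (no tunnel was opened)."""
    def __init__(self, status: int, reason: str):
        super().__init__(f"proxy refused CONNECT: {status} {reason}")
        self.status = status


def build_connect_request(host: str, port: int) -> bytes:
    # RFC 7231 4.3.6: request-target is host:port; the Host header repeats it.
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_response(raw: bytes) -> tuple[int, str]:
    """Return (status, reason) from the status line of the proxy's reply."""
    parts = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {parts!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def _read_headers(sock: socket.socket) -> bytes:
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf


def open_tunnel(proxy: tuple[str, int], host: str, port: int, timeout: float = 5.0) -> socket.socket:
    """TCP tunnel to host:port through an explicitly configured proxy.

    The caller starts TLS on the returned socket (ssl.SSLContext.wrap_socket(sock,
    server_hostname=host)) only after a 2xx reply; on any other status the socket
    would still be talking to the proxy, so it is closed here instead."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status, reason = parse_connect_response(_read_headers(sock))
        if not 200 <= status < 300:
            raise ProxyRefused(status, reason)
    except Exception:
        sock.close()
        raise
    return sock


# ---- toy CONNECT proxy and echo server, constructed so the demo runs offline ----

def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def _start_server(handler) -> tuple[str, int]:
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # loopback only, ephemeral port
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def start_echo_server() -> tuple[str, int]:
    return _start_server(lambda conn: _pump(conn, conn))


def start_toy_proxy(allowed_ports: frozenset[int] = frozenset({443})) -> tuple[str, int]:
    """allowed_ports stands in for Squid's SSL_ports ACL: CONNECT only to 443 by default."""
    def handle(conn: socket.socket) -> None:
        method, _, rest = _read_headers(conn).split(b"\r\n", 1)[0].decode("latin-1").partition(" ")
        host, _, port = rest.partition(" ")[0].rpartition(":")
        if method != "CONNECT" or not host or not port.isdigit():
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n"); conn.close(); return
        if int(port) not in allowed_ports:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n"); conn.close(); return
        try:
            upstream = socket.create_connection((host, int(port)), timeout=5)
        except OSError:
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n"); conn.close(); return
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
        _pump(upstream, conn)
    return _start_server(handle)


def demo_tunnel() -> bytes:
    """CONNECT to a port the ACL allows: bytes flow end to end (returns b'ping')."""
    echo = start_echo_server()
    proxy = start_toy_proxy(allowed_ports=frozenset({echo[1]}))
    with open_tunnel(proxy, *echo) as tunnel:
        tunnel.sendall(b"ping")
        reply = b""
        while len(reply) < 4 and (chunk := tunnel.recv(4 - len(reply))):
            reply += chunk
    return reply


def demo_refused() -> int:
    """CONNECT to a port outside the default ACL: 403 comes back, no TLS is attempted."""
    try:
        open_tunnel(start_toy_proxy(), "127.0.0.1", 8080)   # 8080 is a constructed target
    except ProxyRefused as exc:
        return exc.status
    return -1
```

In a real client the socket returned by `open_tunnel()` is wrapped with an `ssl.SSLContext` that verifies the certificate against `server_hostname=host`, so the proxy in between never sees plaintext and cannot substitute its own certificate without failing verification. That is also the reason the third option in the description (falling back to plain HTTP when HTTPS fails) should never be silent: a downgrade drops the integrity and authenticity guarantees TLS gave the downloaded app metadata, so at minimum the user has to be told it happened.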
Comment 1 Moritz Muehlenhoff univentionstaff 2014-06-17 11:44:29 CEST
(In reply to Moritz Muehlenhoff from comment #0)
> - The iptables snippet from univention-squid
> (etc/security/packetfilter.d/20squid) redirects all 443/TCP (i.e. HTTPS)
> traffic to the squid port, although SSL bump is not configured by default.
> This is rather a bug in univention-squid, which I'll file against it
> independently of this bug.

Bug 35131
Comment 2 Ingo Steuwer univentionstaff 2020-07-03 20:54:06 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.