Date:      Mon, 20 Oct 2014 15:20:06 -0500
From:      Alan Amesbury <amesbury@oitsec.umn.edu>
To:        freebsd-stable@freebsd.org
Subject:   Problem with libfetch, pkg, and proxying?
Message-ID:  <42CAA1B4-1DE8-4CA6-85A4-29773844B0E2@oitsec.umn.edu>

Given FreeBSD-9.1-RELEASE, 'pkg' installed from ports, and a pkg.conf that points to a proxy, it appears 'pkg' is ignoring the proxy setting for HTTPS URLs.

The contents of /usr/local/etc/pkg.conf consist of:

  pkg_env {
	http_proxy: http://proxyhost.fqdn:3128/
  }



'uname -srm' = "FreeBSD 9.1-RELEASE-p19 amd64".  It's not running GENERIC, but I don't think that's relevant.  :-)

Network traffic shows the host uses the proxy correctly for the initial HTTP callout to the local package repository, but tries to connect directly when it receives an HTTP redirect to HTTPS.  This is borne out in output from 'truss', which shows (with some data redacted):

			.
			.
			.
72869: connect(5,{ AF_INET [NAMESERVER]:53 },16) = 0 (0x0)
72869: sendto(5,"\M-)W\^A\0\0\^A\0\0\0\0\0\0\apro"...,44,0x0,NULL,0x0) = 44 (0x2c)
72869: clock_gettime(0,{1413835372.386244672 })  = 0 (0x0)
72869: kevent(4,{0x5,EVFILT_READ,EV_ADD|EV_ONESHOT,0,0x0,0x0},1,{0x5,EVFILT_READ,EV_ONESHOT,0,0xcb,0x0},1,{5.000000000 }) = 1 (0x1)
72869: recvfrom(5,"\M-)W\M^A\M^@\0\^A\0\^A\0\^B\0"...,65536,0x0,{ AF_INET 128.101.101.101:53 },0x7fffffff77dc) = 203 (0xcb)
72869: close(5)                                  = 0 (0x0)
72869: close(4)                                  = 0 (0x0)
72869: kqueue(0x7e6bfa380,0x7e7496000,0x10000058,0x7e7486000,0x10000,0x1) = 4 (0x4)
72869: socket(PF_INET,SOCK_DGRAM,0)              = 5 (0x5)
72869: connect(5,{ AF_INET [NAMESERVER]:53 },16) = 0 (0x0)
72869: sendto(5,"\M-)X\^A\0\0\^A\0\0\0\0\0\0\apro"...,44,0x0,NULL,0x0) = 44 (0x2c)
72869: clock_gettime(0,{1413835372.388397497 })  = 0 (0x0)
72869: kevent(4,{0x5,EVFILT_READ,EV_ADD|EV_ONESHOT,0,0x0,0x0},1,{0x5,EVFILT_READ,EV_ONESHOT,0,0x69,0x0},1,{5.000000000 }) = 1 (0x1)
72869: recvfrom(5,"\M-)X\M^A\M^@\0\^A\0\0\0\^A\0\0"...,65536,0x0,{ AF_INET 128.101.101.101:53 },0x7fffffff77dc) = 105 (0x69)
72869: close(5)                                  = 0 (0x0)
72869: close(4)                                  = 0 (0x0)
72869: madvise(0x7e7496000,0x10000,0x5,0x95,0x7fffffff7830,0x62c1b0) = 0 (0x0)
72869: madvise(0x7e7476000,0x10000,0x5,0x75,0x7fffffff7d10,0xffffffff) = 0 (0x0)
72869: madvise(0x7e7486000,0x10000,0x5,0x85,0x7fffffff7d10,0x62c1b0) = 0 (0x0)
72869: socket(PF_INET,SOCK_STREAM,6)             = 4 (0x4)
72869: connect(4,{ AF_INET [PROXY]:3128 },16) = 0 (0x0)
72869: fcntl(4,F_SETFL,O_NONBLOCK)               = 0 (0x0)
72869: fcntl(4,F_SETFD,FD_CLOEXEC)               = 0 (0x0)
72869: setsockopt(0x4,0xffff,0x800,0x7fffffff9144,0x4,0x0) = 0 (0x0)
72869: setsockopt(0x4,0x6,0x4,0x7fffffff9458,0x4,0x0) = 0 (0x0)
			.
			.
			.
72869: connect(5,{ AF_INET [NAMESERVER]:53 },16) = 0 (0x0)
72869: sendto(5,"\M-)Y\^A\0\0\^A\0\0\0\0\0\0\thor"...,42,0x0,NULL,0x0) = 42 (0x2a)
72869: clock_gettime(0,{1413835372.458693385 })  = 0 (0x0)
72869: kevent(4,{0x5,EVFILT_READ,EV_ADD|EV_ONESHOT,0,0x0,0x0},1,{0x5,EVFILT_READ,EV_ONESHOT,0,0xc9,0x0},1,{5.000000000 }) = 1 (0x1)
72869: recvfrom(5,"\M-)Y\M^A\M^@\0\^A\0\^A\0\^B\0"...,65536,0x0,{ AF_INET 128.101.101.101:53 },0x7fffffff77dc) = 201 (0xc9)
72869: close(5)                                  = 0 (0x0)
72869: close(4)                                  = 0 (0x0)
72869: kqueue(0x7e6bfa380,0x7e7496000,0x10000058,0x7e7486000,0x10000,0x1) = 4 (0x4)
72869: socket(PF_INET,SOCK_DGRAM,0)              = 5 (0x5)
72869: connect(5,{ AF_INET [NAMESERVER]:53 },16) = 0 (0x0)
72869: sendto(5,"\M-)Z\^A\0\0\^A\0\0\0\0\0\0\thor"...,42,0x0,NULL,0x0) = 42 (0x2a)
72869: clock_gettime(0,{1413835372.461001593 })  = 0 (0x0)
72869: kevent(4,{0x5,EVFILT_READ,EV_ADD|EV_ONESHOT,0,0x0,0x0},1,{0x5,EVFILT_READ,EV_ONESHOT,0,0x67,0x0},1,{5.000000000 }) = 1 (0x1)
72869: recvfrom(5,"\M-)Z\M^A\M^@\0\^A\0\0\0\^A\0\0"...,65536,0x0,{ AF_INET 128.101.101.101:53 },0x7fffffff77dc) = 103 (0x67)
72869: close(5)                                  = 0 (0x0)
72869: close(4)                                  = 0 (0x0)
72869: madvise(0x7e7496000,0x10000,0x5,0x95,0x7fffffff7830,0x62c1b0) = 0 (0x0)
72869: madvise(0x7e7476000,0x10000,0x5,0x75,0x7fffffff7d10,0xffffffff) = 0 (0x0)
72869: madvise(0x7e7486000,0x10000,0x5,0x85,0x7fffffff7d10,0x62c1b0) = 0 (0x0)
72869: socket(PF_INET,SOCK_STREAM,6)             = 4 (0x4)
72869: connect(4,{ AF_INET [NOT_PROXY]:443 },16) ERR#60 'Operation timed out'
			.
			.
			.



The connection timed out because connections to hosts other than the proxy aren't allowed.  However, my reading of fetch(3) and fetch(1) suggests that the environment variable for http_proxy should cover HTTP and HTTPS URLs.  Tests using lynx were different; lynx apparently uses ${PROTOCOL}_PROXY where ${PROTOCOL} is the URL type, and HTTP and HTTPS are different.

Is this behavior correct?  I don't think it is.  Regardless, is there a way to get 'pkg' to use HTTPS URLs through a proxy?

Thanks in advance for any help/insights you can provide!


-- 
Alan Amesbury
University Information Security

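The behaviour described in the post (proxy honoured for the first HTTP hop, dropped on the redirect to HTTPS) comes down to which environment variable a client consults for each URL scheme. The following is an added model of that decision, written for this page; it is not libfetch, pkg or lynx code and does not claim to reproduce their internals. It contrasts the two conventions the post mentions (one http_proxy variable covering both schemes versus a per-scheme ${PROTOCOL}_PROXY lookup), follows a constructed redirect chain, and adds the check a defender on an egress-restricted host would want: which hops would try to leave via something other than the proxy. The hostnames pkg.example.test and mirror.example.test are constructed; proxyhost.fqdn:3128 is the value from the pkg.conf in the post.

```python
"""Constructed model of proxy selection across an HTTP -> HTTPS redirect.

Not libfetch/pkg/lynx code. Two conventions are modelled:
  'shared'     - http_proxy / HTTP_PROXY applies to http and https URLs
                 (the reading of fetch(3) the post expects)
  'per_scheme' - lynx-style ${PROTOCOL}_PROXY, one variable per URL scheme
"""
from urllib.parse import urlsplit

# Constructed sample: the repository answers the plain-HTTP request with a
# redirect to an HTTPS URL on a different (constructed) host.
SAMPLE_REDIRECTS = {
    "http://pkg.example.test/freebsd/": "https://mirror.example.test/freebsd/",
}


def proxy_for(url, env, convention):
    """Return the proxy URL that applies to `url`, or None for a direct connection."""
    scheme = urlsplit(url).scheme.lower()
    if convention == "shared":
        if scheme in ("http", "https"):
            return env.get("http_proxy") or env.get("HTTP_PROXY")
        return None
    if convention == "per_scheme":
        # e.g. https_proxy / HTTPS_PROXY for an https URL; nothing else is consulted
        for name in (f"{scheme}_proxy", f"{scheme.upper()}_PROXY"):
            if env.get(name):
                return env[name]
        return None
    raise ValueError(f"unknown convention {convention!r}")


def connection_plan(start_url, env, convention, redirects=SAMPLE_REDIRECTS):
    """Follow the redirect chain and record, per hop, where the TCP connect goes."""
    hops = []
    url = start_url
    seen = set()  # guard against a redirect loop in the sample table
    while url and url not in seen:
        seen.add(url)
        proxy = proxy_for(url, env, convention)
        target = urlsplit(url)
        if proxy:
            p = urlsplit(proxy)
            connect_to, port = p.hostname, p.port
        else:
            connect_to = target.hostname
            port = target.port or (443 if target.scheme == "https" else 80)
        hops.append({"url": url, "connect_to": connect_to,
                     "port": port, "via_proxy": proxy is not None})
        url = redirects.get(url)
    return hops


def egress_violations(hops, allowed_hosts):
    """Defender check: hops that would connect to a host outside the allow-list.

    On a host whose firewall only permits the proxy these are the connects that
    time out (the ERR#60 in the truss output); where no such firewall exists
    they are the connects that silently bypass the proxy.
    """
    return [h for h in hops if h["connect_to"] not in allowed_hosts]


def audit_proxy_env(env):
    """True when http_proxy is set but no https proxy variable is.

    A per-scheme client in such an environment sends every https hop direct.
    """
    has_http = bool(env.get("http_proxy") or env.get("HTTP_PROXY"))
    has_https = bool(env.get("https_proxy") or env.get("HTTPS_PROXY"))
    return has_http and not has_https


if __name__ == "__main__":
    env = {"http_proxy": "http://proxyhost.fqdn:3128/"}  # the pkg_env from the post
    for convention in ("shared", "per_scheme"):
        hops = connection_plan("http://pkg.example.test/freebsd/", env, convention)
        print(convention)
        for h in hops:
            print(f"  {h['url']} -> {h['connect_to']}:{h['port']} via_proxy={h['via_proxy']}")
        print("  violations:", [h["url"] for h in egress_violations(hops, {"proxyhost.fqdn"})])
    print("http_proxy set without https_proxy:", audit_proxy_env(env))
```

Under the per-scheme convention the second hop connects to mirror.example.test:443 directly, which is exactly the shape of the failing connect in the truss output; adding an https_proxy entry alongside http_proxy, or using a client that applies http_proxy to both schemes, makes every hop go through proxyhost.fqdn:3128. The audit function is the cheap preventive check: run it over the pkg_env (or the shell environment) before relying on egress filtering to catch the mistake.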


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42CAA1B4-1DE8-4CA6-85A4-29773844B0E2>