Project

General

Profile

Actions

Bug #11383

closed

pfSense Proxy Authentication not working

Added by Viktor Gurov 8 months ago. Updated 6 months ago.

Status:
Closed
Priority:
High
Category:
Upgrade
Target version:
Start date:
02/08/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.4.5
Affected Architecture:

Description

Proxy Username/Password on the system_advanced_misc.php is being ignored

You can see them in `env`:

# env | grep PROXY
HTTP_PROXY=192.168.88.41:3128
HTTP_PROXY_AUTH=basic:*:test1:111

but not in packet capture.

System / Update sample capture:

Hypertext Transfer Protocol
    CONNECT files00.netgate.com:443 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): CONNECT files00.netgate.com:443 HTTP/1.1\r\n]
        Request Method: CONNECT
        Request URI: files00.netgate.com:443
        Request Version: HTTP/1.1
    Host: files00.netgate.com:443\r\n
    \r\n
    [Full request URI: files00.netgate.com:443]
    [HTTP request 1/1]
    [Response in frame: 10]

pfBlockerNG-devel (uses php curl functions) update capture:

Hypertext Transfer Protocol
    CONNECT mirror1.malwaredomains.com:443 HTTP/1.1\r\n
    Host: mirror1.malwaredomains.com:443\r\n
    User-Agent: pfSense/pfBlockerNG cURL download agent\r\n
    Proxy-Connection: Keep-Alive\r\n
    \r\n
    [Full request URI: mirror1.malwaredomains.com:443]
    [HTTP request 1/1]
    [Response in frame: 8]

Successful Firefox browser authentication:

Hypertext Transfer Protocol
    CONNECT mail.ru:443 HTTP/1.1\r\n
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n
    Proxy-Connection: keep-alive\r\n
    Connection: keep-alive\r\n
    Host: mail.ru:443\r\n
    Proxy-Authorization: Basic cGY1MjoxMjM=\r\n
        Credentials: pf52:123
    \r\n
    [Full request URI: mail.ru:443]
    [HTTP request 1/1]
    [Response in frame: 66]

tested on 2.4.5-p1 and 2.5.0.a.20210204.2250

see also #9478 #11128

Actions #1

Updated by Jim Pingle 8 months ago

  • Priority changed from Normal to High
  • Target version set to 2.5.0

Confirmed here as well, if I set a system to use a proxy that requires auth, it can't communicate with the package server.

Actions #2

Updated by Steve Beaver 8 months ago

  • Status changed from New to In Progress
  • Assignee set to Steve Beaver
Actions #3

Updated by Steve Beaver 8 months ago

  • Assignee changed from Steve Beaver to Renato Botelho

The values in the config.xml file appear to be correctly recorded:

<proxypass>Orange</proxypass>
<proxyuser>Mario</proxyuser>

Actions #4

Updated by Renato Botelho 8 months ago

  • Target version changed from 2.5.0 to CE-Next
  • Affected Version changed from 2.5.0 to 2.4.5

Not a regression, move to next release.

Actions #5

Updated by Jim Pingle 8 months ago

  • Target version changed from CE-Next to 2.5.0
  • Affected Version changed from 2.4.5 to 2.5.0

See also: #9029

Actions #6

Updated by Jim Pingle 8 months ago

  • Target version changed from 2.5.0 to CE-Next
  • Affected Version changed from 2.5.0 to 2.4.5
Actions #7

Updated by Michael Samer 8 months ago

Hi
the problem exists since my oldest existing installation (here) FW:2.4.4p1. It was tested OK in Mid 2018 on 2.4.2 or .3 (whatever), so since then something must have changed in the code. As Jim Pingle had proxy auth problems on some other version it was fixed once. (shell) curl is ignoring the variables as well as like it's being compiled with ignoring the proxy parameters.
The same syntax/parameters on a CentOS 7.8 machine is working as it should.
Hope this helps

Actions #8

Updated by Michael Spears 7 months ago

Renato Botelho wrote:

Not a regression, move to next release.

IMHO, shouldn't this technically be considering a regression as it did work at one point? Confirmed this is currently an issue on 2.5.

Actions #9

Updated by Jim Pingle 7 months ago

From a much older release, yes, but not from the last public release. It was broken in 2.4.5-p1 thus not a new regression from 2.4.5-p1 to 2.5.0.

Actions #10

Updated by Michael Samer 7 months ago

Jim Pingle wrote:

From a much older release, yes, but not from the last public release. It was broken in 2.4.5-p1 thus not a new regression from 2.4.5-p1 to 2.5.0.

Hi Jim
it isn't working surely since the Release: 2.4.4p1 as this is my oldest living installationen. As it was running in my first tests in 2018 it is a (code) bug since then.
More serious: with no working proxy function I'm unable to update any of the current installations as well. I'd downgrade via USB Stick to some 2.4.2 when I initially tested it, but that seems odd.

Actions #11

Updated by Michael Samer 7 months ago

Michael Samer wrote:

Jim Pingle wrote:

From a much older release, yes, but not from the last public release. It was broken in 2.4.5-p1 thus not a new regression from 2.4.5-p1 to 2.5.0.

Hi Jim
it isn't working surely since the Release: 2.4.4p1 as this is my oldest living installationen. As it was running in my first tests in 2018 it is a (code) bug since then.
More serious: with no working proxy function I'm unable to update any of the current installations as well. I'd downgrade via USB Stick to some 2.4.2 when I initially tested it, but that seems odd.

I just received today a new SG3100 for deployment and updated it to the newest stable release. The Proxy Auth problem is still present in the 21.02p1. Afaik the 21.02 should be on par with 2.5.0, so no proxy function in newer releases so far.
Any spark on the horizon?

Actions #12

Updated by Renato Botelho 6 months ago

  • Status changed from In Progress to Feedback
  • Target version changed from CE-Next to 2.5.1

Fix pushed on FreeBSD-src repository.

Upstream ticket - https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220468

Actions #13

Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Closed
Actions

Also available in: Atom PDF