Project

General

Profile

Actions

Regression #15094

open

Updates fail against an authenticated upstream proxy

Added by Steve Wheeler 11 months ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Package System
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.11
Release Notes:
Default
Affected Version:
2.7.x
Affected Architecture:
All

Description

When an upstream authenticated proxy is defined pkg commands fail, appearing to use the defined proxy but not send login creds:

[23.09.1-RELEASE][admin@5100-2.stevew.lan]/root: pkg -d update
DBG(1)[63719]> pkg initialized
Updating pfSense-core repository catalogue...
DBG(1)[63719]> PkgRepo: verifying update for pfSense-core
DBG(1)[63719]> PkgRepo: need forced update of pfSense-core
DBG(1)[63719]> Pkgrepo, begin update of '/var/db/pkg/repo-pfSense-core.sqlite'
DBG(1)[63719]> Request to fetch pkg+https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_1_amd64-core/meta.conf
DBG(1)[63719]> curl_open
DBG(1)[63719]> Fetch: fetcher used: pkg+https
DBG(1)[63719]> curl> fetching https://pfsense-plus-pkg.netgate.com/pfSense_plus-v23_09_1_amd64-core/meta.conf

DBG(1)[63719]> CURL> attempting to fetch from , left retry 3

* Couldn't find host pfsense-plus-pkg01.atx.netgate.com in the .netrc file; using defaults
*   Trying 172.21.16.185:3128...
* Connected to 172.21.16.185 (172.21.16.185) port 3128
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to pfsense-plus-pkg01.atx.netgate.com:443
> CONNECT pfsense-plus-pkg01.atx.netgate.com:443 HTTP/1.1
Host: pfsense-plus-pkg01.atx.netgate.com:443
User-Agent: pkg/1.20.8
Proxy-Connection: Keep-Alive

< HTTP/1.1 407 Proxy Authentication Required
< Server: squid
< Mime-Version: 1.0
< Date: Thu, 14 Dec 2023 02:07:18 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3614
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< Proxy-Authenticate: Basic realm="Please enter your credentials to access the proxy" 
< X-Cache: MISS from cuda.stevew.lan
< X-Cache-Lookup: NONE from cuda.stevew.lan:3128
< Via: 1.1 cuda.stevew.lan (squid)
< Connection: keep-alive
< 
* Ignore 3614 bytes of response-body
* CONNECT tunnel failed, response 407
* Closing connection

This appears to be due to newer pkg versions using curl which also fails where fetch still succeeds:

[23.09.1-RELEASE][admin@5100-2.stevew.lan]/root: fetch https://firmware.netgate.com/pkg/pfSense_factory-v2_3_0_amd64-core/meta.txz
meta.txz                                               944  B 4117 kBps    00s
[23.09.1-RELEASE][admin@5100-2.stevew.lan]/root: pfSense-repoc
Messages:
Your Netgate device has pfSense+ as part of your device purchase.

[23.09.1-RELEASE][admin@5100-2.stevew.lan]/root: curl -v https://firmware.netgate.com/pkg/pfSense_factory-v2_3_0_amd64-core/meta.txz
*   Trying 208.123.73.207:443...
*   Trying [2610:160:11:18::207]:443...
* Immediate connect fail for 2610:160:11:18::207: No route to host
*   Trying [2610:160:11:18::209]:443...
* Immediate connect fail for 2610:160:11:18::209: No route to host
^C

Curl not even trying to use the copmnfigured proxy when called directly

Actions #1

Updated by Jim Pingle 11 months ago

  • Target version changed from CE-Next to 2.8.0
  • Plus Target Version changed from Plus-Next to 24.03
Actions #2

Updated by Jim Pingle 8 months ago

  • Plus Target Version changed from 24.03 to 24.07
Actions #3

Updated by Brad Davis 6 months ago

  • Assignee set to Brad Davis

Fixed upstream, will be in the next pkg release

Actions #4

Updated by Kris Phillips 6 months ago

Tickets 2616976047 and 2698680909 both are regarding this issue.

Actions #5

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.07 to 24.08
Actions #6

Updated by Steve Wheeler 5 months ago

  • Status changed from New to In Progress
Actions #7

Updated by Jim Pingle about 1 month ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Has this been tested lately? The relevant commits to fix this have been in our pkg port for a couple months now.

The upstream PR was merged but it doesn't appear to be in an upstream release yet, but there is a patch in our ports tree that adds it.

Actions #8

Updated by Jim Pingle about 1 month ago

  • Plus Target Version changed from 24.08 to 24.11
Actions

Also available in: Atom PDF