Project

General

Profile

Actions

Bug #9029

closed

Proxy authentication is not working for HTTPS

Added by Jim Pingle about 3 years ago. Updated 11 months ago.

Status:
Resolved
Priority:
Normal
Category:
Operating System
Target version:
Start date:
10/09/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:
All

Description

When a user enters proxy details on system_advanced_misc.php it should trigger the firewall to use the proxy for things like pkg. This seems to work for HTTP URLs, but not HTTPS.

We are setting up the environment properly as far as I can see. Packet captures show the request going to the proxy, the proxy responds that authentication is required, but the client never sends the request with authentication details.

: set | grep http
http_proxy    198.51.100.23:3128
http_proxy_auth    basic:*:jimp:jimp
http_proxy_auth_pass    jimp
http_proxy_auth_user    jimp
http_proxy_port    3128
: env | grep HTTP
HTTP_PROXY=198.51.100.23:3128
HTTP_PROXY_AUTH=basic:*:jimp:jimp

Even on 2.4.5 snapshots this fails with an error such as:

pkg: https://beta.pfsense.org/packages/pfSense_master_amd64-core/packagesite.txz: Proxy Authentication Required

As a quick test, a fetch of an HTTPS URL also fails, but HTTP succeeds:

: fetch -o - https://files00.netgate.com/
fetch: https://files00.netgate.com/: Proxy Authentication Required
: fetch -o - http://files00.netgate.com/
[...]
-                                                     4872  B   14 kBps 00m00s

Last time this came up in #6949 there was a FreeBSD bug referenced at https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194483 that may or may not be related.

It was working at one time before 2.4-RELEASE but broke again at some point.

This also appears to affect stock FreeBSD 11.2, easy to replicate with fetch

env HTTP_PROXY="198.51.100.23:3128" HTTP_PROXY_AUTH="basic:*:jimp:jimp" fetch -o - https://files00.netgate.com/

Just substitute in a proxy IP address/user/pass that you can reach which is set to require auth.

Annoying but not critical, can be moved ahead if fixing is prohibitively difficult, but we did have it fixed before, so maybe a patch or two were not carried forward.

Actions

Also available in: Atom PDF