Re: [squid-users] squid upgrade issue and tunnelled ssh connections

From: Simon Beale <simon_at_minos.org.uk>
Date: Sat, 11 Jan 2014 12:53:00 +0000

On 11 Jan 2014, at 02:54, Amos Jeffries <squid3_at_treenet.co.nz> wrote:

> On 11/01/2014 6:45 a.m., Simon Beale wrote:
>> Hi
>>
>> I'm trying to upgrade our squid proxies from 3.1.19 to 3.4.2, and have hit
>> a problem where I can no longer proxy ssh/sftp connections through after
>> the upgrade.
>>
>> For testing, I've heavily cut down my squid.conf, to the following
>> configuration on 3.1.19, 3.3.11 and 3.4.2:
>>
>> =============================
>> http_access allow all
>> http_port 3128
>> cache_mem 2 GB
>> maximum_object_size_in_memory 4 MB
>> cache_dir ufs /var/cache/squid 10240 16 256
>> maximum_object_size 1 MB
>> cache_swap_low 80
>> refresh_pattern . 0 20% 4320
>> =============================
>>
>> If I then try to run the following ssh command:
>>
>> ssh -oProxyCommand='nc -v -X connect -x SQUIDHOST:3128 %h %p' github.com
>>
>> With squid 3.1.19, I log in straight away.
>> With squid 3.3.11 and 3.4.2, I get the error:
>>
>> nc: Proxy error: "HTTP/1.1 200 Connection established"
>> ssh_exchange_identification: Connection closed by remote host
>>
>> Looking in the logfiles, it's logged:
>>
>> 1389375458.633 89 10.147.82.2 TCP_MISS/200 0 CONNECT github.com:22 - HIER_DIRECT/192.30.252.131 -
>>
>> Is there some option I'm overlooking to enable me to do these tunnelled
>> SSH/SFTP connections, that was introduced after 3.1.19?
>
> That "HTTP/1.1 200 Connection established" is the HTTP response produced
> by Squid after successfully opening the tunnel.
> Is the nc tool getting confused over the HTTP/1.1 version? (3.1 would emit
> an HTTP/1.0 label with the same message.)
>

Ahah! Yes, you’re right.

I've pulled down the source for nc and found that in HTTP proxy mode, it explicitly looks for the string "HTTP/1.0 200" in the response. Patching it to accept HTTP/1.1 as an alternative, it now will successfully make the ssh connection.

Cheers for that!

Simon
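The status-line mismatch discussed in this thread, as an added example that is not nc's source or Simon's patch: a check modeled on the strict string compare he describes, beside a version-tolerant one that accepts the "HTTP/1.1 200" line newer Squid emits while still rejecting non-2xx answers. The sample responses are constructed to match the two Squid versions mentioned above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Strict check modeled on what Simon found in nc's HTTP proxy mode:
 * only an "HTTP/1.0 200" prefix is accepted, so the "HTTP/1.1 200"
 * line that Squid 3.3/3.4 send is treated as a proxy error. */
int naive_connect_ok(const char *resp)
{
    return strncmp(resp, "HTTP/1.0 200", 12) == 0;
}

/* Version-tolerant check (an assumption about what a fix should do, not
 * nc's actual patch): accept "HTTP/1.<minor> <status>" for any minor
 * version, and treat only a 2xx status as a successfully opened tunnel. */
int tolerant_connect_ok(const char *resp)
{
    const char *p = resp;
    if (strncmp(p, "HTTP/1.", 7) != 0)
        return 0;
    p += 7;
    if (!isdigit((unsigned char)*p) || p[1] != ' ')
        return 0;
    p += 2;
    /* three-digit status code, then space, CR, LF or end of string */
    if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1]) ||
        !isdigit((unsigned char)p[2]))
        return 0;
    if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
        return 0;
    return p[0] == '2';
}

int main(void)
{
    /* Constructed responses: Squid 3.1 style, Squid 3.3/3.4 style, and a refusal. */
    const char *squid31 = "HTTP/1.0 200 Connection established\r\n\r\n";
    const char *squid34 = "HTTP/1.1 200 Connection established\r\n\r\n";
    const char *denied  = "HTTP/1.1 403 Forbidden\r\n\r\n";

    printf("naive:    3.1=%d 3.4=%d 403=%d\n", naive_connect_ok(squid31),
           naive_connect_ok(squid34), naive_connect_ok(denied));
    printf("tolerant: 3.1=%d 3.4=%d 403=%d\n", tolerant_connect_ok(squid31),
           tolerant_connect_ok(squid34), tolerant_connect_ok(denied));
    return 0;
}
```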
Received on Sat Jan 11 2014 - 12:53:15 MST

This archive was generated by hypermail 2.2.0 : Sat Jan 11 2014 - 12:00:04 MST