got a express based SSE server running behind an NGINX proxy. It keeps dropping connections every minute. Here is a curl session with much detail. Please help to diagnose.
curl -N -verbose --http2 -H "Accept:text/event-stream" https://umx.safuyi.com/api/rooms/960/events
* Trying 49.235.227.189:443...
* Connected to umx.safuyi.com (49.235.227.189) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=umx.safuyi.com
* start date: Jan 5 00:00:00 2023 GMT
* expire date: Jan 5 23:59:59 2024 GMT
* subjectAltName: host "umx.safuyi.com" matched cert's "umx.safuyi.com"
* issuer: C=CN; O=TrustAsia Technologies, Inc.; CN=TrustAsia RSA DV TLS CA G2
* SSL certificate verify ok.
> GET /api/rooms/960/events HTTP/1.1
> Host: umx.safuyi.com
> User-Agent: curl/7.79.1
> Referer: rbose
> Accept:text/event-stream
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.0 (Ubuntu)
< Date: Sun, 29 Jan 2023 12:31:33 GMT
< Content-Type: text/event-stream
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Cache-Control: no-cache
<
data: [{"who":"0.36735210198439616/2023-01-29T12:30:25.938Z","did":"left room","room":"960"},{"who":"0.6205505230339852/2023-01-29T12:30:23.668Z","did":"left room","room":"960"},{"who":"0.10731778838068662/2023-01-29T12:31:26.900Z","did":"entered room","room":"960"}]
event: clientId
data: {"clientId": "0.9871521861164745/2023-01-29T12:31:33.839Z"}
* transfer closed with outstanding read data remaining
* Closing connection 0
I put some headers in the response to disable buffering on the NGINX part:
Content-Type: text/event-stream;
Cache-Control: no-cache;
X-Accel-Buffering: no;
did not seems to work
Try changing proxy_read_timeout by default it is 60 seconds.
Source
This is based on a question asked in the book "Computer Networking: Principles, Protocols and Practice" by Olivier Bonaventure. I've read the man pages of both dig and curl on my Linux terminal, but I can't seem to understand how it will help in finding out the physical host of a given website. Do we use both statements separately? Or do we pipe them into one statement?
I'm pretty sure what is meant here is finding out what IP is being used.
You would use dig to get the A record:
~ → dig www.info.ucl.ac.be
; <<>> DiG 9.10.6 <<>> www.info.ucl.ac.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.info.ucl.ac.be. IN A
;; ANSWER SECTION:
www.info.ucl.ac.be. 7200 IN A 130.104.228.160
;; Query time: 459 msec
;; SERVER: 2001:558:feed::1#53(2001:558:feed::1)
;; WHEN: Wed Oct 06 12:27:23 PDT 2021
;; MSG SIZE rcvd: 63
That would give you the physical host of: 130.104.228.160
You can do the same with curl:
~ → curl -svo /dev/null https://www.info.ucl.ac.be
* Trying 130.104.228.160...
* TCP_NODELAY set
* Connected to www.info.ucl.ac.be (130.104.228.160) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [232 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [6286 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=BE; postalCode=1348; ST=Brabant wallon; L=Louvain-la-Neuve; street=Place de l'Universit�, 1; O=Universit� catholique de Louvain; OU=INGI; CN=www.info.ucl.ac.be
* start date: Jul 13 00:00:00 2020 GMT
* expire date: Jul 13 23:59:59 2022 GMT
* subjectAltName: host "www.info.ucl.ac.be" matched cert's "www.info.ucl.ac.be"
* issuer: C=NL; O=GEANT Vereniging; CN=GEANT OV RSA CA 4
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.info.ucl.ac.be
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 06 Oct 2021 19:27:40 GMT
< Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
< X-Powered-By: PHP/7.2.24
< Location: http://www.uclouvain.be/ingi.html
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host www.info.ucl.ac.be left intact
* Closing connection 0
Pay special attention to the the output:
Connected to www. info. ucl. ac. be (130.104.228.160) port 443 (#0)
I am testing the API on a brand-new freemium account. It works as expected for a few examples but it returns 204 No Content for an area I am interested in.
Where can I look up if an area is covered or not?
curl -v \
-X GET \
-H 'Content-Type: *' \
--get 'https://traffic.ls.hereapi.com/traffic/6.1/flow.json' \
--data-urlencode 'bbox=35.8730,14.5108;35.8655,14.5189' \
--data-urlencode 'apiKey=RH2**************************ACis'
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 34.255.189.0:443...
* Connected to traffic.ls.hereapi.com (34.255.189.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=NL; ST=Noord-Brabant; L=Eindhoven; O=HERE Global BV; CN=traffic.ls.hereapi.com
* start date: May 5 08:29:46 2020 GMT
* expire date: May 6 08:29:46 2021 GMT
* subjectAltName: host "traffic.ls.hereapi.com" matched cert's "traffic.ls.hereapi.com"
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
* SSL certificate verify ok.
> GET /traffic/6.1/flow.json?bbox=35.8730%2C14.5108%3B35.8655%2C14.5189&apiKey=RH************s HTTP/1.1
> Host: traffic.ls.hereapi.com
> User-Agent: curl/7.71.1
> Accept: */*
> Content-Type: *
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Accept-Ranges: bytes
< Content-Type: application/json
< Date: Sat, 27 Feb 2021 15:10:20 GMT
< ServedItems: 0
< Server: openresty
< time: 233
< Vary: Accept-Charset, Accept-Language, Accept
< X-NLP-TID: ea69440d-5689-49af-89c9-a6c1538b4725
< X-REQ-MODE: flow-small
< X-Request-Id: REQ-c99544f8-7776-4bb4-9d25-8f148dec8fc9
< X-Served-By: i-04b5db781c349303a.eu-west-1a
< Connection: keep-alive
<
* Connection #0 to host traffic.ls.hereapi.com left intact
Let's say there's a form that you submit to using radio buttons and a standard "submit" button. I want to be able to submit a response to the form not from the website but from the command line with cURL.
When I submit the form on my browser and examine network traffic, here are the important details I see:
URL (sample): www.example.com/folder/ajax.php
Data: {big string of JSON stuff}
Here is the curl call I'm trying:
curl -X POST -H "Content-Type: application/json" -L -d '{big string of json stuff}' http://www.example.com/folder/ajax.php --verbose
The problem I'm experiencing is that my request isn't actually doing anything, namely, I'm not seeing the changes on the website I would expect after submitting the form. Help?
EDIT: I can see my request is failing. A successful call returns something like the line below, which is not appearing. So the question is what's wrong with my call.
{"success":true,"data":{website specific stuff}}
For reference here is what I get when I make the call:
Note: Unnecessary use of -X or --request, POST is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 001.01.001.01:01...
* Connected to www.example.com (001.01.001.01) port 80 (#0)
> POST /example-admin/admin-ajax.php HTTP/1.1
> Host: www.example.com
> User-Agent: curl/7.70.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 273
>
} [273 bytes data]
* upload completely sent off: 273 out of 273 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 20 Jul 2020 20:10:06 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: max-age=3600
< Expires: Mon, 20 Jul 2020 21:10:06 GMT
< Location: https://www.example.com/example.php
< cf-request-id: 040f721ebb000056c7c49ef200000001
< Server: cloudflare
< CF-RAY: 5b5f52ddff2656c7-IAD
<
* Ignoring the response-body
{ [5 bytes data]
100 273 0 0 100 273 0 1560 --:--:-- --:--:-- --:--:-- 1578
* Connection #0 to host www.example.com left intact
* Issue another request to this URL: 'https://www.example.com/folder/admin-ajax.php'
* Switch from POST to GET
* Trying 001.01.01.01:001...
* Connected to www.example.com (001.01.01.01) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2218 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=[location]; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Jul 8 00:00:00 2020 GMT
* expire date: Jul 8 12:00:00 2021 GMT
* subjectAltName: host "www.example.com" matched cert's "www.example.com"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x2552070)
} [5 bytes data]
> POST /example.php HTTP/2
> Host: www.example.com
> user-agent: curl/7.70.0
> accept: */*
> content-type: application/json
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
} [5 bytes data]
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0< HTTP/2 400
< date: Mon, 20 Jul 2020 20:10:07 GMT
< content-type: text/html; charset=UTF-8
< set-cookie: __cfduid=dbb003aa8db90cc84daebeb59f5c0f40f1595275806; expires=Wed, 19-Aug-20 20:10:06 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
< x-robots-tag: noindex
< expires: Wed, 11 Jan 1984 05:00:00 GMT
< cache-control: no-cache, must-revalidate, max-age=0
< vary: User-Agent,Accept-Encoding
< cf-cache-status: DYNAMIC
< cf-request-id: 040f721f0c0000c1cf91808200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5b5f52de7aedc1cf-IAD
<
{ [1 bytes data]
100 1 0 1 0 0 0 0 --:--:-- 0:00:01 --:--:-- 30
* Connection #1 to host www.example.com left intact
I am working on a Linux server RHEL6 and I installed anaconda.
I have the following setup
conda-env version : 4.3.13
conda-build version : 2.1.4
python version : 2.7.13.final.0
rpy2 : 2.8.5
I installed rpy2 to use R in python
> R.home()
[1] "/anaconda2/envs/py27CCA/lib/R"
> R.version
version.string R version 3.3.2 (2016-10-31)
I setup my proxy in the following way:
> Sys.getenv("https_proxy")
[1] "https://login:pwd#xxx.net:8080/"
But downloading R packages doesn't work
> options(internet.info = 0)
> install.packages("httr")
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
....
Warning: unable to access index for repository https://stat.ethz.ch/CRAN/src/contrib:
cannot download all files
Warning message:
package 'httr' is not available (for R version 3.3.2)
But If I installed the same standalone R version with the exact same proxy setup it works without any issue
> R.version
version.string R version 3.3.2 (2016-10-31)
> install.packages("httr")
...
** testing if installed package can be loaded
* DONE (httr)
Making 'packages.html' ... done
...
What is creating this issue ? I check the openssl version and I have the same version in the 2 environments!
This link explain the possible reason of such proxy issue link stackoverflow discussion.
I have the same issue and error messages if I do it inside python
>>> from rpy2.robjects.packages import importr
>>> utils = importr('utils')
>>> utils.install_packages('httr')
TL;DR:
Instead of setting https_proxy to...:
https://login:pwd#xxx.net:8080/
...try setting it to:
http://login:pwd#xxx.net:8080/
Also, by doing this, if someone sniffs packets of the initial connection you make with the proxy server, you will be leaking your credentials. Read further to know more.
IMO, this question has nothing to do with Conda. This is a very common mistake which I find quite prevalent on the internet.
The reason why this happens, is because of the confusion lying around the term "HTTPS Proxy".
IIUC, here is what the two environment variables mean:
http_proxy|HTTP_PROXY: The proxy server that you wish to use, for all
your HTTP requests to the outside world.
https_proxy|HTTPS_PROXY: The proxy server that you wish to use, for
all your HTTPS requests to the outside world.
http(s?)://proxy.mydomain.com:3128
^^^^^ ^^^^^ ^^^^
| | |
scheme proxy domain/IP proxy port
Now, ideally, the scheme specified in the value for these environment variables determines the protocol over which the client ought to connect to the proxy server.
Let's look at definition of an HTTPS proxy. Stealing from the man page for curl >= v7.53:
An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.
With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.
Let's try and see with examples (curl >= v7.53):
Here, I'll use a proxy which does not support client-proxy connection over SSL/TLS.
Make sure no proxy environment variables are set beforehand:
((curl-7_53_1))$ env | grep -i proxy
((curl-7_53_1))$
env: http_proxy, outer_scheme: http, inner_scheme: http
((curl-7_53_1))$ http_proxy="http://proxy.mydomain.com:3128" ./src/curl -s -vvv http://stackoverflow.com -o /dev/null
* Rebuilt URL to: http://stackoverflow.com/
* Trying 10.1.1.7...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (10.1.1.7) port 3128 (#0)
> GET http://stackoverflow.com/ HTTP/1.1
> Host: stackoverflow.com
> User-Agent: curl/7.53.1-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< X-Request-Guid: 539728ee-a91d-4964-bc7e-1d21d91a6f1d
< Content-Length: 228257
< Accept-Ranges: bytes
< Date: Thu, 16 Mar 2017 05:19:31 GMT
< X-Served-By: cache-jfk8137-JFK
< X-Cache: MISS
< X-Cache-Hits: 0
< X-Timer: S1489641571.098286,VS0,VE7
< Vary: Fastly-SSL
< X-DNS-Prefetch-Control: off
< Set-Cookie: prov=b2e2dcb8-c5ff-21d9-5712-a0e012573aa6; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
< X-Cache: MISS from proxy.mydomain.com
< X-Cache-Lookup: MISS from proxy.mydomain.com:3128
< Via: 1.1 varnish, 1.0 proxy.mydomain.com (squid)
* HTTP/1.0 connection set to keep alive!
< Connection: keep-alive
<
{ [2816 bytes data]
* Connection #0 to host proxy.mydomain.com left intact
env: http_proxy, outer_scheme: https, inner_scheme: http
((curl-7_53_1))$ http_proxy="https://proxy.mydomain.com:3128" ./src/curl -s -vvv http://stackoverflow.com -o /dev/null
* Rebuilt URL to: http://stackoverflow.com/
* Trying 10.1.1.7...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (10.1.1.7) port 3128 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
env: https_proxy, outer_scheme: http, inner_scheme: https
((curl-7_53_1))$ https_proxy="http://proxy.mydomain.com:3128" ./src/curl -s -vvv https://stackoverflow.com -o /dev/null
* Rebuilt URL to: https://stackoverflow.com/
* Trying 10.1.1.7...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (10.1.1.7) port 3128 (#0)
* Establish HTTP proxy tunnel to stackoverflow.com:443
> CONNECT stackoverflow.com:443 HTTP/1.1
> Host: stackoverflow.com:443
> User-Agent: curl/7.53.1-DEV
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3044 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=NY; L=New York; O=Stack Exchange, Inc.; CN=*.stackexchange.com
* start date: May 21 00:00:00 2016 GMT
* expire date: Aug 14 12:00:00 2019 GMT
* subjectAltName: host "stackoverflow.com" matched cert's "stackoverflow.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: stackoverflow.com
> User-Agent: curl/7.53.1-DEV
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< X-Frame-Options: SAMEORIGIN
< X-Request-Guid: 96f8fe3c-058b-479e-8ef2-db6d09f485d3
< Content-Length: 226580
< Accept-Ranges: bytes
< Date: Thu, 16 Mar 2017 05:20:39 GMT
< Via: 1.1 varnish
< Connection: keep-alive
< X-Served-By: cache-jfk8135-JFK
< X-Cache: MISS
< X-Cache-Hits: 0
< X-Timer: S1489641639.425108,VS0,VE9
< Vary: Fastly-SSL
< X-DNS-Prefetch-Control: off
< Set-Cookie: prov=f1a401f1-f1a0-5f09-66ca-9a792543ee82; domain=.stackoverflow.com; expires=Fri, 01-Jan-2055 00:00:00 GMT; path=/; HttpOnly
<
{ [2181 bytes data]
* Connection #0 to host proxy.mydomain.com left intact
env: https_proxy, outer_scheme: https, inner_scheme: https
((curl-7_53_1))$ https_proxy="https://proxy.mydomain.com:3128" ./src/curl -s -vvv https://stackoverflow.com -o /dev/null
* Rebuilt URL to: https://stackoverflow.com/
* Trying 10.1.1.7...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (10.1.1.7) port 3128 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
Now, I'll show the same outputs for a proxy which supports connection over SSL/TLS. To run a local https proxy, I have installed squid version 4.0.17. I have pointed proxy.mydomain.com to localhost by overriding it in /etc/hosts. And the relevant squid config line is:
https_port 3127 cert=/etc/squid/ssl_cert/myCA.pem
Please note that I am not using any explicitly specified (complicated?) modes right now (sslbump/intercept/accel/tproxy)
I have added the certificate to the trust store too:
sudo cp /etc/squid/ssl_cert/myCA.pem /etc/pki/ca-trust/source/anchors/mySquidCA.pem
sudo update-ca-trust
Now, for the real test:
env: http_proxy, outer_scheme: https, inner_scheme: http
/t/curl-curl-7_53_1 ❯❯❯ http_proxy=https://proxy.mydomain.com:3127 ./src/curl -s -vvv http://google.com -o /dev/null
* Rebuilt URL to: http://google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (127.0.0.1) port 3127 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1027 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* Proxy certificate:
* subject: C=IN; ST=SomeState; L=SomeLocation; O=Default Company Ltd; CN=proxy.mydomain.com; emailAddress=no-reply#gmail.com
* start date: Mar 16 06:43:35 2017 GMT
* expire date: Mar 16 06:43:35 2018 GMT
* common name: proxy.mydomain.com (matched)
* issuer: C=IN; ST=SomeState; L=SomeLocation; O=Default Company Ltd; CN=proxy.mydomain.com; emailAddress=no-reply#gmail.com
* SSL certificate verify ok.
} [5 bytes data]
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.53.1-DEV
> Accept: */*
> Proxy-Connection: Keep-Alive
>
{ [5 bytes data]
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: http://www.google.co.in/?gfe_rd=cr&ei=ejTKWLGzM-Ts8AepwJyQCg
< Content-Length: 261
< Date: Thu, 16 Mar 2017 06:45:14 GMT
< X-Cache: MISS from lenovo
< X-Cache-Lookup: MISS from lenovo:3128
< Via: 1.1 lenovo (squid/4.0.17)
< Connection: keep-alive
<
{ [5 bytes data]
* Connection #0 to host proxy.mydomain.com left intact
env: https_proxy, outer_scheme: https, inner_scheme: https
/t/curl-curl-7_53_1 ❯❯❯ https_proxy=https://proxy.mydomain.com:3127 ./src/curl -s -vvv https://google.com -o /dev/null
* Rebuilt URL to: https://google.com/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to proxy.mydomain.com (127.0.0.1) port 3127 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [86 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1027 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [262 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
* subject: C=IN; ST=SomeState; L=SomeLocation; O=Default Company Ltd; CN=proxy.mydomain.com; emailAddress=no-reply#gmail.com
* start date: Mar 16 06:43:35 2017 GMT
* expire date: Mar 16 06:43:35 2018 GMT
* common name: proxy.mydomain.com (matched)
* issuer: C=IN; ST=SomeState; L=SomeLocation; O=Default Company Ltd; CN=proxy.mydomain.com; emailAddress=no-reply#gmail.com
* SSL certificate verify ok.
* Establish HTTP proxy tunnel to google.com:443
} [5 bytes data]
> CONNECT google.com:443 HTTP/1.1
> Host: google.com:443
> User-Agent: curl/7.53.1-DEV
> Proxy-Connection: Keep-Alive
>
{ [5 bytes data]
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:#STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3757 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [148 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
* start date: Mar 9 02:43:31 2017 GMT
* expire date: Jun 1 02:20:00 2017 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: google.com
> User-Agent: curl/7.53.1-DEV
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< Location: https://www.google.co.in/?gfe_rd=cr&ei=hDTKWJXlMubs8Aek-6WQAg
< Content-Length: 262
< Date: Thu, 16 Mar 2017 06:45:24 GMT
< Alt-Svc: quic=":443"; ma=2592000; v="36,35,34"
<
{ [262 bytes data]
* Connection #0 to host proxy.mydomain.com left intact
As is evident from the outputs, there is an SSL handshake with the proxy server first in both cases.
Now, I'll rant a little.
Many clients (e.g: curl = 7.51.0), don't support SSL/TLS connection with the proxy itself and throw an error of the sort:
$ https_proxy=https://proxy.mydomain.com:3128 curl -vvvv https://google.com
* Rebuilt URL to: https://google.com/
* Unsupported proxy scheme for 'https://proxy.mydomain.com:3128'
* Closing connection -1
curl: (7) Unsupported proxy scheme for 'https://proxy.mydomain.com:3128'
Then, there are clients (e.g. curl=7.47.0), which would just ignore non-supported schemes in the proxy URL and that would mislead people into believing things about what they accomplished. In general, they would never connect to proxy server over SSL/TLS, even if the variable explicitly specifies the scheme as 'https' and fallback to using unencrypted connection with the proxy server.
Then there are other clients (e.g wget v1.18), which would confuse us further:
In the following case, the error message is misleading, because the
scheme can hold the value https:// even for a HTTP request to the
outside world (as shown in the example above, using squid), since we want the connection to the proxy server to be over SSL/TLS.
http_proxy=https://proxy.mydomain.com:3128 wget http://google.com
Error in proxy URL https://proxy.mydomain.com:3128: Must be HTTP.
Not only this, but the confusion increases, when it falls back, make
us believe that it is probably connecting to the proxy server over
SSL/TLS, when actually it is not, and also making us think that
https:// in the scheme should only work when the inner protocol is
also https://
https_proxy=https://proxy.mydomain-research.com:3128 wget https://google.com
--2017-03-16 11:21:06-- https://google.com/
Resolving proxy.mydomain-research.com (proxy.mydomain-research.com)... 10.1.1.7
Connecting to proxy.mydomain-research.com (proxy.mydomain-research.com)|10.1.1.7|:3128... connected.
Proxy request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2017-03-16 11:21:07-- https://www.google.com/
Connecting to proxy.mydomain-research.com (proxy.mydomain-research.com)|10.1.1.7|:3128... connected.
Proxy request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
For reading more about the security aspects of connecting(and not connecting) with the proxy server over TLS/SSL, visit: https://security.stackexchange.com/a/61336/114965