
HTTP pipelining broken after upgrade to UTM 9.3

In 9.2, the HTTP pipelining works well on HTTP proxy:

telnet 192.168.1.22 8080
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.
GET 192.168.1.2/.../1.1
Host: 192.168.1.2

GET 192.168.1.2/.../1.1
Host: 192.168.1.2

HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 19:59:05 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:08 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=100
Content-Type: text/plain
Proxy-Connection: Keep-Alive

test1
HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 19:59:05 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:12 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=99
Content-Type: text/plain
Proxy-Connection: Keep-Alive

test2

^]
telnet> q
Connection closed.


In 9.3 (tested on 9.304-9 and 9.305-4), HTTP proxy processes only the first request and times out after one minute:

telnet 192.168.1.22 8080
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.
GET 192.168.1.2/.../1.1
Host: 192.168.1.2

GET 192.168.1.2/.../1.1
Host: 192.168.1.2

HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 20:11:57 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:08 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=100
Content-Type: text/plain
Proxy-Connection: keep-alive

test1

Connection closed by foreign host.


The second request is neither processed nor logged in /var/log/http.log.

A real-world scenario affected by this bug is Debian apt configured to pipeline requests (by default in squeeze).

Maybe something to do with changes in ID31116.

Brgds,

Ondrej
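Added example, not part of the original post: a scripted version of the telnet check above that writes all requests to the proxy in one go and counts the complete responses that come back. The names `parse_responses`, `probe_pipelining` and `fake_proxy` are made up for this example, `fake_proxy` is a constructed local stand-in so the script runs offline, and responses are assumed to be framed by Content-Length as in the transcripts.

```python
import socket
import threading
from urllib.parse import urlsplit

def parse_responses(raw: bytes) -> list:
    """Split a byte stream into response bodies using Content-Length framing."""
    bodies = []
    while raw.startswith(b"HTTP/1."):
        head, sep, rest = raw.partition(b"\r\n\r\n")
        match = [l for l in head.split(b"\r\n") if l.lower().startswith(b"content-length:")]
        if not sep or not match:
            break
        length = int(match[0].split(b":", 1)[1])
        if len(rest) < length:
            break  # body not complete yet
        bodies.append(rest[:length])
        raw = rest[length:]
    return bodies

def probe_pipelining(host: str, port: int, urls: list, timeout: float = 5.0) -> list:
    """Send every request in one write, then collect the responses that come back."""
    payload = b"".join(
        f"GET {u} HTTP/1.1\r\nHost: {urlsplit(u).netloc}\r\n\r\n".encode() for u in urls)
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            while len(parse_responses(raw)) < len(urls):
                chunk = sock.recv(4096)
                if not chunk:
                    break  # proxy closed before answering everything
                raw += chunk
        except socket.timeout:
            pass  # proxy went silent; report what arrived
    return parse_responses(raw)

def fake_proxy(answers: int, expected: int = 2) -> int:
    """Constructed stand-in proxy: reads `expected` requests, answers `answers`, closes."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while data.count(b"\r\n\r\n") < expected:
                data += conn.recv(4096)
            for i in range(1, answers + 1):
                body = b"test%d\n" % i
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the real proxy, call `probe_pipelining("192.168.1.22", 8080, [...])` with two full URLs; a result shorter than the URL list means pipelined requests were dropped.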


  • Usually with apt you set up an exception in the HTTP proxy so that it gets bypassed, as apt, yum and others tend not to like HTTP proxy interception at all.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Usually with apt you set up an exception in the HTTP proxy so that it gets bypassed, as apt, yum and others tend not to like HTTP proxy interception at all.


    Proxy interception is a different scenario, although it could be affected as well (I haven't tested it yet). The bug I've described above relates to the "explicit proxy" scenario, i.e. the client is configured to use a proxy, connects to the proxy and sends full URLs in requests.

    Nevertheless, this bug is not about particular apt problems; principally all apps using HTTP pipelining are affected.

    Brgds,

    Ondrej