This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTP pipelining broken after upgrade to UTM 9.3

In 9.2, the HTTP pipelining works well on HTTP proxy:

$ telnet 192.168.1.22 8080
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.
GET 192.168.1.2/.../1.1
Host: 192.168.1.2

GET 192.168.1.2/.../1.1
Host: 192.168.1.2

HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 19:59:05 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:08 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=100
Content-Type: text/plain
Proxy-Connection: Keep-Alive

test1
HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 19:59:05 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:12 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=99
Content-Type: text/plain
Proxy-Connection: Keep-Alive

test2
^]
telnet> q
Connection closed.

In 9.3 (tested on 9.304-9 and 9.305-4), HTTP proxy processes only the first request and times out after one minute:

$ telnet 192.168.1.22 8080
Trying 192.168.1.22...
Connected to 192.168.1.22.
Escape character is '^]'.
GET 192.168.1.2/.../1.1
Host: 192.168.1.2

GET 192.168.1.2/.../1.1
Host: 192.168.1.2

HTTP/1.1 200 OK
Date: Fri, 26 Dec 2014 20:11:57 GMT
Server: Apache
Last-Modified: Fri, 26 Dec 2014 19:24:08 GMT
Accept-Ranges: bytes
Content-Length: 6
X-Frame-Options: deny
Keep-Alive: timeout=5, max=100
Content-Type: text/plain
Proxy-Connection: keep-alive

test1
Connection closed by foreign host.

The second request is neither processed nor logged in /var/log/http.log.

Real world scenario affected by this bug is Debian apt configured to pipeline requests (by default in squeeze).

Maybe something to do with changes in ID31116.

Brgds,

Ondrej

This thread was automatically locked due to age.

Parents

0 packetwerks over 9 years ago

FWIW I am seeing this issue in two use cases:

1. Unable to run apt-get update on Ubuntu boxes with web proxy enabled.
2. Clients unable to install apps on iOS devices

Hopefully some paying customers will enjoy the same issue. [:)]
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 9 years ago in reply to packetwerks

FWIW I am seeing this issue in two use cases:

1. Unable to run apt-get update on Ubuntu boxes with web proxy enabled.
2. Clients unable to install apps on iOS devices

Hopefully some paying customers will enjoy the same issue. [:)]

apt-get not working is a long standing issue. It is one solved by putting the proper exceptions into the http proxy area. if it is a server i just put the server into the proxy bypass. if it is a desktop you jsut make a regex that excepts the appropriate domain. Some webserver d not like having anything intercepting them.

The ios exceptions placed into the current 9.3x utm installs alleviate ios downloads(unless you have https inspection on.) If you are having issues you need to put an https exception for ios into the proxy as apple can(and often does) properly detect the MITM functionality required for htps inspection and breaks.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 9 years ago in reply to packetwerks

FWIW I am seeing this issue in two use cases:

1. Unable to run apt-get update on Ubuntu boxes with web proxy enabled.
2. Clients unable to install apps on iOS devices

Hopefully some paying customers will enjoy the same issue. [:)]

apt-get not working is a long standing issue. It is one solved by putting the proper exceptions into the http proxy area. if it is a server i just put the server into the proxy bypass. if it is a desktop you jsut make a regex that excepts the appropriate domain. Some webserver d not like having anything intercepting them.

The ios exceptions placed into the current 9.3x utm installs alleviate ios downloads(unless you have https inspection on.) If you are having issues you need to put an https exception for ios into the proxy as apple can(and often does) properly detect the MITM functionality required for htps inspection and breaks.

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Andreas.Herzig over 9 years ago in reply to William Warren
I am able to reproduce this bug in Firefox with OpenStreetMap and the following settings:

about:config

network.http.max-persistent-connections-per-server 12
network.http.pipelining true
network.http.proxy.pipelining true

Browse on OSM with MapQuest layer (Akamai CDN)

The bug is triggered with HTTP pipelining enabled and having multiple simultaneous (at least 5) threads/connections.

I would really appreciate it if someone could try the above steps to confirm.

By the way, the .NET framework has pipelining enabled by default in the WebClient and WebRequest classes, so any program using those can be affected.
Cancel
Vote Up 0 Vote Down

Cancel