Package: approx
Version: 5.7-3
Severity: normal

Hi,

We have tested approx behind http_proxy and it works well. To make it work we have added the following override config:

> # /etc/systemd/system/approx@.service.d/override.conf
> [Service]
> Environment=http_proxy=my-proxy.example.com:3129
> Environment=https_proxy=my-proxy.example.com:3129

Our proxy is a default Squid installation which supports the "HTTP CONNECT" method.

When we tested connections via httpS_proxy we got 'apt' errors:

> apt-get update ...
> E: Failed to fetch localhost:9999/debian/dists/stretch/InRelease Clearsigned
> file isn't valid, got 'NOSPLIT' (does the network require authentication?)

The issue happens because the file 'InRelease' in the cache is corrupted (the file contains some proxy headers).

Whenever approx is sending the request to the server, on reply approx strips the proxy headers before storing the content into the cache. See "iter_headers" code here https://salsa.debian.org/ocaml-team/approx/blob/master/url.ml#L64

> | Some header ->
>     let n = String.length header in
>     if n > 0 && header.[n - 1] = '\r' then
>       if n > 1 then begin
>         proc (String.sub header 0 (n - 1));
>         loop ()
>       end else () (* CRLF terminates headers *)
>     else error_message "Unexpected header: %s" header

Unfortunately it doesn't strip httpS_proxy headers properly/fully.

In case of httpS_proxy we have one more section of headers for the TCP connect to the proxy server (I have to create a curl wrapper to dump the reply from proxy server to approx):

> root@myhost:~# https_proxy=my-proxy.example.com:3129 /usr/bin/curl --fail
> --silent --header "Pragma: no-cache" --include --header "If-Modified-Since:
> Thu, 15 Nov 2018 11:24:30 GMT" "myserver.com/debian/dists/stretch/InRelease"
>
> HTTP/1.1 200 Connection established
>
> HTTP/1.1 304 Not Modified
> Date: Thu, 15 Nov 2018 11:48:25 GMT
> Server: Apache/2.4.25 (Debian)
> ETag: "99c-57a8d196e79ff"

Later approx strips the header "HTTP/1.1 200 Connection established" and stores "304 Not Modified" as a payload into 'InRelease' file, which further confuses apt a lot as there is no GPG section => error "Clearsigned file isn't valid, got 'NOSPLIT'".

The first header is the proper proxy reply in case of HTTP CONNECT: https://en.wikipedia.org/wiki/HTTP_tunnel

In this case we need to strip both proxy headers. I am not sure about the proper fix here, as stripping headers is a bit tricky already. Also I didn't find any 'curl' options to mute proxy headers into STDOUT.

I am using Debian GNU/Linux 9.6 (stretch) with default approx 5.7-3 and curl 7.52.1-5+deb9u8.

Thank you for the possible fix here!

-- System Information:
Debian Release: 9.6
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages approx depends on:
ii  adduser                       3.115
ii  bzip2                         1.0.6-8.1
ii  curl                          7.52.1-5+deb9u8
ii  debconf [debconf-2.0]         1.5.61
ii  init-system-helpers           1.48
ii  libc6                         2.24-11+deb9u3
ii  libpcre3                      2:8.39-3
ii  rsyslog [system-log-daemon]   8.24.0-1
ii  xz-utils                      5.2.2-1.2+b1

approx recommends no packages.

Versions of packages approx suggests:
pn  libconfig-model-approx-perl   <none>

-- no debconf information
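
The double header block described in this report, as an added example (not part of the original report and not approx's code): Python that models stripping only the first header block, then consumes every leading block so the "304 Not Modified" status is never stored as payload. All function names are hypothetical, and the sample input is constructed from the curl output quoted above.

```python
import re

# Status line as printed by `curl --include`, e.g. "HTTP/1.1 304 Not Modified".
STATUS_LINE = re.compile(rb"HTTP/\d(?:\.\d)? (\d{3})[^\r\n]*\r\n")

# Constructed sample: the two header blocks from the report, with CRLF endings.
SAMPLE = (
    b"HTTP/1.1 200 Connection established\r\n\r\n"
    b"HTTP/1.1 304 Not Modified\r\n"
    b"Date: Thu, 15 Nov 2018 11:48:25 GMT\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\n"
    b'ETag: "99c-57a8d196e79ff"\r\n\r\n'
)

def strip_first_block_only(raw: bytes) -> bytes:
    """Model of the reported behaviour: drop one header block, keep the rest."""
    return raw.split(b"\r\n\r\n", 1)[1]

def split_responses(raw: bytes):
    """Return ([(status, headers), ...], body), consuming every leading block.

    Assumption: the real body never starts with an HTTP status line, which
    holds for clearsigned files such as InRelease.
    """
    blocks, rest = [], raw
    while (m := STATUS_LINE.match(rest)) is not None:
        end = rest.find(b"\r\n\r\n")
        if end == -1:
            raise ValueError("unterminated header block")
        lines = rest[:end].split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        blocks.append((int(m.group(1)), headers))
        rest = rest[end + 4:]
    return blocks, rest

def has_leaked_headers(cached: bytes) -> bool:
    """True if a cached file starts with an HTTP status line instead of data."""
    return STATUS_LINE.match(cached) is not None

if __name__ == "__main__":
    blocks, body = split_responses(SAMPLE)
    print([status for status, _ in blocks], body)
    print(has_leaked_headers(strip_first_block_only(SAMPLE)))
```

has_leaked_headers can also be run over files already in the cache to find entries that need to be refetched.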