On 27/09/2013 1:31 a.m., Robert Fischer wrote:
> Dear squid developers and users,
>
> after upgrading our squid 2.7 setup to squid 3.3.8 we experience
> problems with a custom Java applet connecting to a HTTPS server.
>
> Both squid 2.7 and squid 3.3.8 are installed on the same machine and use
> the same configuration except the 'http_port' directive. (squid 3.3.8
> uses a copy of the squid 2.7 config file with configuration options
> adapted to the new squid 3.x syntax where necessary).
>
> With squid 2.7 *all* HTTP CONNECT requests from the applet (the applet
> issues a bunch of HTTPS requests to a single server) work just fine.
> With squid 3.3.8 however, the applet issues a couple of HTTPS requests
> and then hangs. Switching the Java proxy settings to the squid 2.7 port
> and starting the applet again solves the problem.

That seems very strange. It would not seem to be a Squid problem though
unless maybe some.host.name resolved to a machine with IPv6
addresses and 3.3 was confusing the client by contacting one of those.

The behaviour changes in CONNECT request handling between 2.7 and 3.3
have only been in the areas of authentication and peer server relaying.
Given the request headers below those would seem extremely unlikely to
be relevant.

> The only apparent difference between squid 2.7 and squid 3.3.8 from
> the client's perspective seems to be HTTP/1.0 vs. HTTP/1.1 in the proxy requests:
>
> connect using squid 2.7:
>
> CONNECT some.host.name:443 HTTP/1.1
> User-Agent: Java/1.7.0_17
> Host: some.host.name
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Proxy-Connection: keep-alive
>
> HTTP/1.0 200 Connection established
>
> connect using squid 3.3.8:
>
> CONNECT some.host.name:443 HTTP/1.1
> User-Agent: Java/1.7.0_17
> Host: some.host.name
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Proxy-Connection: keep-alive
>
> HTTP/1.1 200 Connection established
>
> Looking at the packet dumps taken from the client and internet facing
> NICs on the proxy there are no (at least according to my limited
> knowledge) apparent errors.
>
> So my question would be if there were any changes between the listed
> squid versions in handling HTTP CONNECT requests that might cause the
> above mentioned issue.

Two things here.

Firstly, keep-alive has no meaning on these CONNECT requests. They are a
request to open a tunnel to a given host:port and then *stop* HTTP on
those sockets. The proxy will set up the connection then keep shovelling
bytes back and forward between the client and server until one end
disconnects. Then it will close both server and client connections. End
of story.

Secondly, "Proxy-Connection:" is undefined in HTTP. It is a very old
experimental header created from a misunderstanding about what the
Connection: header did in HTTP/1.0 and still happens to cause problems
all over the place with software written by people who think it has
useful meaning. If you have any say with the developers of that client
please try to get them to stop using it. They could also do with using a
proper User-Agent: header value; they are supposed to place the applet
software label/version.number either as the value or appended to the
relevant GUI U-A label(s).

Amos
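
The tunnel behaviour described in the reply above, as an added example in Python (not Squid's code and not part of the original thread): the request head is the last HTTP on the connection, its headers are ignored, and bytes are relayed until either end disconnects, at which point both sides are closed. The names `pump` and `handle_connect` are made up for this illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then shut down both sockets."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    for s in (src, dst):
        try:
            s.shutdown(socket.SHUT_RDWR)   # also wakes the opposite pump
        except OSError:
            pass                           # other direction got there first

def handle_connect(client):
    """Serve one proxy connection; return the HTTP status of the outcome."""
    buf = b""
    while b"\r\n\r\n" not in buf:          # the request head is the last HTTP
        chunk = client.recv(4096)
        if not chunk or len(buf) > 65536:  # EOF or oversized head: give up
            client.close()
            return 400
        buf += chunk
    head, _, early = buf.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
        client.sendall(b"HTTP/1.1 405 Method Not Allowed\r\n\r\n")
        client.close()
        return 405
    host, _, port = parts[1].rpartition(":")
    try:
        server = socket.create_connection((host.strip("[]"), int(port)), timeout=10)
    except (OSError, ValueError):
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        client.close()
        return 502
    server.settimeout(None)
    # Headers such as Proxy-Connection: keep-alive are deliberately ignored:
    # after the 200 below this connection is a byte pipe, not HTTP.
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if early:
        server.sendall(early)              # bytes the client sent with the head
    back = threading.Thread(target=pump, args=(server, client))
    back.start()
    pump(client, server)                   # returns when either end disconnects
    back.join()
    client.close()
    server.close()
    return 200
```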