On 11 Jan 2014, at 02:54, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:

> On 11/01/2014 6:45 a.m., Simon Beale wrote:
>> Hi
>>
>> I'm trying to upgrade our squid proxies from 3.1.19 to 3.4.2, and have hit
>> a problem where I can no longer proxy ssh/sftp connections through after
>> the upgrade.
>>
>> For testing, I've heavily cut down my squid.conf, to the following
>> configuration on 3.1.19, 3.3.11 and 3.4.2:
>>
>> =============================
>> http_access allow all
>> http_port 3128
>> cache_mem 2 GB
>> maximum_object_size_in_memory 4 MB
>> cache_dir ufs /var/cache/squid 10240 16 256
>> maximum_object_size 1 MB
>> cache_swap_low 80
>> refresh_pattern . 0 20% 4320
>> =============================
>>
>> If I then try to run the following ssh command:
>>
>> ssh -oProxyCommand='nc -v -X connect -x SQUIDHOST:3128 %h %p' github.com
>>
>> With squid 3.1.19, I log in straight away.
>> With squid 3.3.11 and 3.4.2, I get the error:
>>
>> nc: Proxy error: "HTTP/1.1 200 Connection established"
>> ssh_exchange_identification: Connection closed by remote host
>>
>> Looking in the logfiles, it's logged:
>>
>> 1389375458.633 89 10.147.82.2 TCP_MISS/200 0 CONNECT github.com:22 -
>> HIER_DIRECT/192.30.252.131 -
>>
>> Is there some option I'm overlooking to enable me to do these tunnelled
>> SSH/SFTP connections, that was introduced after 3.1.19?
>
> That "HTTP/1.1 200 Connection established" is the HTTP response produced
> by Squid after successfully opening the tunnel.
> Is nc tool getting confused over the HTTP/1.1 version? (3.1 would emit
> HTTP/1.0 label with the same message.)
>

Ahah! Yes, you’re right. I’ve pulled down the source for nc and found that in HTTP proxy mode, it explicitly looks for the string "HTTP/1.0 200" in the response. Patching it to accept HTTP/1.1 as an alternative, it now will successfully make the ssh connection.

Cheers for that!

Simon
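The failure in this thread came from matching the proxy's reply against one fixed string. As an added example (not nc's source and not the patch mentioned above), here is one way a CONNECT client can parse the status line so that both HTTP/1.0 and HTTP/1.1 replies are accepted; the function names `parse_connect_status` and `tunnel_established` are hypothetical, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse the status line of a proxy's reply to CONNECT.
 * Returns the 3-digit status code, or -1 if the line is not a
 * well-formed "HTTP/1.<digit> <3 digits>" status line. */
int parse_connect_status(const char *line)
{
    if (strncmp(line, "HTTP/1.", 7) != 0)
        return -1;
    const char *p = line + 7;
    if (!isdigit((unsigned char)*p))        /* minor version: one digit */
        return -1;
    p++;
    if (*p != ' ')                          /* single space before the code */
        return -1;
    p++;
    for (int i = 0; i < 3; i++)             /* stops at the first non-digit, */
        if (!isdigit((unsigned char)p[i]))  /* so it never reads past NUL    */
            return -1;
    /* The code must end here: reject "2000" or "200x". */
    if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
        return -1;
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

/* Any 2xx reply to CONNECT means the proxy has switched to tunnel mode,
 * whichever HTTP/1.x version label it used. */
int tunnel_established(const char *line)
{
    int code = parse_connect_status(line);
    return code >= 200 && code <= 299;
}

int main(void)
{
    const char *samples[] = {               /* constructed sample replies */
        "HTTP/1.0 200 Connection established\r\n",   /* 3.1-style label  */
        "HTTP/1.1 200 Connection established\r\n",   /* 3.3/3.4-style    */
        "HTTP/1.1 407 Proxy Authentication Required\r\n",
        "SSH-2.0-example\r\n",                       /* not HTTP at all  */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s", tunnel_established(samples[i]), samples[i]);
    return 0;
}
```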