05-17-2010, 09:42 PM
Robert Collins
Subject: APT do not work with Squid as a proxy because of pipelining default

Due to the widespread usage of intercepting proxies, it's very hard, if
not impossible, to determine if a proxy is in use. It's unwise, at
best, to assume that no proxy configured == no proxy processing your
traffic.

-Rob


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/AANLkTik5TeAAZBKfZgWoN2SwQtDR_tb_tG1PnaGtEuJ0@mail.gmail.com
 
05-18-2010, 02:02 AM
Robert Collins
Subject: APT do not work with Squid as a proxy because of pipelining default

Given that pipelining is broken by design, that the HTTP WG has
increased the number of concurrent connections that are recommended,
and removed the upper limit - no. I don't think that disabling
pipelining hurts anyone - just use a couple more concurrent
connections.

-Rob


Archive: http://lists.debian.org/AANLkTikNKCqq8kRQc9zupeLG9gQrglou3zeZgly7-EIe@mail.gmail.com
 
05-19-2010, 03:51 AM
Robert Collins
Subject: APT do not work with Squid as a proxy because of pipelining default

Well, I don't know why something has 'suddenly' become a problem: it's
a known issue for years. The HTTP smuggling
[http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf]
attacks made that very obvious 5 years ago now.

http://en.wikipedia.org/wiki/HTTP_pipelining has a decent overview.

It's nice and interesting that some recent software has it on, but that
is generally because the authors don't realise how broken it is,
IMNSHO.

-Rob


Archive: http://lists.debian.org/AANLkTikdEp4HoGhNs30kc-jRYXqBa9Fmudd9-dvjFMU0@mail.gmail.com
 
05-19-2010, 04:05 AM
Brian May
Subject: APT do not work with Squid as a proxy because of pipelining default

On 19 May 2010 13:51, Robert Collins <robertc@robertcollins.net> wrote:
> Well, I don't know why something has 'suddenly' become a problem: its
> a known issue for years. The HTTP smuggling
> [http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf]
> attacks made that very obvious 5 years ago now.

From my Internet connection, that link seems to be a redirect to
http://www-01.ibm.com/software/rational/offerings/websecurity/, which
doesn't say anything about http security issues.

> http://en.wikipedia.org/wiki/HTTP_pipelining has a decent overview.

I cannot see anything about brokenness of HTTP pipelining here... Did
I miss something?
--
Brian May <brian@microcomaustralia.com.au>


Archive: http://lists.debian.org/AANLkTinCd4PaQGE1xZpwxwn3ILEnm1fzAnVA4QYG5D-v@mail.gmail.com
 
05-19-2010, 04:26 AM
Robert Collins
Subject: APT do not work with Squid as a proxy because of pipelining default

Bah, link staleness.

http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf just worked for me.

Also, I realise that there may be a disconnect here: squid *shouldn't*
break if a client attempts to pipeline through it - if it is, that's a
bug to be fixed; squid just will not read the second request until the
first one is completed.

-Rob


Archive: http://lists.debian.org/AANLkTik7h4lPnXPYHPWb1x2QLyrv_c6d9fMIqybbg9mp@mail.gmail.com
 
05-19-2010, 10:35 PM
David Kalnischkies
Subject: APT do not work with Squid as a proxy because of pipelining default

Hi all,

I don't want to interrupt your battles, so feel free to ignore me,
but I want to raise some questions (for you and me) nonetheless:

The notice about the - in the eyes of the writer of this manpage
section - broken squid version 2.0.2 in the apt.conf manpage
was last changed in 2004, so the issue isn't "new".
The manpage at least claims that this squid version is also broken
with respect to other cache control settings.

I don't know a single bit about squid, but a search for "squid pipeline"
turns up some documentation about a pipeline_prefetch setting:
> Available in: 3.1 2.7 3.HEAD 2.HEAD 3.0 2.6
>
> To boost the performance of pipelined requests to closer
> match that of a non-proxied environment Squid can try to fetch
> up to two requests in parallel from a pipeline.
http://www.squid-cache.org/Doc/config/pipeline_prefetch/

For somebody without knowledge this looks as if any
version in Debian should be able to handle a pipeline -
otherwise this setting wouldn't make much sense…

The default value for the APT option above is, btw, 10, and in apt
#413324 we have a claim that squid works well with a value of 5
or even 8 -- so maybe it is "just" a bug in handling "too many"
pipelined requests? Or something comparable to what happened
in #541428 regarding lighttpd and pipelining (timeout)?
(I am just shooting in the dark.)


Also, when we talk here about pipelines and their usage,
keep in mind that APT's http usage is special compared to
an implementation and usage in a browser:
We have a trust chain available, so we should be on the safe
side security-wise; the number of Debian archives is limited
and most of them should be on a sane webserver
(if not, I would not have much trust in the archive…); and
especially on "apt-get update" we have either a lot of cache
hits (file has not changed) or a lot of very small files (Release,
Index and maybe pdiff) to transfer. New package updates come
from the same archive most of the time and most packages are
relatively small, too, but having an upgrade including at least
500 packages is relatively common…

On the other hand, APT's http client isn't as nice as it could be, in
that it could fall back to non-pipelined requests, retry or whatever.
(And I wouldn't be too surprised if this turned out to be an APT bug.)
As we all know, APT is a Debian native tool and the base of a whole
bunch of other stuff, so besides ranting about its shortcomings we
could also work on patches, as the people with enough knowledge
to do this seem to be already around in this thread.


Thanks in advance and best regards,

David Kalnischkies


P.S. Sorry Luigi Gangitano for cc'ing, but I don't know if you follow
the thread, and I included "squid" in the mail too often not to direct
the mail your way.


Archive: http://lists.debian.org/AANLkTinQ0J1fd78p200QihSq5ctV3qMBwD8srXgJeMlU@mail.gmail.com
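An added example in Python, written for this archive page and not code from the thread, from APT or from Squid. It shows the client behaviour David asks for above: a minimal HTTP/1.1 client that pipelines up to `depth` requests on one connection, reads the responses back strictly in request order, and, when the peer closes the connection part way through the pipeline, keeps the already-answered prefix and refetches the rest one request per connection. The server it talks to is a constructed stand-in, not Squid: it answers in arrival order (Rob's point that a proxy should simply not read ahead) and closes after a fixed `limit` of requests per connection, modelling a proxy that will not take a deep pipeline. The `limit`, `depth` and path names are assumptions, not values taken from the thread.

```python
"""Added example (not from the thread, APT or Squid): an HTTP/1.1 pipelining
client with serial fallback, run against a constructed in-process server that
answers only `limit` requests per connection and then closes it."""
import socket
import threading


def parse_requests(buf):
    """Split buffered bytes into the paths of complete (body-less) requests.
    Returns (paths, leftover) so a partially received request is kept for later."""
    paths = []
    while b"\r\n\r\n" in buf:
        head, buf = buf.split(b"\r\n\r\n", 1)
        request_line = head.split(b"\r\n", 1)[0]
        paths.append(request_line.split(b" ")[1].decode())
    return paths, buf


def serve(listener, limit):
    """Answer requests strictly in arrival order (a pipelining server must never
    reorder) and close the connection after `limit` of them: a constructed
    stand-in for a proxy that will not accept a deep pipeline."""
    while True:
        conn, _ = listener.accept()
        with conn:
            buf, served = b"", 0
            try:
                while served < limit:
                    data = conn.recv(4096)
                    if not data:
                        break
                    buf += data
                    paths, buf = parse_requests(buf)
                    for path in paths[: limit - served]:  # drop anything beyond limit
                        body = f"content of {path}".encode()
                        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s"
                                     % (len(body), body))
                        served += 1
            except OSError:
                pass  # client went away; serve the next connection


def start_server(limit):
    """Bind an ephemeral loopback port, serve on a daemon thread, return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    threading.Thread(target=serve, args=(listener, limit), daemon=True).start()
    return listener.getsockname()[1]


def read_response(sock, buf):
    """Read one Content-Length framed response; `buf` holds bytes already read.
    Returns (body, leftover), or (None, b"") if the peer closed before finishing."""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None, b""
        buf += chunk
    head, buf = buf.split(b"\r\n\r\n", 1)
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(buf) < length:
        chunk = sock.recv(4096)
        if not chunk:
            return None, b""
        buf += chunk
    return buf[:length], buf[length:]


def fetch(host, port, paths, depth):
    """Fetch `paths`, sending up to `depth` requests per connection before reading
    the responses back in the same order. If the peer closes early, the answered
    prefix is kept and the remainder is refetched at depth 1 (serial fallback).
    Returns (bodies in request order, number of fallbacks taken)."""
    bodies, fallbacks, pending = [], 0, list(paths)
    while pending:
        batch = pending[:depth]
        with socket.create_connection((host, port)) as sock:
            sock.sendall(b"".join(
                f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in batch))
            buf, got = b"", 0
            for _ in batch:
                try:
                    body, buf = read_response(sock, buf)
                except ConnectionError:
                    body = None
                if body is None:
                    break
                bodies.append(body)
                got += 1
        pending = pending[got:]
        if got < len(batch):
            if got == 0 and depth == 1:
                raise ConnectionError("peer closed without answering a lone request")
            fallbacks += 1
            depth = 1
    return bodies, fallbacks


if __name__ == "__main__":
    port = start_server(limit=2)
    bodies, fallbacks = fetch("127.0.0.1", port,
                              [f"/pool/pkg{i}.deb" for i in range(5)], depth=4)
    print(len(bodies), "bodies fetched,", fallbacks, "fallback to serial requests")
```

The point worth taking from it is the ordering contract: with pipelining, the only thing tying a response to its request is its position on the connection, so a client that loses count after a truncated pipeline would attach bodies to the wrong URLs. Here the client counts only fully framed responses and resends the rest on a fresh connection, and the signed Release/Index chain David mentions is what catches any body that still ends up mismatched. APT's own knob for this is the apt.conf option Acquire::http::Pipeline-Depth (a real option, though not named on this page); setting it to 0 disables pipelining outright, which is the blunt version of the fallback shown above.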
 
