
Proxy authentication problem using Zinc (issue from Pharo) #103

Open
kasperosterbye opened this issue Nov 18, 2022 · 7 comments

Comments

@kasperosterbye

This issue was raised on Pharo, but I believe it belongs here:
pharo-project/pharo#11867

@svenvc
Owner

svenvc commented Nov 22, 2022

I can't see a path forward that I am confident of.

Let me explain.

An HTTP Proxy for outgoing HTTP traffic from an internal network to the outside world is something you do not see very often today, at least I haven't seen one in a very long time. Personally, I don't really see the use case: why would you do that? You are basically locking and logging the surfing behaviour of all users. Is such a form of surveillance even legal?

We have some basic support for HTTP Proxies, but not for every kind of proxy server. Especially proxy servers that require non-Basic authentication add much complexity. Furthermore, it looks from some casual googling that this is some weird Windows-specific stuff.

It could be that adding support for this situation is not that hard, once you figure out what to do. However, that requires documentation and specification of the proxy server's authentication and mode of operation.

Furthermore, to work on this, you have to be in that internal network, or a similar situation (run that proxy yourself as test). That is really hard to do (for a non-Windows developer).

I certainly want to help anyone who would be willing to give this a try.

@kasperosterbye
Author

Notice @labordep, your issue was moved to the source of the code you mentioned

@labordep
Contributor

Hi,
Same problem with loading Toplo:

EpMonitor disableDuring: [ Author useAuthor: 'Load' during: [ [ Metacello new baseline: 'Toplo'; repository: 'github://plantec/Toplo/src'; onConflictUseIncoming; ignoreImage; load. ] on: MCMergeOrLoadWarning do: [ :warning | warning load ] ] ]

The loading stops with an error on a .ttf file:

[screenshot of the error attached in the original comment; not reproduced here]

How can we help with this problem?

@svenvc
Owner

svenvc commented Dec 12, 2022

The first thing we need is technical information on what kind of proxy you have, what kind of authentication protocol is being used, and so on.

Now, if this is Windows specific, that would be a big problem, unless they implement some open standard.

Just to get some insight into how things work at your site, you could maybe show the contents of curl's debugging output (https://curl.se). This is of course assuming that curl gets through your proxy, if not, that would be a huge problem.

$ curl -v http://zn.stfx.eu/zn/numbers.txt
*   Trying 146.185.177.20:80...
* Connected to zn.stfx.eu (146.185.177.20) port 80 (#0)
> GET /zn/numbers.txt HTTP/1.1
> Host: zn.stfx.eu
> User-Agent: curl/7.84.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 12 Dec 2022 14:39:37 GMT
< Content-Type: text/plain;charset=utf-8
< Content-Length: 71
< Connection: keep-alive
< Modification-Date: Tue, 11 Dec 2018 11:56:22 GMT
< X-Server: Pharo
< 
2
3
5
7
11
13
17
19
23
29
31
37
41
43
47
53
59
61
67
71
73
79
83
89
97
* Connection #0 to host zn.stfx.eu left intact


$ curl -v https://s3-eu-west-1.amazonaws.com/public-stfx-eu/test-2050.txt
*   Trying 52.218.92.83:443...
* Connected to s3-eu-west-1.amazonaws.com (52.218.92.83) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.s3-eu-west-1.amazonaws.com
*  start date: Sep 21 00:00:00 2022 GMT
*  expire date: Aug 30 23:59:59 2023 GMT
*  subjectAltName: host "s3-eu-west-1.amazonaws.com" matched cert's "s3-eu-west-1.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET /public-stfx-eu/test-2050.txt HTTP/1.1
> Host: s3-eu-west-1.amazonaws.com
> User-Agent: curl/7.84.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< x-amz-id-2: dkVr2KxrBsJVikIogjukdR1sEN9RE/tZ5enevis3boVGgWF3CUZzzO/g+izaL7XcS7yHKFJW2/E=
< x-amz-request-id: CKN2RWT0H0JJVR2G
< Date: Mon, 12 Dec 2022 14:45:54 GMT
< Last-Modified: Wed, 27 Jun 2012 11:31:13 GMT
< ETag: "ca9b1208f665b35bb64dd9c17f56bb8a"
< Accept-Ranges: bytes
< Content-Type: text/plain
< Server: AmazonS3
< Content-Length: 2050
< 
Transfer test file of size 2050 bytes.
Line 1
Line 2
Line 3
Line 4
Line 5
Line 6
Line 7
Line 8
Line 9
Line 10
Line 11
Line 12
Line 13
Line 14
Line 15
Line 16
Line 17
Line 18
Line 19
Line 20
Line 21
Line 22
Line 23
Line 24
Line 25
Line 26
Line 27
Line 28
Line 29
Line 30
Line 31
Line 32
Line 33
Line 34
Line 35
Line 36
Line 37
Line 38
Line 39
Line 40
Line 41
Line 42
Line 43
Line 44
Line 45
Line 46
Line 47
Line 48
Line 49
Line 50
Line 51
Line 52
Line 53
Line 54
Line 55
Line 56
Line 57
Line 58
Line 59
Line 60
Line 61
Line 62
Line 63
Line 64
Line 65
Line 66
Line 67
Line 68
Line 69
Line 70
Line 71
Line 72
Line 73
Line 74
Line 75
Line 76
Line 77
Line 78
Line 79
Line 80
Line 81
Line 82
Line 83
Line 84
Line 85
Line 86
Line 87
Line 88
Line 89
Line 90
Line 91
Line 92
Line 93
Line 94
Line 95
Line 96
Line 97
Line 98
Line 99
Line 100
Line 101
Line 102
Line 103
Line 104
Line 105
Line 106
Line 107
Line 108
Line 109
Line 110
Line 111
Line 112
Line 113
Line 114
Line 115
Line 116
Line 117
Line 118
Line 119
Line 120
Line 121
Line 122
Line 123
Line 124
Line 125
Line 126
Line 127
Line 128
Line 129
Line 130
Line 131
Line 132
Line 133
Line 134
Line 135
Line 136
Line 137
Line 138
Line 139
Line 140
Line 141
Line 142
Line 143
Line 144
Line 145
Line 146
Line 147
Line 148
Line 149
Line 150
Line 151
Line 152
Line 153
Line 154
Line 155
Line 156
Line 157
Line 158
Line 159
Line 160
Line 161
Line 162
Line 163
Line 164
Line 165
Line 166
Line 167
Line 168
Line 169
Line 170
Line 171
Line 172
Line 173
Line 174
Line 175
Line 176
Line 177
Line 178
Line 179
Line 180
Line 181
Line 182
Line 183
Line 184
Line 185
Line 186
Line 187
Line 188
Line 189
Line 190
Line 191
Line 192
Line 193
Line 194
Line 195
Line 196
Line 197
Line 198
Line 199
Line 200
Line 201
Line 202
Line 203
Line 204
Line 205
Line 206
Line 207
Line 208
Line 209
Line 210
Line 211
Line 212
Line 213
Line 214
Line 215
Line 216
Line 217
Line 218
Line 219
Line 220
Line 221
Line 222
Line 223
Line 224
Line 225
Line 226
Line 227
Line 228
Line 229
Line 230
Line 231
Line 232
Line 233
Line 234
Line 235
* Connection #0 to host s3-eu-west-1.amazonaws.com left intact

@ELePors

ELePors commented Dec 16, 2022

Hi, I have the same issue as Pierre...

Let's try the curl command:

curl -x "http://:@internal-proxy.local:8080" -v https://s3-eu-west-1.amazonaws.com/public-stfx-eu/test-2050.txt
*    Trying xxx.xxx.xxx.xxx
* TCP_NODELAY set
* Connected to internal-proxy.local (192.168.1.22) port 8080 (#0)
* Establish HTTP proxy tunnel to s3-eu-west-1.amazonaws.com:443
* Proxy auth using Basic with user ''
> CONNECT s3-eu-west-1.amazonaws.com:443 HTTP/1.1
> Host: s3-eu-west-1.amazonaws.com:443
> Proxy-Authorization: Basic Og==
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 authenticationrequired
< Date: Fri, 16 Dec 2022 07:54:08 GMT
< Content-Type: text/html
< Cache-Control: no-cache
< Content-Length: 5621
< X-Frame-Options: deny
< Proxy-Connection: Keep-Alive
< Proxy-Authenticate: Negotiate
<
* Ignore 5621 bytes of response-body
* Received HTTP code 407 from proxy after CONNECT
* Curl_http_done: called premature == 0
* Closing connection 0
curl: (56) Received HTTP code 407 from proxy after CONNECT

I don't know how to handle this...
The git library and git bash allow cloning and pushing using the same proxy configuration...

Thanks
Eric.

@svenvc
Owner

svenvc commented Dec 16, 2022

Hi Eric, Pierre,

This trace gives me less info than I would have expected. I am looking for curl to tell me how it is getting connected to the proxy (which authentication protocol/steps it takes). In your trace, there is just one request (>) and one response (<). Furthermore, the request seems to try Proxy-Authorization: Basic, which is what Pharo/Zinc already supports; also, the response says 407 Authentication Required, which is a failure (as Pharo/Zinc also reports). I am not seeing any negotiating happening (which I would expect to be a back and forth conversation).

Are you sure the curl invocation worked (i.e. returned the lines) with a total size of 2050 bytes?

Sven
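As an added illustration (not part of this thread, and not Zinc's or curl's code), the following Python script reads a `curl -v` trace of the kind Eric posted and extracts the facts Sven is asking about: which proxy-authentication scheme the client offered, which schemes the proxy demanded in its 407, and whether the two overlap. It also decodes the Basic token to show what was actually sent. The trace embedded in it is a trimmed, constructed copy of the one above; the function names are my own.

```python
import base64
import re

# Constructed sample: a trimmed copy of the curl -v trace posted earlier in this
# thread (a proxy CONNECT attempt that ends in a 407 challenge).
SAMPLE_TRACE = """\
* Connected to internal-proxy.local (192.168.1.22) port 8080 (#0)
* Establish HTTP proxy tunnel to s3-eu-west-1.amazonaws.com:443
* Proxy auth using Basic with user ''
> CONNECT s3-eu-west-1.amazonaws.com:443 HTTP/1.1
> Host: s3-eu-west-1.amazonaws.com:443
> Proxy-Authorization: Basic Og==
> User-Agent: curl/7.50.3
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 authenticationrequired
< Date: Fri, 16 Dec 2022 07:54:08 GMT
< Content-Type: text/html
< Proxy-Authenticate: Negotiate
<
* Received HTTP code 407 from proxy after CONNECT
"""

# A request line as curl prints it, e.g. "CONNECT host:443 HTTP/1.1".
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$")


def parse_curl_trace(trace):
    """Split a curl -v trace into request/response exchanges.

    Lines prefixed '> ' are what curl sent, '< ' what it received; '*' lines
    are curl's own commentary and are ignored.  Response header values are kept
    as lists because a header such as Proxy-Authenticate may repeat (one line
    per offered scheme).
    """
    exchanges = []
    current = None
    for line in trace.splitlines():
        if line.startswith("> "):
            body = line[2:].strip()
            if REQUEST_LINE.match(body):
                current = {"request_line": body, "request_headers": {},
                           "status": None, "response_headers": {}}
                exchanges.append(current)
            elif current is not None and ":" in body:
                name, _, value = body.partition(":")
                current["request_headers"][name.strip().lower()] = value.strip()
        elif line.startswith("< ") and current is not None:
            body = line[2:].strip()
            if body.startswith("HTTP/"):
                current["status"] = int(body.split()[1])
            elif ":" in body:
                name, _, value = body.partition(":")
                current["response_headers"].setdefault(
                    name.strip().lower(), []).append(value.strip())
    return exchanges


def decode_basic(credential):
    """Decode a 'Basic <base64>' header value into (user, password).

    Returns None for any other scheme or for a malformed token.
    """
    scheme, _, token = credential.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def diagnose_proxy_auth(trace):
    """Summarise the first exchange in a trace: the scheme the client offered,
    the schemes the proxy demands, and whether the client's scheme is among them.
    """
    exchanges = parse_curl_trace(trace)
    if not exchanges:
        return None
    first = exchanges[0]
    offered = first["request_headers"].get("proxy-authorization")
    offered_scheme = offered.split()[0] if offered else None
    challenges = [value.split()[0]
                  for value in first["response_headers"].get("proxy-authenticate", [])]
    return {
        "method": first["request_line"].split()[0],
        "status": first["status"],
        "offered_scheme": offered_scheme,
        "offered_credentials": decode_basic(offered) if offered_scheme == "Basic" else None,
        "challenge_schemes": challenges,
        # A 407 whose challenge list omits the scheme the client used means the
        # proxy does not accept that scheme at all, regardless of credentials.
        "scheme_mismatch": (first["status"] == 407
                            and offered_scheme is not None
                            and offered_scheme not in challenges),
    }


if __name__ == "__main__":
    for key, value in diagnose_proxy_auth(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against the trace above, the script reports a single CONNECT, an offered scheme of Basic whose token `Og==` decodes to an empty user and an empty password (matching curl's own "Proxy auth using Basic with user ''"), and a 407 whose only challenge is Negotiate. That is why there is no back-and-forth in the trace: curl only tries SPNEGO when asked to (its `--proxy-negotiate` option), so with `-x http://:@...` it sent one Basic attempt that the proxy does not accept, and stopped.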

@ELePors

ELePors commented Dec 16, 2022

Hi !

Curl asks for a Basic authentication protocol and the proxy rejects it, asking for a "negotiate" protocol.
Git manages this kind of proxy authentication mechanism... maybe curl does not...
I have to take a look at the "negotiate" protocol.

Edit: I have found this in the Squid wiki:
https://wiki.squid-cache.org/Features/NegotiateAuthentication

Eric
