[squid-users] how to avoid use http/1.0 between squid and the target

2023-11-22 Thread David Komanek

Hello,

I have a strange problem (definitely some kind of my own ignorance) :

If I try to access anything on the site https://www.samba.org WITHOUT
proxy, my browser negotiates happily for http/2 protocol and receives all
the data. For http://www.samba.org WITHOUT proxy it starts with http/1.1
which is auto-redirected from http to https and continues with http/2.
So far so good.


But WITH proxy, it happens that squid is using http/1.0. The remote site 
is blocking this protocol, requiring at least http/1.1 (confirmed by the 
samba.org website maintainer), so the site remains inaccessible. But 
this is the only site where I have been able to encounter this problem. 
If I connect WITH proxy to other sites, squid is using http/1.1 as expected.


So, I'm lost here, unable to find the reason, why http/1.1 couldn't be 
used by squid in some rare cases. What am I missing here? I am not aware 
of any configuration directives which could cause this.


browsers: chrome, firefox (both updated)
squid: freebsd package (now version 6.5, but I had the same problem
with 5.9 before)


Thanks in advance for some hints here.

Best regards,

  David Komanek
  Charles University in Prague
  Faculty of Science


___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-22 Thread Amos Jeffries

On 22/11/23 23:03, David Komanek wrote:

Hello,

I have a strange problem (definitely some kind of my own ignorance) :

If I try to access anything on the site https://www.samba.org WITHOUT 
proxy, my browser negotiate happily for http/2 protocol and receives all 
the data. For http://www.samba.org WITHOUT proxy it starts with http/1.1 
which is auto-redirected from http to https and continues with http/2. 
So far so good.


But WITH proxy, it happens that squid is using http/1.0.


That is odd. Squid should always be sending requests as HTTP/1.1.

Have a look at the debug level "11,2" cache.log records to see if Squid 
is actually sending 1.0 or if it is just relaying CONNECT requests with 
possibly HTTP/1.0 inside.



HTH
Amos


Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread David Komanek



Date: Thu, 23 Nov 2023 01:44:30 +1300
From: Amos Jeffries 
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] how to avoid use http/1.0 between squid and
the target
Message-ID: 
Content-Type: text/plain; charset=UTF-8; format=flowed

On 22/11/23 23:03, David Komanek wrote:

Hello,

I have a strange problem (definitely some kind of my own ignorance) :

If I try to access anything on the site https://www.samba.org WITHOUT
proxy, my browser negotiate happily for http/2 protocol and receives all
the data. For http://www.samba.org WITHOUT proxy it starts with http/1.1
which is auto-redirected from http to https and continues with http/2.
So far so good.

But WITH proxy, it happens that squid is using http/1.0.

That is odd. Squid should always be sending requests as HTTP/1.1.

Have a look at the debug level "11,2" cache.log records to see if Squid
is actually sending 1.0 or if it is just relaying CONNECT requests with
possibly HTTP/1.0 inside.


Hello,

here are the debug logs (IP addresses redacted) after connection attempt 
to https://samba.org/ :


--
2023/11/27 09:58:07.345 kid1| 11,2| client_side.cc(1332) 
parseHttpRequest: HTTP Client conn21570 local=195.113.x.y:3128 
remote=10.10.a.b:53868 FD 666 flags=1
2023/11/27 09:58:07.345 kid1| 11,2| client_side.cc(1336) 
parseHttpRequest: HTTP Client REQUEST:

-
CONNECT samba.org:443 HTTP/1.1
Host: samba.org:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/119.0.0.0 Safari/537.36



--
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(273) sendStartOfMessage: 
HTTP Client conn21576 local=195.113.x.y:3128 remote=10.10.a.b:16730 FD 
1267 flags=1
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: 
HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the guy on
the other side told me so. According to the log, do you think I can
somehow make it work, or is it definitely a problem on the samba.org
webserver?


Thanks again,

  David



HTH
Amos




Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread Amos Jeffries

On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection attempt 
to https://samba.org/ :



...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: 
HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the guy on 
the other side told me so. According to the log, do you think I can 
somehow make it working or is it definitely problem on the samba.org 
webserver?



That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
the TLS layer - which is expected if that protocol is HTTP/2.



For now you should be able to use 
 to 
allow these tunnels. Alternatively use the "splice" action to explicitly 
bypass the SSL-Bump process.



HTH
Amos
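
Added example (not part of the original thread, and not Squid project code): a small Python triage of debug level "11,2" cache.log dumps like the ones quoted above. It shows that the 400 reply carries X-Squid-Error, so it was generated by the proxy itself, and that no HTTP request was dumped as sent upstream. The sample log is constructed from the excerpts in the thread, and the "HTTP Server REQUEST" label for upstream dumps is an assumption.

```python
import re

# Constructed sample: the thread's cache.log excerpts, unwrapped and shortened.
SAMPLE_LOG = """\
2023/11/27 09:58:07.345 kid1| 11,2| client_side.cc(1336) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT samba.org:443 HTTP/1.1
Host: samba.org:443

----------
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 400 Bad Request
Server: squid/6.5
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0

----------
"""

# Assumption: upstream dumps are labelled "HTTP Server ..." like the client ones.
MARKER = re.compile(r"\| 11,2\| .*HTTP (Client|Server) (REQUEST|REPLY|RESPONSE):\s*$")
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")

def parse_records(text):
    """Return one dict per HTTP message dumped at debug level 11,2."""
    records, cur = [], None
    for line in text.splitlines():
        marker = MARKER.search(line)
        if marker:
            cur = {"peer": marker.group(1), "kind": marker.group(2), "start": None, "headers": {}}
            records.append(cur)
        elif TIMESTAMP.match(line):
            cur = None  # any other log line ends the current dump
        elif cur is None or not line.strip() or set(line.strip()) == {"-"}:
            continue  # outside a dump, blank line, or dashed delimiter
        elif cur["start"] is None:
            cur["start"] = line.strip()  # request line or status line
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["headers"][name.strip().lower()] = value.strip()
    return records

def triage(records):
    """Which HTTP versions went upstream, and which replies did Squid itself generate?"""
    upstream = [r["start"].rsplit(" ", 1)[-1] for r in records
                if r["peer"] == "Server" and r["kind"] == "REQUEST" and r["start"]]
    errors = [r["headers"]["x-squid-error"].split()[0] for r in records
              if r["kind"] == "REPLY" and "x-squid-error" in r["headers"]]
    return {"upstream_versions": upstream, "squid_errors": errors}
```

An empty upstream_versions list together with a non-empty squid_errors list means the failure happened inside the proxy, before any HTTP/1.x request reached the origin server.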


Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread David Komanek


On 11/27/23 10:40, Amos Jeffries wrote:

On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection 
attempt to https://samba.org/ :



...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) 
sendStartOfMessage: HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the guy 
on the other side told me so. According to the log, do you think I 
can somehow make it working or is it definitely problem on the 
samba.org webserver?



That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
the TLS layer - which is expected if that protocol is HTTP/2.



For now you should be able to use 
 to 
allow these tunnels. Alternatively use the "splice" action to 
explicitly bypass the SSL-Bump process.



Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?


Still, I don't understand, why is this case handled by my browsers (or 
squid?) differently from usual HTTPS traffic to other sites. I suppose 
that plenty of sites are accepting HTTP/2 nowadays. A huge lack of 
knowledge on my side :-)



Sincerely,

  David




Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread Amos Jeffries



On 27/11/23 23:05, David Komanek wrote:


On 11/27/23 10:40, Amos Jeffries wrote:

On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection 
attempt to https://samba.org/ :



...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) 
sendStartOfMessage: HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the guy 
on the other side told me so. According to the log, do you think I 
can somehow make it working or is it definitely problem on the 
samba.org webserver?



That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
the TLS layer - which is expected if that protocol is HTTP/2.



For now you should be able to use 
 to 
allow these tunnels. Alternatively use the "splice" action to 
explicitly bypass the SSL-Bump process.



Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?


At the point the error exists it is too late AFAIK.

I was thinking something like:
  acl foo dstdomain samba.org
  on_unsupported_protocol tunnel foo





Still, I don't understand, why is this case handled by my browsers (or 
squid?) differently from usual HTTPS traffic to other sites. I suppose 
that plenty of sites are accepting HTTP/2 nowadays. A huge lack of 
knowledge on my side :-)


I'm not clear exactly why you see this only now, and only with 
samba.org. Squid not supporting HTTP/2 yet is a big part of the problem 
though.



Cheers
Amos


Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread David Komanek


On 11/27/23 11:36, Amos Jeffries wrote:


On 27/11/23 23:05, David Komanek wrote:


On 11/27/23 10:40, Amos Jeffries wrote:

On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection 
attempt to https://samba.org/ :



...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) 
sendStartOfMessage: HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the 
guy on the other side told me so. According to the log, do you 
think I can somehow make it working or is it definitely problem on 
the samba.org webserver?



That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol 
inside the TLS layer - which is expected if that protocol is HTTP/2.



For now you should be able to use 
 to 
allow these tunnels. Alternatively use the "splice" action to 
explicitly bypass the SSL-Bump process.



Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?


doesn't work


At the point the error exists is too late AFAIK.

I was thinking something like:
  acl foo dstdomain samba.org
  on_unsupported_protocol tunnel foo


doesn't work either


Regards,
David





Still, I don't understand, why is this case handled by my browsers 
(or squid?) differently from usual HTTPS traffic to other sites. I 
suppose that plenty of sites are accepting HTTP/2 nowadays. A huge 
lack of knowledge on my side :-)


I'm not clear exactly why you see this only now, and only with 
samba.org. Squid not supporting HTTP/2 yet is a big part of the 
problem though.



Cheers
Amos



Re: [squid-users] how to avoid use http/1.0 between squid and the target

2023-11-27 Thread David Komanek


On 11/27/23 11:36, Amos Jeffries wrote:


On 27/11/23 23:05, David Komanek wrote:


On 11/27/23 10:40, Amos Jeffries wrote:

On 27/11/23 22:21, David Komanek wrote:
here are the debug logs (IP addresses redacted) after connection 
attempt to https://samba.org/ :



...
2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) 
sendStartOfMessage: HTTP Client REPLY:

-
HTTP/1.1 400 Bad Request
Server: squid/6.5
Mime-Version: 1.0
Date: Mon, 27 Nov 2023 08:58:07 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3363
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
Cache-Status: pteryx.natur.cuni.cz
Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
Connection: close

So, it seems it's not true that squid is using http/1.0, but the 
guy on the other side told me so. According to the log, do you 
think I can somehow make it working or is it definitely problem on 
the samba.org webserver?



That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol 
inside the TLS layer - which is expected if that protocol is HTTP/2.



For now you should be able to use 
 to 
allow these tunnels. Alternatively use the "splice" action to 
explicitly bypass the SSL-Bump process.



Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?


At the point the error exists is too late AFAIK.

I was thinking something like:
  acl foo dstdomain samba.org
  on_unsupported_protocol tunnel foo





Still, I don't understand, why is this case handled by my browsers 
(or squid?) differently from usual HTTPS traffic to other sites. I 
suppose that plenty of sites are accepting HTTP/2 nowadays. A huge 
lack of knowledge on my side :-)


I'm not clear exactly why you see this only now, and only with 
samba.org. Squid not supporting HTTP/2 yet is a big part of the 
problem though.



Cheers
Amos



Hello,

I managed to google some options for curl useful in this context, and it 
is quite interesting:


working: curl - --http2 -x cache.my.domain:3128 https://www.samba.org/

working: curl - --http1.1 -x cache.my.domain:3128 https://www.samba.org/

rejected by samba.org: curl - --http1.0 -x cache.my.domain:3128 
https://www.samba.org/

    this returns a simple html page with code 403:
  403 Forbidden
  Request forbidden by administrative rules.
 

not working: chrome, firefox via proxy
   chrome returns "ERR_CONNECTION_CLOSED"
   firefox returns "PR_END_OF_FILE_ERROR"

So, it seems to me that squid doesn't like something with the
heavy-duty browsers in this case. Even if I disable http/2 in firefox,
it makes no difference for me. I'm really confused.


Best regards,
David

