** Description changed: [Impact] Currently CONNECT requests use the name of the proxy as Host value, instead of the origin server's name. According to RFC 2616 "The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL." The current implementation causes problems with some proxy vendors. This commit[0] fixes this. [0] - https://salsa.debian.org/apt- team/apt/commit/86d4d98060f36c7e71c34af20a1193a75496ef72#54d3193c5d10a0032c80c3a6d3f069507265547f [Test Case] + Here's one reproducer an impacted user brought to my attention: + + # /etc/environment + http_proxy="http://internal:8080"; + https_proxy="http://interal:8080"; + + To support application development activities in-house, I had to + configure Azure CLI APT repository following the instructions from + "https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view + =azure-cli-latest": + + $ sudo apt-get update + $ sudo apt-get install curl apt-transport-https lsb-release gnupg + $ curl -sL https://packages.microsoft.com/keys/microsoft.asc | \ + $ gpg --dearmor | \ + $ sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null + $ AZ_REPO=$(lsb_release -cs) + $ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $ $ AZ_REPO main" | \ + $ sudo tee /etc/apt/sources.list.d/azure-cli.list + $ sudo apt update + + In the final "apt update" command, APT respects system-wide network + proxy variables and successfully fetched Canonical repository data over + HTTP. + + However, it was unable to fetch the newly added Microsoft packages + repository served via HTTPS. + + By using Wireshark to examine the HTTPS request made by APT, the request + body reveals as: + + CONNECT packages.microsoft.com:443 HTTP/1.1\r\n + Host: internal:8080\r\n + User-Agent: Debian APT-HTTP/1.3 (1.6.11)\r\n + ... + ... + + [Regression Potential] + + * Fix already in debian, and Eoan + * Has been reviewed/approved by juliank + * A test package (pre-sru) has been provided to an impacted user, and he confirms it solves the situation. [Other Info] # salsa $ git describe --contains 86d4d98060f36c7e71c34af20a1193a75496ef72 1.9.0~8 # rmadison apt => apt | 1.6.11 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x => apt | 1.8.1 | disco-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x apt | 1.9.1 | eoan | source, amd64, arm64, armhf, i386, ppc64el, s390x
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apt in Ubuntu. https://bugs.launchpad.net/bugs/1838771 Title: http:Fix Host header in proxied https connections Status in apt package in Ubuntu: Fix Released Status in apt source package in Bionic: In Progress Status in apt source package in Disco: In Progress Bug description: [Impact] Currently CONNECT requests use the name of the proxy as Host value, instead of the origin server's name. According to RFC 2616 "The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL." The current implementation causes problems with some proxy vendors. This commit[0] fixes this. [0] - https://salsa.debian.org/apt- team/apt/commit/86d4d98060f36c7e71c34af20a1193a75496ef72#54d3193c5d10a0032c80c3a6d3f069507265547f [Test Case] Here's one reproducer an impacted user brought to my attention: # /etc/environment http_proxy="http://internal:8080"; https_proxy="http://interal:8080"; To support application development activities in-house, I had to configure Azure CLI APT repository following the instructions from "https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view =azure-cli-latest": $ sudo apt-get update $ sudo apt-get install curl apt-transport-https lsb-release gnupg $ curl -sL https://packages.microsoft.com/keys/microsoft.asc | \ $ gpg --dearmor | \ $ sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null $ AZ_REPO=$(lsb_release -cs) $ echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $ $ AZ_REPO main" | \ $ sudo tee /etc/apt/sources.list.d/azure-cli.list $ sudo apt update In the final "apt update" command, APT respects system-wide network proxy variables and successfully fetched Canonical repository data over HTTP. However, it was unable to fetch the newly added Microsoft packages repository served via HTTPS. By using Wireshark to examine the HTTPS request made by APT, the request body reveals as: CONNECT packages.microsoft.com:443 HTTP/1.1\r\n Host: internal:8080\r\n User-Agent: Debian APT-HTTP/1.3 (1.6.11)\r\n ... ... [Regression Potential] * Fix already in debian, and Eoan * Has been reviewed/approved by juliank * A test package (pre-sru) has been provided to an impacted user, and he confirms it solves the situation. [Other Info] # salsa $ git describe --contains 86d4d98060f36c7e71c34af20a1193a75496ef72 1.9.0~8 # rmadison apt => apt | 1.6.11 | bionic-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x => apt | 1.8.1 | disco-updates | source, amd64, arm64, armhf, i386, ppc64el, s390x apt | 1.9.1 | eoan | source, amd64, arm64, armhf, i386, ppc64el, s390x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1838771/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
