Re: [squid-users] squid upgrade issue and tunnelled ssh connections

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 11 Jan 2014 15:54:39 +1300

On 11/01/2014 6:45 a.m., Simon Beale wrote:
> Hi
>
> I'm trying to upgrade our squid proxies from 3.1.19 to 3.4.2, and have hit
> a problem where I can no longer proxy ssh/sftp connections through after
> the upgrade.
>
> For testing, I've heavily cut down my squid.conf, to the following
> configuration on 3.1.19, 3.3.11 and 3.4.2:
>
> =============================
> http_access allow all
> http_port 3128
> cache_mem 2 GB
> maximum_object_size_in_memory 4 MB
> cache_dir ufs /var/cache/squid 10240 16 256
> maximum_object_size 1 MB
> cache_swap_low 80
> refresh_pattern . 0 20% 4320
> =============================
>
> If I then try to run the following ssh command:
>
> ssh -oProxyCommand='nc -v -X connect -x SQUIDHOST:3128 %h %p' github.com
>
> With squid 3.1.19, I log in straight away.
> With squid 3.3.11 and 3.4.2, I get the error:
>
> nc: Proxy error: "HTTP/1.1 200 Connection established"
> ssh_exchange_identification: Connection closed by remote host
>
> Looking in the logfiles, it's logged:
>
> 1389375458.633 89 10.147.82.2 TCP_MISS/200 0 CONNECT github.com:22 -
> HIER_DIRECT/192.30.252.131 -
>
> Is there some option I'm overlooking to enable me to do these tunnelled
> SSH/SFTP connections, that was introduced after 3.1.19?

That "HTTP/1.1 200 Connection established" is the HTTP response produced
by Squid after successfully opening the tunnel.
Is the nc tool getting confused over the HTTP/1.1 version? (3.1 would emit
an HTTP/1.0 label with the same message.)

The "ssh_exchange_identification: Connection closed by remote host"
seems to be the issue.

Amos
Received on Sat Jan 11 2014 - 02:55:02 MST
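
The question raised in the reply above, whether a client that expects an HTTP/1.0 label trips over an HTTP/1.1 status line on a successful CONNECT, shown as an added example (not part of the original thread, and not code from nc or Squid). `strict_check` is a hypothetical version-pinned check, and `parse_connect_reply`, `tunnel_established` and the sample replies are constructed for illustration.

```python
import re

# Status line: HTTP-version SP 3DIGIT SP reason-phrase
STATUS_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def strict_check(reply: bytes) -> bool:
    """Hypothetical client check that only accepts an HTTP/1.0 label."""
    return reply.startswith(b"HTTP/1.0 200 ")


def parse_connect_reply(buf: bytes):
    """Parse a proxy's reply to CONNECT.

    Returns (version, status, reason, leftover). leftover holds tunnel bytes
    that arrived in the same read, after the blank line ending the headers;
    they belong to the tunnelled protocol and must not be discarded.
    Raises ValueError on an incomplete or malformed reply.
    """
    head, sep, leftover = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete reply: no end of headers yet")
    m = STATUS_RE.match(head.split(b"\r\n", 1)[0])
    if not m:
        raise ValueError("malformed status line")
    major, minor, status, reason = m.groups()
    version = "%s.%s" % (major.decode(), minor.decode())
    return version, int(status), (reason or b"").decode("latin-1"), leftover


def tunnel_established(buf: bytes) -> bool:
    """Any 2xx answer to CONNECT means the tunnel is open, whatever the version."""
    _, status, _, _ = parse_connect_reply(buf)
    return 200 <= status <= 299


# Constructed sample replies using the two version labels named in the thread.
# The SSH banner after the blank line is made up, to show early tunnel bytes.
REPLY_10 = b"HTTP/1.0 200 Connection established\r\n\r\n"
REPLY_11 = b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-example\r\n"
REPLY_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for r in (REPLY_10, REPLY_11, REPLY_DENIED):
        print(r.split(b"\r\n")[0], strict_check(r), tunnel_established(r))
```
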
