PHP: failed to open stream: Cannot connect to HTTPS server through proxy


PHP: failed to open stream: Cannot connect to HTTPS server through proxy

chiasa.men
I tried to install a joomla-Plugin from behind squid. It didn't work. I could
reproduce the error using the following php-script:


> <?php
> // $proxy and $port: the squid host and port, assigned before this point
> $url="https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip";
> $ctx = stream_context_create(['http' => ['proxy' => "tcp://$proxy:$port"],
> 'ssl' => ['capture_session_meta' => TRUE]]);
> $html = file_get_contents($url, FALSE, $ctx);
> $meta = stream_context_get_options($ctx)['ssl']['session_meta'];
> var_dump($meta);
> ?>


Results in:

> PHP Warning:  file_get_contents(): Peer certificate CN=`*.s3-us-west-2.amazonaws.com' did not match expected CN=`downloads.joomla.org' in /tmp/test.php on line 5
> PHP Warning:  file_get_contents(https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip): failed to open stream: Cannot connect to HTTPS server through proxy in /tmp/test.php on line 5

For $url="https://cdn.joomla.org/images/Joomla_logo.png" it works.

Squid produces the following log:

2018/03/10 13:19:48.252 kid1| 5,2| TcpAcceptor.cc(226) doAccept: New
connection on FD 17
2018/03/10 13:19:48.252 kid1| 5,2| TcpAcceptor.cc(317) acceptNext: connection
on local=localhost:localport remote=[::] FD 17 flags=9
2018/03/10 13:19:48.252 kid1| 17,2| QosConfig.cc(126) getNfmarkFromConnection:
QOS: Failed to retrieve connection mark: (-1) (1) Operation not permitted
(Destination localhost:localport, source localhost:47200)
2018/03/10 13:19:48.252 kid1| 11,2| client_side.cc(1329) parseHttpRequest:
HTTP Client local=localhost:localport remote=localhost:47200 FD 18 flags=1
2018/03/10 13:19:48.252 kid1| 11,2| client_side.cc(1333) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT downloads.joomla.org:443 HTTP/1.0


----------
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(755)
clientAccessCheckDone: The request CONNECT downloads.joomla.org:443 is
ALLOWED; last ACL checked: all
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(731)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2018/03/10 13:19:48.253 kid1| 85,2| client_side_request.cc(755)
clientAccessCheckDone: The request CONNECT downloads.joomla.org:443 is
ALLOWED; last ACL checked: all
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:
Find IP destination for: downloads.joomla.org:443' via downloads.joomla.org
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths:
Found sources for 'downloads.joomla.org:443'
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths:  
always_direct = DENIED
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(305) peerSelectDnsPaths:    
never_direct = DENIED
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(309) peerSelectDnsPaths:          
DIRECT = local=0.0.0.0 remote=72.29.124.146:443 flags=1
2018/03/10 13:19:48.253 kid1| 44,2| peer_select.cc(318) peerSelectDnsPaths:        
timedout = 0
2018/03/10 13:19:48.925 kid1| 33,2| client_side.cc(585) swanSong:
local=localhost:localport remote=localhost:47200 flags=1

==> /var/log/squid/access.log <==
localhost - - [10/Mar/2018:13:19:48 +0000] "CONNECT downloads.joomla.org:443
HTTP/1.0" 200 5843 "-" "-" TCP_TUNNEL:HIER_DIRECT [] []

==> /var/log/squid/cache.log <==
2018/03/10 13:19:48.927 kid1| 5,2| TcpAcceptor.cc(226) doAccept: New
connection on FD 17
2018/03/10 13:19:48.928 kid1| 5,2| TcpAcceptor.cc(317) acceptNext: connection
on local=localhost:localport remote=[::] FD 17 flags=9
2018/03/10 13:19:48.928 kid1| 17,2| QosConfig.cc(126) getNfmarkFromConnection:
QOS: Failed to retrieve connection mark: (-1) (1) Operation not permitted
(Destination localhost:localport, source localhost:47206)
2018/03/10 13:19:48.972 kid1| 11,2| client_side.cc(1329) parseHttpRequest:
HTTP Client local=localhost:localport remote=localhost:47206 FD 18 flags=1
2018/03/10 13:19:48.972 kid1| 11,2| client_side.cc(1333) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT s3-us-west-2.amazonaws.com:443 HTTP/1.0


----------
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(755)
clientAccessCheckDone: The request CONNECT s3-us-west-2.amazonaws.com:443 is
ALLOWED; last ACL checked: all
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(731)
clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2018/03/10 13:19:48.973 kid1| 85,2| client_side_request.cc(755)
clientAccessCheckDone: The request CONNECT s3-us-west-2.amazonaws.com:443 is
ALLOWED; last ACL checked: all
2018/03/10 13:19:48.973 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:
Find IP destination for: s3-us-west-2.amazonaws.com:443' via s3-us-
west-2.amazonaws.com
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(303) peerSelectDnsPaths:
Found sources for 's3-us-west-2.amazonaws.com:443'
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(304) peerSelectDnsPaths:  
always_direct = DENIED
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(305) peerSelectDnsPaths:    
never_direct = DENIED
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(309) peerSelectDnsPaths:          
DIRECT = local=0.0.0.0 remote=52.218.192.176:443 flags=1
2018/03/10 13:19:49.006 kid1| 44,2| peer_select.cc(318) peerSelectDnsPaths:        
timedout = 0
2018/03/10 13:19:49.618 kid1| 33,2| client_side.cc(585) swanSong:
local=localhost:localport remote=localhost:47206 flags=1


==> /var/log/squid/cache.log <==
2018/03/10 13:19:49.619 kid1| ctx: enter level  0: 'https://example.com/tmp/
test.php'
2018/03/10 13:19:49.619 kid1| 11,2| http.cc(720) processReplyHeader: HTTP
Server local=intProxIp:35486 remote=intWebIp:443 FD 12 flags=1
2018/03/10 13:19:49.620 kid1| 11,2| http.cc(724) processReplyHeader: HTTP
Server RESPONSE:
---------
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2018 13:19:48 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 196
Keep-Alive: timeout=360, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

----------

==> /var/log/squid/access.log <==
localhost - - [10/Mar/2018:13:19:49 +0000] "CONNECT s3-us-
west-2.amazonaws.com:443 HTTP/1.0" 200 3237 "-" "-" TCP_TUNNEL:HIER_DIRECT []
[]

==> /var/log/squid/cache.log <==
2018/03/10 13:19:49.620 kid1| ctx: exit level  0
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.620 kid1| 88,2| client_side_reply.cc(2083)
processReplyAccessResult: The reply for GET https://example.com/tmp/test.php 
is ALLOWED, because it matched all
2018/03/10 13:19:49.620 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP
Client local=intProxIp:3128 remote=requestingIp:50115 FD 10 flags=1
2018/03/10 13:19:49.620 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP
Client REPLY:
---------
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2018 13:19:48 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 196
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from www.example.com
X-Cache-Lookup: MISS from www.example.com:3129
Via: 1.1 www.example.com (squid)
Connection: keep-alive


----------
2018/03/10 13:19:49.620 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2018/03/10 13:19:49.621 kid1| 20,2| store.cc(991) checkCachable:
StoreEntry::checkCachable: NO: not cachable
With wget, it works perfectly. Is that a PHP problem or squid related?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: PHP: failed to open stream: Cannot connect to HTTPS server through proxy

Amos Jeffries
Administrator

On 11/03/18 02:32, chiasa.men wrote:

> I tried to install a joomla-Plugin from behind squid. It didn't work. I could
> reproduce the error using the following php-script:
>
>
>> <?php
>> $url="https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip";
>> $ctx = stream_context_create(['http' => ['proxy' => "tcp://$proxy:$port"],
>> 'ssl' => ['capture_session_meta' => TRUE]]);
>> $html = file_get_contents($url , FALSE, $ctx);
>> $meta = stream_context_get_options($ctx)['ssl']['session_meta'];
>> var_dump($meta);
>> ?>
>
>
> Results in:
>
>> PHP Warning:  file_get_contents(): Peer certificate CN=`*.s3-us-west-2.amazonaws.com' did not match expected CN=`downloads.joomla.org' in /tmp/test.php on line 5

Please read that error message.
 downloads.joomla.org is not a part of *.s3-us-west-2.amazonaws.com

This "CN=" is a TLS certificate error and has nothing to do with the proxy.

Why the proxy is being asked to connect to s3-us-west-2.amazonaws.com is
not clear, but the proxy is only doing exactly what is asked of it. Any
issues like this which occur with the data inside the CONNECT tunnel are
purely a problem between client and server.

Amos
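Added diagnostic example (not code from either poster) for narrowing down why the proxy is asked to CONNECT to s3-us-west-2.amazonaws.com: it fetches through squid with redirects disabled so any Location header becomes visible, then follows each hop with a fresh stream context, so every hop's certificate is verified against that hop's own host name instead of the first URL's. The proxy address is a placeholder, and the idea that the second CONNECT in access.log is caused by a redirect is an inference from the two log lines, not something the thread states.

```php
<?php
// Added example, not from the thread. The proxy address is a placeholder.
const PROXY = 'tcp://squid.example.invalid:3128';
// One request through the proxy with redirects NOT followed and certificate checks
// left on. Returns [status, headers, body] so the caller can see where the server
// points us before any second CONNECT is issued.
function fetch_once(string $url): array
{
    $ctx = stream_context_create([
        'http' => [
            'proxy'           => PROXY,
            'follow_location' => 0,     // stop at the first hop
            'ignore_errors'   => true,  // return 3xx/4xx responses instead of a warning
        ],
        'ssl' => [
            'verify_peer'      => true, // do not "fix" a CN mismatch by turning this off
            'verify_peer_name' => true,
            'peer_name'        => parse_url($url, PHP_URL_HOST), // host of THIS hop
        ],
    ]);
    $body    = file_get_contents($url, false, $ctx);
    $headers = $http_response_header ?? [];
    $status  = 0;
    if ($headers && preg_match('#^HTTP/\S+\s+(\d{3})#', $headers[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $headers, $body];
}
// Follow redirects by hand with a fresh context per hop, so each hop's certificate
// is checked against that hop's own host name rather than the first URL's.
function fetch_following(string $url, int $max_hops = 5): array
{
    for ($hop = 0; $hop < $max_hops; $hop++) {
        [$status, $headers, $body] = fetch_once($url);
        fprintf(STDERR, "hop %d: %s -> HTTP %d\n", $hop, $url, $status);
        if ($status < 300 || $status >= 400) {
            return [$status, $body];         // final answer (200, 404, ...)
        }
        $next = null;
        foreach ($headers as $h) {
            if (stripos($h, 'Location:') === 0) { $next = trim(substr($h, 9)); }
        }
        if ($next === null) { return [$status, $body]; }
        $url = $next;
    }
    throw new RuntimeException('too many redirects');
}

[$status, $zip] = fetch_following('https://downloads.joomla.org/extensions/install-from-web/1-1-1/plg_webinstaller_3.7v1.1.1.zip');
printf("final status %d, %d bytes\n", $status, strlen((string) $zip));
```

The per-hop trace on stderr shows which host each CONNECT is for and what status it returned, which is exactly the information the cache.log excerpt above lacks; only absolute Location values are handled here.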