Preferred proxy authentication methods removed #296
Took me some time, but managed to build and test directly from branch. And learned some things on the way :-)
I checked the traffic with Wireshark to confirm that in both cases what was expected actually happened (i.e. CONNECT -> 407 -> CONNECT with BASIC credentials -> Connection established in the first case and CONNECT -> Connection established in the second case).
As the Mina documentation of ProxyIOSession.getPreferedOrder() points out, the order is only used for http proxies (and you can confirm that by looking into their source code). However, for good measure, I also tried against an authenticating Socks 5 Proxy (some badly misused variant of jsocks), and this also works.
@the-thing @curdreinert Great, thanks guys!
@curdreinert Good work and thanks for the suggestion with the unit test - I've changed it. SOCKS proxy handshake seems to be different. According to the RFC https://tools.ietf.org/html/rfc1928, for a SOCKS proxy the client advertises available methods and the server chooses which one to use. Current MINA version advertises NO_AUTH, GSSAPI_AUTH, BASIC_AUTH statically, order does not matter for the client (but I assume it might be configured within the proxy server itself). For HTTP proxy, the server returns available methods and the client chooses how to authenticate. org.apache.mina.proxy.handlers.socks.Socks5LogicHandler#writeRequest
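The two negotiation directions described in the comments above (SOCKS5: client advertises, server picks; HTTP: proxy offers schemes in the 407, client picks), as an added Python sketch that is not part of the original thread and is not QuickFIX/J or MINA code. Function names, the target host and the credentials used with it are constructed for illustration.

```python
import base64

# SOCKS5 method codes (RFC 1928, section 3).
NO_AUTH, GSSAPI, USER_PASS, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF

# Constructed sample response (not captured traffic); the realm is the one
# from the Squid configuration quoted in this thread.
SAMPLE_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              "Proxy-Authenticate: Basic realm=\"Squid proxy-caching web server\"\r\n"
              "Content-Length: 0\r\n\r\n")

def socks5_greeting(methods=(NO_AUTH, GSSAPI, USER_PASS)):
    """Client greeting: VER=5, NMETHODS, METHODS. The client only advertises."""
    return bytes([0x05, len(methods), *methods])

def socks5_selected_method(reply, advertised):
    """Parse the server's 2-byte choice; refuse a method that was not offered."""
    if len(reply) != 2 or reply[0] != 0x05:
        raise ValueError("malformed SOCKS5 method selection")
    if reply[1] == NO_ACCEPTABLE or reply[1] not in advertised:
        raise ValueError("server accepted none of the advertised methods")
    return reply[1]

def http_offered_schemes(response_407):
    """List the schemes an HTTP proxy offers in its Proxy-Authenticate headers."""
    head = response_407.split("\r\n\r\n", 1)[0].split("\r\n")
    if head[0].split(" ")[1:2] != ["407"]:
        raise ValueError("not a 407 response")
    schemes = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(" ", 1)[0].lower())
    return schemes

def http_connect_retry(target, user, password, schemes):
    """Second CONNECT: the client chooses here; this sketch only speaks Basic."""
    if "basic" not in schemes:
        raise ValueError("proxy does not offer Basic")
    # Basic is base64 of "user:password": an encoding, not encryption.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n")
```

Because the Basic token decodes back to the user name and password, the hop between the FIX client and the proxy should be treated as carrying the credentials in the clear.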
* preferred proxy auth methods removed
* changed proxy type and version in unit test
Can you please provide more details with some sample of configurations you tried with Squid? What are the values used at QFJ end? Can we do the same with Apache proxy?
@sachin681 Please don't use the bug tracker for help requests. See https://github.com/quickfix-j/quickfixj#questions
Sorry for posting it here. I will post the question on the right forum.
Hi,
coming from a working squid configuration, we added more or less the
following lines:
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
So we set up an access control list (acl) called ncsa_users for which
proxy authentication was required, and allowed access only for that acl.
The authentication parameters say that we use a basic authentication, that
the user id and password are stored in a file called /etc/squid/passwd and
that the tool basic_ncsa_auth (see
https://manpages.debian.org/testing/squid/basic_ncsa_auth.8.en.html) is
used to verify against that file. I'm not sure what the "children" and
"realm" parameters are for, I guess the guy who set it up copied it from
some online how to. TTL for the credentials and casesensitiveness should
be obvious.
On the Quickfix side, we set ProxyType to http, ProxyHost and ProxyPort to
point to the Squid proxy, and ProxyUser and ProxyPassword as needed by
Squid.
My guess would be that you set up an authenticating web proxy with Apache's
mod_proxy module, but I've never done it and can't tell you how to do it.
Best regards
Curd
Thanks a lot for your detailed response.
We will try out the following steps.
Fixes #295
Opening as a DRAFT before we gather the test evidence.
@curdreinert
Would you be able to build or test directly from branch? At the moment I'm using CCProxy for Windows, but I struggle to get either SOCKS or HTTP method to work (most likely a setup issue). Also, what OS and proxy software are you using? I will have a look again in the evening/tomorrow.