Package: apt-cacher
Version: 1.5.5
Severity: important
Tags: patch
Apt-cacher failed to fetch any files from the mirrors after upgrading to
1.5.5. We tracked down the reason for this to /usr/sbin/apt-cacher lines
528 and the following where apt-cacher tries to distinguish between
requests targeted at itself ("host mode") and those targeted at other servers
("proxy mode"). To this end, apt-cacher tries to connect to the target host
and then compares the normalized address as read from the connected socket
against its configuration settings. It also tries to take a short cut there
and refuse the entire request if this connection attempt fails.
Unfortunately, the proxy settings (use_proxy, http_proxy) are ignored at
this stage. So every client request for "proxy mode" must fail if the use
of an http proxy is required to complete it.
I have created a workaround (see the patch included below) that is based
on the following rules:
- Assume that the use of an http proxy is not required to connect to any
address that apt-cacher recognizes as its own.
- If use_proxy is set and the connection fails then treat it as an
indication that "proxy mode" is to be used, and do not refuse the
request at this point.
Relevant information:
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages apt-cacher depends on:
ii bzip2 1.0.3-7 high-quality block-sorting file co
ii libwww-perl 5.805-1 WWW client/server library for Perl
ii perl 5.8.8-7 Larry Wall's Practical Extraction
apt-cacher recommends no packages.
-- no debconf information
Excerpt from an apt-cacher/error.log written by the debug-enabled,
unpatched version:
Wed Oct 17 14:16:34 2007|local|debug [5806]: Apt-Cacher started with Debug output enabled, accepting connections...
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5806]: Connection from 146.140.220.150
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: New HTTP connection open
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: testing allowed_hosts
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: checking against 146.140.220.0/23
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5806]: registred child process: 5807
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: testing denied_hosts
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Client 146.140.220.150 passed access control rules
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Processing a new request line
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got: GET http://security.debian.org/dists/stable/updates/Release.gpg HTTP/1.1
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Processing a new request line
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got: Host: security.debian.org
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Processing a new request line
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got: Cache-Control: max-age=0
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Processing a new request line
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got: User-Agent: Debian APT-HTTP/1.3 (0.7.6)
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Processing a new request line
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got:
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Checking host security.debian.org in absolute URI
Wed Oct 17 14:16:39 2007|146.140.220.150|info [5807]: Unable to connect to security.debian.org
The log is not particularly helpful as to the cause but it shows where the
refusal originates: The last log message is written in apt-cacher,
line 537, and the child sends a 404 back to the client and exits at that
point.
Now for the indicated workaround. In the presence of the use_proxy option,
a possible failed connect is ignored in line 536, and taken as an
indication of a non-local address in line 544. We also have to guard
$sock being undef'd, or the child will silently die. (Might consider
logging non-zero exit codes from child processes.)
The diff:
pluto:~# diff -c /usr/sbin/apt-cacher.orig /usr/sbin/apt-cacher
*** /usr/sbin/apt-cacher.orig 2007-10-17 14:40:42.000000000 +0200
--- /usr/sbin/apt-cacher 2007-10-17 14:47:36.000000000 +0200
***************
*** 533,539 ****
# overridden if
port
# also in PeerAddr
Proto => "tcp");
! if (!defined $sock) {
info_message("Unable to connect to $1");
&sendrsp(404, "Unable to connect to $1");
exit(4);
--- 533,539 ----
# overridden if
port
# also in PeerAddr
Proto => "tcp");
! if ( (!defined $sock) && (!$$cfg{use_proxy}) ) {
info_message("Unable to connect to $1");
&sendrsp(404, "Unable to connect to $1");
exit(4);
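Review bot: In the changed condition `if ( (!defined $sock) && (!$$cfg{use_proxy}) )`, a failed connect with use_proxy set now passes without any log entry, so error.log no longer records that the probe failed. Add a debug_message for that case before falling through, so the decision to assume "proxy mode" is visible when debugging. The probe connection that ends at `Proto => "tcp");` is also still attempted for every absolute-URI request even when use_proxy is set; consider skipping it in that configuration or documenting why it is kept, since its result is then only used to recognise the server's own address.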
***************
*** 541,548 ****
# Both host and port need to be matched. In inetd mode daemon_port
# is read from inetd.conf by get_inetd_port(). CGI mode shouldn't
# get absolute URLs.
! if ($sock->sockhost =~ $sock->peerhost &&
! $sock->peerport == $$cfg{daemon_port}) { # Host is this host
debug_message("Host in Absolute URI is this server");
$path =~ s!^http://[^/]+!!; # Remove prefix and hostname
}
--- 541,548 ----
# Both host and port need to be matched. In inetd mode daemon_port
# is read from inetd.conf by get_inetd_port(). CGI mode shouldn't
# get absolute URLs.
! if ((defined $sock) && ($sock->sockhost =~ $sock->peerhost &&
! $sock->peerport == $$cfg{daemon_port})) { # Host is this host
debug_message("Host in Absolute URI is this server");
$path =~ s!^http://[^/]+!!; # Remove prefix and hostname
}
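Review bot: The comparison kept in the changed lines, `$sock->sockhost =~ $sock->peerhost`, uses the peer address as an unanchored regular expression, so each "." matches any character and a substring match is enough; both sides are address strings, so `eq` states the intended test exactly. With `$sock` undefined the code now takes the "not this server" branch, which deserves a one-line comment next to the `defined $sock` guard so the use_proxy fall-through is not mistaken for an oversight.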
***************
*** 550,556 ****
debug_message("Host in Absolute URI is not this server");
$path =~ s!^http:/!!; # Remove absolute prefix
}
! $sock->shutdown(2); # Close
}
debug_message("Resolved request is $path");
--- 550,556 ----
debug_message("Host in Absolute URI is not this server");
$path =~ s!^http:/!!; # Remove absolute prefix
}
! defined($sock) and $sock->shutdown(2); # Close
}
debug_message("Resolved request is $path");
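Review bot: `defined($sock) and $sock->shutdown(2);` is the third separate `defined $sock` test in this patch; wrapping the address comparison and the shutdown in one `if (defined $sock) { ... } else { ... }` block would keep the undefined case in a single place. The retained `# Close` comment is also misleading, because shutdown(2) ends both directions of the connection but does not close the handle; follow it with `close($sock)` or correct the comment.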
End of diff.
Sincerely,
Ralph Rößner
--
Ralph Rößner
CAPCom AG < http://www.capcom.de >
Rundeturmstr. 10, 64283 Darmstadt, Germany
Phone +49 6151 155 900, Fax +49 6151 155 909
Executive Board: Luc Neumann (Chairman)
Chairman of the Supervisory Board: Prof. Dr.-Ing. José L. Encarnação
Registered office: Darmstadt, Register court: Darmstadt HRB 8090
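
Added example (not part of the original report and not apt-cacher code): a small triage script for error.log files in the format quoted above, listing the child processes whose request ended at the host probe with "Unable to connect to ...". The sample log is constructed, and `cache.example` is a placeholder host name.

```python
import re
from collections import defaultdict

# Constructed sample in the error.log format quoted in the report:
# "<timestamp>|<client>|<level> [<pid>]: <message>"
SAMPLE_LOG = """\
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: got: GET http://security.debian.org/dists/stable/updates/Release.gpg HTTP/1.1
Wed Oct 17 14:16:39 2007|146.140.220.150|debug [5807]: Checking host security.debian.org in absolute URI
Wed Oct 17 14:16:39 2007|146.140.220.150|info [5807]: Unable to connect to security.debian.org
Wed Oct 17 14:17:02 2007|146.140.220.151|debug [5811]: got: GET http://cache.example/debian/dists/stable/Release HTTP/1.1
Wed Oct 17 14:17:02 2007|146.140.220.151|debug [5811]: Checking host cache.example in absolute URI
Wed Oct 17 14:17:02 2007|146.140.220.151|debug [5811]: Host in Absolute URI is this server
Wed Oct 17 14:17:02 2007|146.140.220.151|debug [5811]: Resolved request is /debian/dists/stable/Release
"""

LINE = re.compile(r"^(?P<ts>[^|]+)\|(?P<client>[^|]*)\|(?P<level>\w+) \[(?P<pid>\d+)\]: ?(?P<msg>.*)$")

def parse(text):
    """Return one dict per log record. Lines that do not start a record
    (mail-wrapped continuations) are appended to the previous message."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def refused_by_probe(records):
    """Return (pid, client, host, url) for each child process whose last
    message is 'Unable to connect to <host>' for the host it had just checked."""
    by_pid = defaultdict(list)
    for r in records:
        by_pid[r["pid"]].append(r)
    hits = []
    for pid, recs in by_pid.items():
        # The request line is logged as "got: GET <url> HTTP/1.1".
        url = next((r["msg"].split()[2] for r in recs
                    if r["msg"].startswith("got: GET ")), None)
        checked = [m.group(1) for r in recs
                   if (m := re.match(r"Checking host (\S+) in absolute URI", r["msg"]))]
        if checked and recs[-1]["msg"] == f"Unable to connect to {checked[-1]}":
            hits.append((pid, recs[-1]["client"], checked[-1], url))
    return hits

if __name__ == "__main__":
    for hit in refused_by_probe(parse(SAMPLE_LOG)):
        print("refused at host probe:", hit)
```
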