rpm-software-management / dnf5

Next-generation RPM package management system

Problem Using Proxy With DNF5 (works with curl client) #1681

Closed nobozo closed 1 month ago

nobozo commented 1 month ago

I'm on Fedora 40 (Linux fedora 6.10.6-200.fc40.x86_64). I've installed dnf5 (dnf5 version 5.1.17, dnf5 plugin API version 1.0, libdnf5 version 5.1.17, libdnf5 plugin API version 1.0).

I've built the web proxy shown in https://medium.com/@mlowicki/http-s-proxy-in-golang-in-less-than-100-lines-of-code-6a51c2f2c38c and the client shown in https://medium.com/@mlowicki/https-proxies-support-in-go-1-10-b956fb501d6b.

I've built a cert and private key using the mkcert command.

When I run

curl -Lv --proxy https://localhost:8888 --proxy-cacert server.pem https://google.com

everything works. I get the google home page. This means that my certificate is valid. However, when I add the line

proxy=http://localhost:8888

to /etc/dnf/dnf.conf and then run

dnf5 update --refresh

I see

Updating and loading repositories: Fedora 40 - x86_64 - Updates ???% | 0.0 B/s | 0.0 B | 00m00s

Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo [... a bunch more of the line above]

Librepo error: Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer

Error checking if metalink "https://mirrors.fedoraproject.org/metalink?repo=updates-released-f40&arch=x86_64" is in sync for repository "updates"

Librepo error: Cannot prepare internal mirrorlist: Curl error (56): Failure when receiving data from the peer for https://mirrors.fedoraproject.org/metalink?repo=updates-released-f40&arch=x86_64 [Proxy CONNECT aborted]

Also, the proxy server prints a bunch of

2024/09/06 11:40:37 http: TLS handshake error from 127.0.0.1:36324: tls: first record does not look like a TLS handshake

This is all very puzzling to me. I would think that if the curl command works and has no TLS problems, neither should dnf5.

My goal is to create a caching web proxy for dnf5 but until I can resolve this issue I'm dead in the water.

Thanks for any help

Update - I did some research and I learned about the proxy_sslverify and proxy_sslcacert configuration options. I set the following:

proxy_sslverify=False
proxy_sslcacert=/tmp/server.pem

and now I get

2024/09/06 15:45:12 http: TLS handshake error from 127.0.0.1:36270: tls: first record does not look like a TLS handshake

from the server, and the same messages from dnf5.

I'm still struggling.

nobozo commented 1 month ago

I think I've found a solution but I'm not sure. In any case, I'm closing this issue.

ppisar commented 1 month ago

For the curl command you reach the proxy over TLS ("--proxy https://"), but for DNF you reach the proxy over plain TCP ("proxy=http://").
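
An added example, not part of the thread or of dnf5: a Python check that classifies the first bytes a proxy listener receives (the reason for the "first record does not look like a TLS handshake" log line) and lints the proxy options quoted above. The sample configs are constructed, the function names are hypothetical, and it assumes the proxy listens with TLS, as the `--proxy https://` curl invocation implies.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples: the settings quoted in the thread, and a variant that
# matches the curl invocation (TLS to the proxy, CA file supplied).
ISSUE_CONF = """[main]
proxy=http://localhost:8888
proxy_sslverify=False
proxy_sslcacert=/tmp/server.pem
"""
FIXED_CONF = """[main]
proxy=https://localhost:8888
proxy_sslverify=True
proxy_sslcacert=/tmp/server.pem
"""

def first_record_kind(data: bytes) -> str:
    """Classify the first bytes a proxy listener receives on a new connection."""
    # A TLS handshake record starts with content type 0x16, major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # A client configured with an http:// proxy sends its request in cleartext.
    if data.split(b" ", 1)[0] in (b"CONNECT", b"GET", b"HEAD", b"POST"):
        return "plain-http"
    return "unknown"

def lint_dnf_proxy(conf_text: str, proxy_speaks_tls: bool) -> list[str]:
    """Return findings for the [main] proxy options of a dnf.conf-style text."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.read_string(conf_text)
    main = cp["main"] if cp.has_section("main") else {}
    findings = []
    scheme = urlsplit(main.get("proxy", "")).scheme.lower()
    # The client only starts a TLS handshake with the proxy for https://.
    if scheme in ("http", "https") and (scheme == "https") != proxy_speaks_tls:
        expects = "expects" if proxy_speaks_tls else "does not speak"
        findings.append(f"scheme-mismatch: proxy={scheme}:// but listener {expects} TLS")
    # Assumption: an absent proxy_sslverify is treated as enabled.
    if main.get("proxy_sslverify", "True").strip().lower() in ("0", "false", "no", "off"):
        findings.append("proxy-verify-off: proxy certificate is not verified")
    return findings

if __name__ == "__main__":
    for name, conf in (("issue", ISSUE_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_dnf_proxy(conf, proxy_speaks_tls=True))
```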