Launchpad backend scripts and services access https urls outside the datacentre without using squid

Bug #133880 reported by James Troup
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Several of Launchpad's cronscripts require https access. Currently we punch a hole in the firewall, but it'd be better if Launchpad could be modified to use the squid proxy even for https requests.

17:02 < SteveA> we can make HTTPS work via a proxy
17:02 < SteveA> provided it is the proxy that has the SSL connection
17:03 < SteveA> so, not allowing the CONNECT HTTP verb
17:03 < SteveA> but instead, having the script talk to the proxy and say get HTTPS://... etc

Marc Tardif (cr3) wrote :

A workaround is to have Squid proxy requests made on http://launchpad.net made to a local running instance of stunnel. First, add the following cache peer to the squid configuration:

  acl insecureLaunchpad dstdomain launchpad.net
  acl HTTP proto HTTP

  cache_peer localhost parent 3129 0 no-query
  cache_peer_access localhost allow insecureLaunchpad
  cache_peer_access localhost deny !insecureLaunchpad
  never_direct deny HTTP insecureLaunchpad

Second, run stunnel to redirect http requests from localhost:3129 to https on launchpad.net:443:

  stunnel -c -d localhost:3129 -r launchpad.net:443

Enjoy!

Björn Tillenius (bjornt) wrote : Re: [Bug 133880] Re: https should use the squid proxy rather than relying on firewall holes

On Tue, Sep 16, 2008 at 10:30:18PM -0000, Marc Tardif wrote:
> A workaround is to have Squid proxy requests made on
> http://launchpad.net made to a local running instance of stunnel. First,
> add the following cache peer to the squid configuration:

This doesn't seem to help with this bug report, does it? We don't want
to talk to launchpad.net, we want to talk to the rest of the world using
https through a proxy.

    subscribe bjornt

Curtis Hovey (sinzui)
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → Low
Robert Collins (lifeless) wrote :

squid with ssl compiled in can act as an SSL client; we -may- need squid 3 for this, but I'm not sure if that's the case.

summary: - https should use the squid proxy rather than relying on firewall holes
+ Launchpad backend scripts and services access https urls outside the
+ datacentre without using squid
Changed in launchpad:
importance: Low → High
Robert Collins (lifeless) wrote :

08:23 < lifeless> elmo: is https://bugs.launchpad.net/launchpad/+bug/133880 still factually correct, and still something you would like addressed?
08:38 < elmo> lifeless: factually correct> yes. like addressed> sure. but it's not in any way a priority

Note for folk wanting to do this - squid3 is such a proxy, we'd need a small code change in LP to issue https:// requests via the proxy rather than issuing CONNECT requests.

Changed in launchpad:
importance: High → Low
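
The two request styles discussed in this bug, shown on the wire as an added example (not Launchpad or Squid code): a constructed loopback stand-in for the proxy records each request line, refuses `CONNECT`, and answers a `GET https://...` request. The names `stand_in_proxy`, `via_proxy`, `demo` and the host `example.invalid` are assumptions for illustration.

```python
import http.client
import socket
import threading

def stand_in_proxy(listener, seen):
    """Constructed stand-in for the forward proxy (not Squid): logs each
    request line, refuses CONNECT tunnels, answers absolute-form requests."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:  # listener closed
            return
        with conn:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
            seen.append(line)
            if line.startswith("CONNECT "):
                reply = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
            else:
                # A proxy acting as the SSL client would fetch the URL over TLS here.
                reply = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
            conn.sendall(reply)

def via_proxy(proxy_port, method, target):
    """Send one request to the proxy on 127.0.0.1 in plain HTTP and return
    (status, body). `target` is sent verbatim as the request target."""
    conn = http.client.HTTPConnection("127.0.0.1", proxy_port, timeout=5)
    try:
        conn.request(method, target)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    seen = []
    threading.Thread(target=stand_in_proxy, args=(listener, seen), daemon=True).start()
    port = listener.getsockname()[1]
    tunnel = via_proxy(port, "CONNECT", "example.invalid:443")      # opaque tunnel
    fetch = via_proxy(port, "GET", "https://example.invalid/feed")  # proxy-terminated
    listener.close()
    return seen, tunnel, fetch

if __name__ == "__main__":
    print(demo())
```

With the absolute-form request the proxy sees the full URL and can log or filter it; with `CONNECT` it sees only the host and port of the tunnel.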