tickets #32407
closedProblem with provo-mirror.opensuse.org
100%
Description
I'm trying to update some Shibboleth packages on a RHEL server, and the
downloads keep hanging. After some investigation, I figured out that
the problem appears to be that provo-mirror.opensuse.org won't serve
requests with certain user agent strings. For example, this request
works fine:
GET /repositories/security:/shibboleth/CentOS_7/x86_64/liblog4shib1-1.0.9-3.2.x86_64.rpm HTTP/1.1
User-Agent: Wget/1.14 (linux-gnu)
Accept: /
Host: provo-mirror.opensuse.org
Connection: Close
But this one hangs indefinitely:
GET /repositories/security:/shibboleth/CentOS_7/x86_64/liblog4shib1-1.0.9-3.2.x86_64.rpm HTTP/1.0
User-Agent: urlgrabber/3.10 yum/3.4.3
Host: provo-mirror.opensuse.org
Accept: /
Removing the space between "urlgrabber/3.10" and "yum/3.4.3" is
sufficient to make the request work. Per RFC 2616, this is a valid user
agent.
--
Elliot Kendall - (920) 786-8649
Information Security Specialist
Library & Information Technology Services
Emory University
This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.
If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).
Updated by pjessen about 6 years ago
- Category set to Mirrors
- Private changed from Yes to No
Updated by tampakrap over 5 years ago
- Assignee changed from tampakrap to pjessen
Updated by pjessen about 5 years ago
Sorry about taking so long with this. I can confirm the behaviour - using wget with a user-agent of "urlgrabber/3.10 yum/3.4.3" does indeed just end up hanging. Remove the blank in the middle and it works fine. Remarkably, using e.g. "urlgrabber/3.10 yux/3.4.3" it works fine.
Updated by bmwiedemann about 5 years ago
Made a minimal reproducer from it:
curl --user-agent "urlgrabber/ yum/3." -v http://provo-mirror.opensuse.org/
Client-side tcpdump shows that the IP packet containing the GET request never gets ACKed, so the client does multiple retransmits of it.
and I found that the same command works from internal NUE or PRV nodes, so it might not be the nginx itself, but some magic DPI firewall in the middle that tries to protect the server from the evil Internets.
Updated by bmwiedemann about 5 years ago
- % Done changed from 0 to 30
Filed internal ticket REQ_195613
Investigating with tcpdump on both client and server side shows that the 3-way TCP-handshake works fine, but the IP packet containing the GET request and the user-agent string is never arriving at the server, thus the client never receives an ACK for it and re-transmits the packet several times.
This indicates a mis-behaving network filter software in the middle.
I also checked on provo-mirror with
iptables -L -n -v -x|grep DROP
and could see that none of the DROP counters increased while a 'bad' request was sent.
Updated by pjessen about 5 years ago
- Assignee deleted (
pjessen)
I'm de-assigning from myself, I don't have the access to do anything about this.
Updated by lrupp over 4 years ago
- Status changed from New to Rejected
- % Done changed from 30 to 100
So it looks like there is "something" in between, we're the heroes do not have any influence on.
I'm sorry, but in this case I just can ask to either use a different mirror or use your hack.
We can sadly not fix the whole Internet ;-)
Regards,
Lars