To: feedback@ml.delegate.org
Date: 21 Jul 2014 14:47:36 GMT
Subject: DeleGate/9.9.10 (STABLE) -- fixes around chained HTTP and HTTPS proxy
From: feedback@delegate.org (Yutaka Sato)
Reply-To: feedback@delegate.org
Lines: 83
X-Seqno: 5097 (via ml.delegate.org)
MIME-Version: 1.0 (generated by vin4.0.2)
Content-Type: text/plain; charset=US-ASCII
X-Mailer: Vin 4.0.2/070321 on Linux/2.4.2-2
Organization: The DeleGate Project
Message-Id: <1JpFTo.feedback@delegate.org>
References: <_A5062@delegate-en.ML_> <_A5063@delegate-en.ML_> <_A5084@delegate-en.ML_> <_A5089@delegate-en.ML_>
X-Forwarded: by - (DeleGate/10.0.0-pre1)

Dear DeleGate users,

I inform you of the new release of DeleGate available as follows:

--------------------------------------------------------------------------
DeleGate/9.9.10 (STABLE) -- fixes around chained HTTP and HTTPS proxy
July 21, 2014
--------------------------------------------------------------------------

This release includes a fix that enables an HTTP-DeleGate proxy, chained to
an upstream proxy, to forward non-HTTP protocols (HTTPS/SSL, FTP, NNTP, etc.)
as well as HTTP.

HTTP (proxy chaining for multiple protocols)
- Fixed relaying arbitrary protocols to upstream HTTP proxy (in HTTP protocol).
  DeleGate as an HTTP proxy can be chained to upstream HTTP proxy(ies) with
  the PROXY (or FORWARD) parameter(s). With the PROXY parameter, it forwards
  any protocol to the specified upstream proxy. But, unfortunately, since
  9.9.8-pre21 (released Jan. 2013), only the HTTP protocol is relayed in the
  HTTP protocol, while other protocols were relayed in the DeleGate-specific
  protocol. Thus if the upstream proxy is not DeleGate, the relay fails.
- A workaround in older versions to escape the problem is using not PROXY
  but FORWARD like
    FORWARD="http-proxy://Host:Port"

HTTPS (SSL-tunneling with non-SSL blocker)
- Disabled non-half-duplex communication blocker over SSL-tunnel by default.
  (It can be enabled with HTTPCONF="halfdup")
- Relaxed the threshold for non-SSL detection and blocking, so as not to break
  normal SSL communications with long latency. The default has become
  HTTPCONF="tout-pack-intvl:10.0" (which was "3.0" seconds in older versions).
- Excluded several HTTPS server domains (google and facebook) from the
  subjects of the non-SSL blocker. It is equivalent to
    CMAP="thru-CONNECT:HTTPCONF:https:*.google.com,*.facebook.com".
- In older versions, especially when DeleGate as an HTTPS proxy is chained to
  the upstream proxy, the blocker can be so bad that it makes the connection
  to an HTTPS server, for example Google Mail, freeze at the start.
- This blocker can be bypassed totally by the "-Dst" option in any version
  of DeleGate.

SOCKS (core dump with CONNECT=socks option)
- It hits a stale area on the stack and causes a segmentation violation when
  both FORWARD=socks://host:port and CONNECT=socks are specified.
  The situation occurs after a secondary SOCKS connection.

yysh (remote login shell of DeleGate)
- Re-enabled the yysh server on Windows, which was disabled in 9.9.7-pre23
  (Feb. 2010) due to the bug in the supplementary program for Windows,
  "dgforkpty.exe".
- Periodic sending of packets toward the yysh server to keep the connection
  alive. A connection of yysh has often been dropped after no communication
  over it for several minutes. It was so bad especially when logging into
  a remote host on a cloud service.
- The interval of keep-alive packets can be specified with the -tiT option,
  where T is 60 (seconds) by default.

SSL/Cygwin (dynamic linking of SSL libraries)
- Made the Cygwin version of DeleGate use the dynamic library of SSL for
  Cygwin named as "cygXXX.dll".
- It is equivalent to specifying DYLIB="cyg%s-0.9.8.dll,+"
- The Cygwin version of DeleGate and SSL libraries is necessary for "yysh",
  the remote login shell of DeleGate, with STLS=fsv or the "-ys" option.
--------------------------------------------------------------------------
SITE:
FILE: delegate9.9.10.tar.gz
DATE: Jul 21 22:10 JST 2014
TAR-SIZE: 8396800 bytes
TAR-MD5: 0715ac4ac671f7e618cac7677370bf24
PUBLIC-KEY: http://www.delegate.org/rsa-pubkey.pem
SRCSIGN=9.9.10:20140721221012+0900:68d4c88072823f5b
TAR-MD5-SIGN:
  r02Q53AMOC8SvONO6DzdiR9mXcFOuXsjKPtfZVg8Cw7QM7u66rRQ6uUlp07WapYvP//YRxdk
  HdKVb0Zt0z8tnxJ6vFeKmBvPHQGLwuapMQ6c9VqNlH5Z/uzbcbn6wqzWh6jfSxPHglaijtOA
  HiNJzBVAdbnvT/C5dXGRKzM5kqs=

Cheers from Japan,
Yutaka
--
  9 9   Yutaka Sato   { Do the more with the less -- B. Fuller }
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan