About Archive Tags RSS Feed

 

Looks like me an Vincent caught you boys at breakfast

27 September 2009 21:50

It is interesting that Fran├žois Marier recently posted a brief "howto" document on debugging problems caused by overly-agressive filtering with privoxy, as I've recently been having problems with that tool.

My home network frequently changes configuration depending on what I'm concentrating upon, but every few months I'll start/cease using the following tools:

  • squid - The caching proxy server.
  • tor - The onion router.
  • privoxy - The filtering cache.

Recently I was experimenting with XSS attacks against various browsers, which meant using them for real. As not all browsers have the same anti-advert setups I was running privoxy to filter out web-annoyances, and I spotted a major flaw with it.

Unfortunately I can only describe the problem, not reproduce it, or track it down. I'm 80% certain the bug is in privoxy, but the stack is suitably high that determining that for sure is problematic.

In short the issue is that HTTP requests would end up being sent to the wrong host:

  • I load my start page in one tab: http://www.steve.org.uk/start/
  • I click to open the following URL in another tab: http://www.perlmonks.org/?node=Newest Nodes.
  • The request gets sent to http://steve.org.uk/?node=...

After that clicking around consistently sends requests to the first HTTP host which was accessed succesfully. So, for example, attempting to visit http://foo.com/bar/ will send the request to http://steve.org.uk/bar - which then gives a 404.

In terms of setup I use a dnsmasq DNS cache, privoxy and iceweasel from Debian unstable. From the symptoms I'm not sure if iceweasel's "KeepAlive" system is to blame, or if privoxy has a bad cache of hosts. Perhaps it is dnsmasq returning bogus DNS data, or my cable connection itself having DNS issues.

Anyway once the symptoms present themselves closing the browser and restarting the cache fixes it. Until the next time which might be hours or days later.

I'd report it as a bug - but I don't know where it should be. Privoxy caching things it shouldn't? iceweasel having keepalive issues? dnsmasq returning wrong DNS entries?

I'd ask "Have you seen this before, internet world?" but I guess if you have tracked it down it'd be fixed by now, and it clearly isn't!

Anyway for the moment I've uninstalled privoxy.

ObFilm: Pulp Fiction

| 4 comments

 

Comments on this entry

icon Steve Kemp at 22:54 on 27 September 2009

That does look promising, thanks for the pointers.


icon Francois Marier at 21:05 on 27 September 2009
http://feeding.cloud.geek.nz

Funny you mention my name here, because I think I have the same problem.

My setup is simpler: just privoxy, no squid or tor.

Restarting the privoxy daemon (but not the browser or clearing the cache) seems to fix it (temporarily) for me.

I initially thought it was due to a dodgy DNS server, but it happens both at work and at home. Was thinking about researching this problem further, but I couldn't find a googleable way of describing the problem...

icon Steve Kemp at 21:12 on 27 September 2009

That's great news! (Well not great obviously as we're both seeing the bug, but great that it seems to suggest privoxy alone is at fault.)

With that in mind I'll reinstall it, and see if I can narrow it down over the next few days.

Maybe a few wgets, or similar can trick the problem into manifesting itself? I know that it didn't seem to happen too often, but once the problem showed itself it didn't go away.

icon Francois Marier at 22:06 on 27 September 2009
http://feeding.cloud.geek.nz

Based on the comments on these bugs, it sounds like this issue might be resolved in privoxy 3.0.14 or 3.0.15:

http://sourceforge.net/tracker/?func=detail&aid=2838716&group_id=11118&atid=111118
http://sourceforge.net/tracker/?func=detail&aid=2831227&group_id=11118&atid=111118
http://sourceforge.net/tracker/?func=detail&aid=2826947&group_id=11118&atid=111118
http://sourceforge.net/tracker/?func=detail&aid=2827004&group_id=11118&atid=211118

I have just commented out the "keep-alive-timeout" and "connection-sharing" lines in my /etc/privoxy/config to see if it changes anything...