Bug 1216290 - opensuse-welcome indefinitely retries proxy without interval
Summary: opensuse-welcome indefinitely retries proxy without interval
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: KDE Applications (show other bugs)
Version: Current
Hardware: Other Other
: P5 - None : Major (vote)
Target Milestone: ---
Assignee: E-Mail List
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-16 18:37 UTC by Luiz Angelo Daros de Luca
Modified: 2023-10-17 16:52 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Luiz Angelo Daros de Luca 2023-10-16 18:37:36 UTC 
Hello,

opensuse-welcome tries to load news.opensuse.org:443 using system proxy settings. However, when the proxy asks for auth, it does not work with kerberos auth (negotiate). It would be harmless if it stops there but it retries pretty fast it again and again with dozens of request per second. It can easily fill gigabytes of the server log partition in minutes.

I already implemented a fail2ban but it is better to fix it at the source.

Please, limit the amount of retries, probably desist on http 407 and, if possible, make it work with negotiate auth.
Comment 1 Fabian Vogt 2023-10-16 18:41:06 UTC 
Might be a bug in Qt WebEngine. Are falkon or konqueror also affected?

In any case, please run QT_LOGGING_RULES=*.debug=true opensuse-welcome. Are there any relevant messages?
Comment 2 Luiz Angelo Daros de Luca 2023-10-16 21:03:41 UTC 
(In reply to Fabian Vogt from comment #1)
> Might be a bug in Qt WebEngine. Are falkon or konqueror also affected?

I have not used konqueror in years. Yes, it is also affected.
 
> In any case, please run QT_LOGGING_RULES=*.debug=true opensuse-welcome. Are
> there any relevant messages?

No. There is no mention to http, proxy, news and other similar terms.
Comment 3 Fabian Vogt 2023-10-17 06:18:09 UTC 
(In reply to Luiz Angelo Daros de Luca from comment #2)
> (In reply to Fabian Vogt from comment #1)
> > Might be a bug in Qt WebEngine. Are falkon or konqueror also affected?
> 
> I have not used konqueror in years. Yes, it is also affected.

In that case, can you provide simple instructions for reproducing the issue? It's most likely a bug in upstream Qt.
Comment 4 Luiz Angelo Daros de Luca 2023-10-17 16:52:44 UTC 
(In reply to Fabian Vogt from comment #3)
> (In reply to Luiz Angelo Daros de Luca from comment #2)
> > (In reply to Fabian Vogt from comment #1)
> > > Might be a bug in Qt WebEngine. Are falkon or konqueror also affected?
> > 
> > I have not used konqueror in years. Yes, it is also affected.
> 
> In that case, can you provide simple instructions for reproducing the issue?
> It's most likely a bug in upstream Qt.

You just need an HTTPS proxy (squid, for example) that uses kerberos (NEGOTIATE) authentication:

$ https_proxy=http://myproxy.com:3128 curl -I --proxy-negotiate --proxy-user : https://news.opensuse.org
HTTP/1.1 200 Connection established

HTTP/2 200 
date: Tue, 17 Oct 2023 16:47:06 GMT
content-type: text/html
content-length: 25842
last-modified: Tue, 17 Oct 2023 16:01:29 GMT
vary: Accept-Encoding
etag: "652eafd9-64f2"
expires: Wed, 18 Oct 2023 16:47:06 GMT
cache-control: max-age=86400
accept-ranges: bytes
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=15768000

$ https_proxy=http://myproxy.com:3128 opensuse-welcome