Bug 349702 - EGit tries to use HTTP proxy for SSH connect
Status: NEW
Alias: None
Product: EGit
Classification: Technology
Component: Core
Version: 0.12
Hardware: PC Windows 7
Importance: P3 normal with 2 votes
Target Milestone: ---
Assignee: Project Inbox CLA
Duplicates: 328147 329874
Reported: 2011-06-17 12:16 EDT by Jan Roehrich CLA
Modified: 2020-02-14 18:05 EST
Description Jan Roehrich CLA 2011-06-17 12:16:01 EDT
Build Identifier: 20100917-0705

I configured Eclipse for using proxies for HTTP and HTTPS (manual configuration).

I'm now trying to clone a git repo using ssh as access method. For example I use ssh://a.server/srv/repos/git/repo.git as URI. As EGit tries to connect the remote repository I get the following error message:

ssh://a.server/srv/repos/git/repo.git: ProxyHTTP: java.io.IOException: proxy error: Gateway Timeout

Using Wireshark I figured out that EGit actually tries to establish the ssh connection through the HTTP proxy and performs a HTTP CONNECT request to it.

Afaik this isn't possible with ssh??? Why does EGit want to use the proxy? After disabling Eclipse's proxy configuration the clone works.

Reproducible: Always

Steps to Reproduce:
See details
Comment 1 Bernard Leach CLA 2011-07-03 05:34:47 EDT
ssh can proxy using a CONNECT request which basically just streams the data via the proxy but encryption is still end to end.

You can specify your git repository in the "don't proxy" list or use GIT_SSH to use an external ssh client.
Comment 2 Marc Khouzam CLA 2012-04-09 09:39:55 EDT
I wonder if this is a platform issue.  I'm seeing the same problem with RSE when doing an ssh connection to a remote target.

What I mean is that if I set my http/https proxy, I cannot make ssh connections to remote machines using RSE:

"Failed to connect sshd on "REMOTE-LINUX32:22": ProxyHTTP: java.io.IOException: proxy error: Service Unavailable"
Comment 3 Robin Rosenberg CLA 2012-08-20 18:17:46 EDT
What's the conclusion here? EGit bug or not?
Comment 4 Andre Dietisheim CLA 2013-04-24 10:55:02 EDT
We had the very same "error" reported from our (openshift) users: https://issues.jboss.org/browse/JBIDE-14304

Apparently there are quite some proxies which don't support/allow cloning via them.
In our use case (we're a PaaS), where a user creates new hosts frequently, putting the new git-hosts to the "bypass" list is possible but annoying.
Couldn't we just have git falling back to non-proxy mode if things fail via proxy? Or allow the user to globally choose if he wants to use a proxy or not?
Comment 5 Andre Dietisheim CLA 2013-04-24 11:08:53 EDT
I just found out that the "Proxy bypass" allows expressions of this kind: *.rhcloud.com. So for us there's no enhancement/fix required here.
Comment 6 Robin Stocker CLA 2013-09-27 11:56:35 EDT
*** Bug 328147 has been marked as a duplicate of this bug. ***
Comment 7 Robin Stocker CLA 2013-09-27 12:00:39 EDT
*** Bug 329874 has been marked as a duplicate of this bug. ***
Comment 8 Ben Tatham CLA 2014-02-26 09:42:58 EST
(In reply to Andre Dietisheim from comment #5)
> I just found out that the "Proxy bypass" allows expressions of this kind:
> *.rhcloud.com. So for us there's no enhancement/fix required here.

When using a "native" proxy (so bypasses defined at the OS level), I don't think you can always configure the bypass properly.  For example, we use bitbucket.org, which requires an http proxy for http in a browser, but not for ssh/git (ssh://git@bitbucket.org).
Comment 9 Carsten Pfeiffer CLA 2016-07-06 08:53:09 EDT
While looking for the cause of this issue, I found out this:

org.eclipse.jsch.internal.core.Utils.createSession() calls setProxy(), which sets any available SOCKS or HTTPS proxy.

So if you have configured an HTTPS proxy in Eclipse, jsch will happily use that for an ssh connection.

I can't imagine how one would create an ssh connection through an HTTPS proxy, so I assume that this is the part that should be fixed.
Comment 10 Pierre-Yves Bigourdan CLA 2019-01-10 10:58:12 EST
The same problem seems to occur when using the new Apache MINA sshd client instead of JSch.
Comment 11 Thomas Wolf CLA 2019-01-10 13:43:33 EST
(In reply to Pierre-Yves B. from comment #10)
> The same problem seems to occur when using the new Apache MINA sshd client
> instead of JSch.

The Apache MINA implementation uses either a SOCKS5 proxy (if a SOCKS proxy is configured), or the configured HTTP proxy otherwise (with a HTTP CONNECT command). It does not try HTTPS.

I can only guess that you have configured only an HTTP proxy, and that doesn't support the CONNECT command?
Comment 12 Thomas Wolf CLA 2019-01-11 06:58:53 EST
If you have configured

- no SOCKS proxy
- an HTTP proxy that doesn't do HTTP CONNECT

then you should add the hosts you want to ssh to to the proxy bypass list.

Or should EGit provide an additional preference setting that determines whether the built-in SSH should use the HTTP proxy, if configured, at all?
Comment 13 Pierre-Yves Bigourdan CLA 2019-01-11 08:53:53 EST
Thank you for your response Thomas. As per your advice, I have tried the following:
- configuring the SOCKS proxy. This does allow EGit to connect to remote hosts via ssh, however, other parts of Eclipse are now failing with exceptions similar to "java.net.SocketException: SOCKS: Connection not allowed by ruleset" (Oomph synchronization, Maven dependency updates, etc.).
- removing the SOCKS proxy but adding hosts I want to ssh to the proxy bypass list in Eclipse (github.com in particular). Unfortunately this does not seem to work as the connection to GitHub times out after 30 seconds.

Any ideas as to why?
Comment 14 Thomas Wolf CLA 2019-01-11 09:18:13 EST
(In reply to Pierre-Yves B. from comment #13)
> Thank you for your response Thomas. As per your advice, I have tried the
> following:
> - configuring the SOCKS proxy. This does allow EGit to connect to remote
> hosts via ssh, however, other parts of Eclipse are now failing with
> exceptions similar to "java.net.SocketException: SOCKS: Connection not
> allowed by ruleset" (Oomph synchronization, Maven dependency updates, etc.).

So you had both the HTTP and the SOCKS proxy configured? That should work. EGit's ssh client would use the SOCKS proxy, and HTTP(S) requests should not use the SOCKS proxy but the HTTP or HTTPS proxy. If you had only a SOCKS proxy configured, then HTTP requests might indeed fail.

> - removing the SOCKS proxy but adding hosts I want to ssh to the proxy
> bypass list in Eclipse (github.com in particular). Unfortunately this does
> not seem to work as the connection to GitHub times out after 30 seconds.

Seems my idea about the proxy bypass wasn't so good :-) Of course that bypasses all proxies, so normal HTTP(S) requests also wouldn't use the HTTP(S) proxy anymore.

> Any ideas as to why?

So it seems we have the following cases with proxies involved:

1. User has an HTTP proxy that does allow HTTP CONNECT for ssh: only a HTTP proxy needs to be configured. Both HTTP and SSH traffic go through that proxy fine.

2. User has an HTTP proxy that does not allow HTTP CONNECT:

2.1. User can configure a SOCKS proxy in addition to the HTTP proxy: HTTP traffic goes through the HTTP proxy; SSH traffic through the SOCKS proxy: fine.

2.2. User cannot configure a SOCKS proxy:

2.2.1. If the system forbids direct ssh through the firewall: user cannot use ssh; should use HTTPS URIs for git repos (which would go through the HTTP proxy normally, not via HTTP CONNECT)
2.2.2. If the system allows direct ssh through the firewall: EGit would need an extra preference (otherwise it will unconditionally try the HTTP proxy), alternatively as in 2.2.1, i.e., don't use ssh.

3. User has no HTTP proxy but only a SOCKS proxy: no problem for EGit's built-in SSH, it'll use the SOCKS proxy. HTTP(S) traffic won't use the SOCKS proxy, and will be blocked by the firewall.
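
Added example (not part of the original bug thread, and not EGit, JSch or MINA code): a small Python probe that sends the HTTP CONNECT request discussed above to a proxy and reports whether it opens a tunnel to an SSH port, which separates case 1 from case 2 in comment 14. The function names, the placeholder proxy address and the labels returned by `classify` are assumptions made for illustration.

```python
import socket


def probe_connect(proxy_host, proxy_port, target_host, target_port=22, timeout=5.0):
    """Send CONNECT target:port to an HTTP proxy; return (status, reason, banner)."""
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "\r\n"
    ).encode("ascii")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        reader = sock.makefile("rb")
        status_line = reader.readline().decode("latin-1").strip()
        parts = status_line.split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            raise ValueError(f"not an HTTP response: {status_line!r}")
        status = int(parts[1])
        reason = parts[2] if len(parts) > 2 else ""
        # Discard the proxy's response headers up to the blank line.
        while reader.readline() not in (b"\r\n", b"\n", b""):
            pass
        banner = None
        if 200 <= status < 300:
            # Tunnel is open: the SSH server speaks first ("SSH-2.0-...").
            try:
                banner = reader.readline().decode("latin-1").strip() or None
            except OSError:  # includes a read timeout
                banner = None
        return status, reason, banner


def classify(status, banner):
    """Map a probe result onto the cases listed in comment 14 (labels are illustrative)."""
    if 200 <= status < 300 and banner and banner.startswith("SSH-"):
        return "case 1: proxy tunnels ssh via CONNECT"
    if 200 <= status < 300:
        return "tunnel opened, but no SSH identification string was received"
    return "case 2: proxy did not establish the CONNECT tunnel"


if __name__ == "__main__":
    # Placeholder proxy address and the host from the description; adjust locally.
    status, reason, banner = probe_connect("proxy.example", 8080, "a.server")
    print(status, reason, banner, "->", classify(status, banner))
```

A non-2xx result here, with a reason phrase such as "Gateway Timeout" or "Service Unavailable", corresponds to the kind of proxy error quoted in the description and in comment 2.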
Comment 15 Pierre-Yves Bigourdan CLA 2019-01-11 09:50:21 EST
(In reply to Thomas Wolf from comment #14)
> (In reply to Pierre-Yves B. from comment #13)
> > Thank you for your response Thomas. As per your advice, I have tried the
> > following:
> > - configuring the SOCKS proxy. This does allow EGit to connect to remote
> > hosts via ssh, however, other parts of Eclipse are now failing with
> > exceptions similar to "java.net.SocketException: SOCKS: Connection not
> > allowed by ruleset" (Oomph synchronization, Maven dependency updates, etc.).
> 
> So you had both the HTTP and the SOCKS proxy configured? That should work.
> EGit's ssh client would use the SOCKS proxy, and HTTP(S) requests should not
> use the SOCKS proxy but the HTTP or HTTPS proxy. If you had only a SOCKS
> proxy configured, then HTTP requests might indeed fail.
> 

I believe I'm in case 2.1 in your listing. Yes, I do have HTTP, HTTPS and SOCKS proxies configured and enabled as "manual" in Eclipse's preferences. As soon as the SOCKS one was configured, ssh started working but all other HTTP/HTTPS connections started failing due to "SOCKS: Connection not allowed by ruleset". The SOCKS proxy settings seem to have "taken over" all requests. May this be related to Bug 331184?
Comment 16 Thomas Wolf CLA 2019-01-11 13:24:34 EST
(In reply to Pierre-Yves B. from comment #15)
> I believe I'm in case 2.1 in your listing. Yes, I do have HTTP, HTTPS and
> SOCKS proxies configured and enabled as "manual" in Eclipse's preferences.
> As soon as the SOCKS one was configured, ssh started working but all other
> HTTP/HTTPS connections started failing due to "SOCKS: Connection not allowed
> by ruleset". The SOCKS proxy settings seem to have "taken over" all
> requests. May this be related to Bug 331184?

Seems likely. I don't have a HTTP proxy available right now; will have to test this (i.e. bug 331184) on another machine next week.

In any case it looks as if HTTP connections are attempted through the SOCKS proxy, and your SOCKS proxy is configured to not allow proxying HTTP requests. If there is an HTTP proxy, I think it should be preferred for HTTP requests.
Comment 17 Pierre-Yves Bigourdan CLA 2019-01-11 15:29:22 EST
(In reply to Thomas Wolf from comment #16)
> If there is an HTTP proxy, I think it should be preferred for HTTP
> requests.

Makes sense to me. If you come up with a patch following your investigation, let me know, I'm happy to give it a try and provide feedback.

For a bit of context, we're increasingly moving away from our SVN servers to GitHub at my company, and unfortunately it's really a challenge to get Eclipse working correctly. There is the workaround you stated in 2.2.1., namely going through HTTPS URLs, however, as we've got a policy that requires enabling two factor authentication on our accounts, this also requires creating and configuring GitHub access tokens. This seems rather simple for experienced users, but in reality obscure for most others, I've observed that people tend to be more comfortable with setting up SSH. Quite a few Eclipse users have switched to competitor IDEs partly due to this. 

As often with open-source, a lot of people complain, few take the time to report issues and interact with the community. :-)
Comment 18 Thomas Wolf CLA 2019-01-11 17:27:47 EST
I cannot reproduce bug 331184.

Tested on Mac OS using 3proxy as HTTP(S) proxy, and ssh -vvv -D localhost as socks proxy.

Configured a HTTP, HTTPS and SOCKS proxy in Eclipse. (3 proxy entries, HTTP and HTTPS both 3proxy on localhost:8888, SOCKS proxy localhost:7020.)

Then fetched from two different git repos, one using a HTTPS URI and one an SSH URI. HTTPS fetch goes, as it should, through the HTTPS proxy. SSH fetch goes through the SOCKS proxy. Opening a HTTPS link in the Eclipse built-in web browser also works and goes through the HTTPS proxy.

Then I removed the HTTPS proxy, so I only had an HTTP and SSH proxy config. Then the HTTPS requests went through the SOCKS proxy. (And worked; the ssh SOCKS proxy does allow HTTPS traffic.) I'd say that's all as expected.

Maybe it's a Windows-specific problem? I notice that both this bug and 331184 were reported against Windows. I'll see if I can try this on Windows later.
Comment 19 Pierre-Yves Bigourdan CLA 2019-01-11 17:56:41 EST
I'm using OS X 10.11.6 on my side. Maybe it depends on specific properties of the proxies? Is there any way to gather any more useful debug information from Eclipse?
Comment 20 Thomas Wolf CLA 2019-01-11 18:59:13 EST
(In reply to Pierre-Yves B. from comment #19)
> I'm using OS X 10.11.6 on my side. Maybe it depends on specific properties
> of the proxies? Is there any way to gather any more useful debug information
> from Eclipse?

You could try doing this in a runtime Eclipse and setting breakpoints.

But maybe try something else first: bug 331184 claims Eclipse was using a SOCKS proxy trying to connect to the HTTP proxy. Maybe just add the *proxy* addresses or hosts in the proxy bypass list? I ran my test proxies on localhost, and localhost is in the proxy bypass list...
Comment 21 Pierre-Yves Bigourdan CLA 2019-01-12 03:55:04 EST
Good idea, I'll try adding to the proxy bypass list on Monday. Will keep you posted.
Comment 22 Pierre-Yves Bigourdan CLA 2019-01-14 08:50:50 EST
Unfortunately, that didn't seem to do the trick.

By the way, this might be expected, but I noticed the two following info messages in Eclipse's logs when I enable the SOCKS proxy:
System property socksProxyHost is not set but should be ******.
System property socksProxyPort is not set but should be 1085.

And when I disable it:
System property socksProxyPort is set to 1085 but should not be set.
System property socksProxyHost is set to ****** but should not be set.
Comment 23 Paul Fischer CLA 2020-02-14 18:05:11 EST
I am not using EGit, but I can attest to what appears to be an identical problem when attempting to use an Eclipse SSH connection to establish a connection to a remote target on which I wish to copy, launch and debug a C/C++ application that has been built locally.

In my case I have defined an SSH connection and am referencing that connection from a remote C/C++ launch and debug configuration. In this instance the local machine and the remote machine are both running Ubuntu, so this is not a Windows-specific problem.

BTW -- ssh works just fine from the command-line with the identical proxy settings. However, it is not clear to me if my local ssh is being used or if there is an ssh built into Eclipse, so not sure if that piece of information is of value.

As has been stated in prior posts on this thread, setting the HTTPS proxy causes the SSH connection to fail (timeout). Clearing the HTTPS proxy allows the SSH connection to work. Unfortunately, those features that require HTTPS then fail. Likewise, our experience is that setting a SOCKS proxy causes various other features within Eclipse to fail, so that is not a viable option.

I have configured proxy bypass settings using this format: 10/8 as well as simply specifying the full IP address of the target device, in this case 10.7.188.74. Neither works. The only way I am able to make my SSH connection work is by disabling the HTTPS proxy setting.

p.s. I've confirmed this using a fresh copy of Eclipse for C/C++ version 2019-12. If there are some logs that would be useful, please let me know where to look for them and I can provide those details.