CFHTTP Not Sending Proxy Information


#1

I am currently running Lucee in a container (lucee/lucee52:latest (5.2.9.31)) and I am trying to call a site via a CFHTTP call. As I am behind an enterprise proxy I am required to send my proxy information so I am including proxyserver, proxyport, proxyuser and proxypassword. However, it does not appear that Lucee is providing this information.

CFHTTP is working as I can get a handful of internal and external sites that are excluded by the proxy and thus don’t require authentication, but I get “407 Proxy Authentication Required” for all calls that do. When dumping the http object and GetHttpRequestData I do not see any proxy information sent. Strangely enough I have found if I put in improper information in any of the proxy attributes I get a Connection Failure rather than an Access Denied message, so it seems like there is something or parts of the proxy attributes in play.

The same code is working in ACF 11 without issue.

Are the proxy functions of CFHTTP broken in Lucee 5.2 or is there some sort of trick to set this up? Is there anything specific to running Lucee in a container that might be affecting this?

I appreciate the help!

Thank you!


#2

This was apparently related to some specifics of our proxy server. Our proxy does a man-in-the-middle, SSL reverse proxy to inject its own certificates. Complicated by the fact that some resources are exempt and either don’t require authentication or don’t reverse proxy the SSL cert.

There is enough difference between ACF and Lucee to make some of Lucee's symptoms confuse the issue.

At the core were untrusted certificates, but it seemed I was only getting the “sun.security.validator.ValidatorException: PKIX path building failed:” error when my username was configured a certain way (i.e. when no domain was used, e.g. user vs domain/user). I assume this was related to how the proxy responded in either case. Although ACF seemed to allow either and did not complain about the certificate.

Once I determined it was certificate related I had to manually add the cert to the keystore. I was unable to use the Lucee admin as it, rightly, knew this was not a valid certificate. Once I saved off the cert from the browser I just added it to my Dockerfile:

COPY ./local/lucee/conf/proxy.cer /opt/lucee/proxy.cer
RUN keytool -import -keystore /opt/lucee/server/lucee-server/context/security/cacerts -alias proxy -file /opt/lucee/proxy.cer -storepass changeit -noprompt

This seemed to resolve the issue.
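
Pinning the proxy certificate's fingerprint before the `keytool` import, as an added example that is not part of the original posts: `-noprompt` skips keytool's interactive trust confirmation, so this script refuses to import unless the file's SHA-256 matches a value obtained out of band (for example from the team that runs the proxy). The function names, the `STOREPASS` variable and the four-argument invocation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify a certificate's SHA-256
# fingerprint against a pinned value before adding it to the Lucee trust store.

# Print the lowercase hex SHA-256 of the certificate's DER bytes.
# Handles both encodings a browser can export: PEM (Base64) and raw DER.
cert_sha256() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        # PEM: take the Base64 body of the first certificate and decode it
        awk '/-----END CERTIFICATE-----/{exit} f{print} /-----BEGIN CERTIFICATE-----/{f=1}' "$1" \
            | tr -d '\r\n ' | base64 -d
    else
        cat "$1"
    fi | sha256sum | cut -d' ' -f1
}

# Accept pins as shown by browsers/keytool ("AB:CD:...") or as plain hex.
normalize_pin() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# $1 = certificate file, $2 = expected SHA-256 fingerprint.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
verify_cert_pin() {
    [ -s "$1" ] || { echo "missing or empty cert: $1" >&2; return 2; }
    actual=$(cert_sha256 "$1")
    expected=$(normalize_pin "$2")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $1: got $actual" >&2
        return 1
    fi
}

# $1 = cert, $2 = pin, $3 = keystore, $4 = alias.
# The keystore password comes from STOREPASS (assumed variable; falls back
# to the stock "changeit" used in the post).
import_pinned_cert() {
    verify_cert_pin "$1" "$2" || return 1
    keytool -importcert -noprompt -keystore "$3" -alias "$4" \
        -file "$1" -storepass "${STOREPASS:-changeit}"
}

# Run as: script.sh <cert> <sha256-pin> <keystore> <alias>
if [ "$#" -eq 4 ]; then
    import_pinned_cert "$@"
fi
```

Called from the Dockerfile `RUN` step in place of the bare `keytool` command, a mismatch returns non-zero and fails the image build instead of silently trusting whatever certificate was copied in.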