Linux Proxy Pitfalls: SSL Connection Errors with dnf install? Let proxychains-ng Save You!

Proxy servers play a crucial role in enterprise environments, especially when accessing external network resources or enforcing security policies. However, configuring a proxy on a Linux server and making it work with system package managers like <span>dnf</span> can sometimes cause “minor troubles.” This article explores a common proxy configuration issue and an elegant solution to it.

Proxy Configuration “Pitfalls”: <span>dnf install</span> Encounters SSL Connection Error

Suppose you are a Linux system administrator configuring a proxy for a Rocky Linux 9 server to ensure it can access the internet smoothly. As usual, you specify the proxy server by setting environment variables:

export http_proxy=http://192.168.31.219:10809
export https_proxy=https://192.168.31.219:10809

After the configuration, you confidently execute the <span>dnf install wget</span> command, expecting <span>wget</span> to install successfully. However, the following error message appears on the screen:

Rocky Linux 9 - BaseOS                                                                                                                                                                                                            0.0  B/s |   0  B        00:02
Errors during downloading metadata for repository 'baseos':
 - Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to 192.168.31.219:10809 ]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to 192.168.31.219:10809 ]

This error message indicates that <span>dnf</span> encountered an SSL connection error while trying to reach <span>mirrors.rockylinux.org</span> via the <span>https</span> protocol, and that the failure occurred in the connection to the proxy server <span>192.168.31.219:10809</span>. Specifically, <span>SSL_ERROR_ZERO_RETURN</span> usually indicates that the SSL/TLS connection was closed before the handshake completed, which may be due to the proxy server not supporting SSL tunneling, a configuration issue with the proxy server, or the proxy server itself being an HTTP proxy but being asked to handle HTTPS requests.

Unveiling the Error: <span>http_proxy</span> and <span>https_proxy</span> “Incompatibility”

Where does the problem lie? Let’s take a closer look at the proxy variables we set: <span>http_proxy</span> and <span>https_proxy</span>. Although it seems we have configured separate proxies for HTTP and HTTPS, these two variables typically point to a single HTTP proxy server.

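When <span>dnf</span> attempts to download metadata via HTTPS, it uses the proxy specified by <span>https_proxy</span>. The scheme in that value describes how the client talks to the proxy itself: with <span>https://</span>, the underlying curl library starts a TLS handshake with the proxy before sending any request, which is why the error reports a failure in the connection to <span>192.168.31.219:10809</span> rather than to the mirror. If this proxy server is merely a pure HTTP proxy, it cannot properly handle that SSL/TLS handshake, leading to the <span>SSL_ERROR_ZERO_RETURN</span> error. In simple terms, it’s like asking someone who only understands Chinese to translate a document in Japanese; the outcome is predictable.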
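The check below is an added example, not code from the original article: it classifies how a libcurl-based client such as dnf will reach the proxy from the scheme of the proxy URL, and tells from a Curl error (35) line whether the TLS handshake failed against the proxy or against the destination. The function names are hypothetical; the first sample line is the error shown above, the second is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# How will a libcurl-based client (dnf included) talk to this proxy?
proxy_transport() {                       # $1 = proxy URL
    case $1 in
        http://*)  echo plain-http ;;     # cleartext to proxy, CONNECT tunnel for HTTPS
        https://*) echo tls-to-proxy ;;   # TLS handshake with the proxy itself
        socks4://*|socks4a://*|socks5://*|socks5h://*) echo socks ;;
        *://*)     echo unknown ;;
        *)         echo plain-http ;;     # curl treats a scheme-less proxy as HTTP
    esac
}

# Reduce a proxy URL to host:port (scheme, credentials and path removed).
proxy_hostport() {
    hp=${1#*://}
    hp=${hp%%/*}
    echo "${hp##*@}"
}

# $1 = one line of dnf output, $2 = proxy URL in effect for that request.
diagnose() {
    endpoint=$(proxy_hostport "$2")
    case $1 in
        *"Curl error (35)"*"in connection to $endpoint"*)
            echo tls-to-proxy-failed ;;   # handshake died at the proxy endpoint
        *"Curl error (35)"*)
            echo tls-to-origin-failed ;;  # handshake with the destination failed
        *)  echo other ;;
    esac
}

# Error line from the article, and a constructed line for comparison.
PAGE_LINE=' - Curl error (35): SSL connect error for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=BaseOS-9 [OpenSSL SSL_connect: SSL_ERROR_ZERO_RETURN in connection to 192.168.31.219:10809 ]'
ORIGIN_LINE=' - Curl error (35): SSL connect error for https://mirrors.rockylinux.org/ [OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to mirrors.rockylinux.org:443 ]'

for p in https://192.168.31.219:10809 http://192.168.31.219:10809; do
    echo "$p -> $(proxy_transport "$p")"
done
echo "article error:     $(diagnose "$PAGE_LINE" https://192.168.31.219:10809)"
echo "constructed error: $(diagnose "$ORIGIN_LINE" http://192.168.31.219:10809)"
```

The script only inspects the URL and the error text; whether the proxy accepts TLS on that port is a property of the proxy that it does not probe.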

Solution: The “Wizard” <span>proxychains-ng</span> Comes to the Rescue

Faced with this “incompatibility,” we need a tool that can flexibly handle different protocol traffic. This is where <span>proxychains-ng</span> comes into play.

What is <span>proxychains-ng</span>?

<span>proxychains-ng</span> is a powerful tool that lets you prefix a command with <span>proxychains4</span>, forcing that command's traffic through the configured proxy server. It is a preloader: it hooks the network calls of dynamically linked programs, transparently hijacking their TCP connections at the application layer and redirecting them to the specified proxy chain. It supports SOCKS5, SOCKS4, and HTTP proxies, and can also send DNS requests through the proxy.

Deploying <span>proxychains-ng</span>

Step 1: Install <span>proxychains-ng</span>

First, we need to install <span>proxychains-ng</span> on the Rocky Linux 9 server.

dnf install proxychains-ng -y

Step 2: Configure <span>proxychains-ng</span>

After installation, the configuration file for <span>proxychains-ng</span> is usually located at <span>/etc/proxychains.conf</span>. We need to edit this file to specify our proxy server.

vi /etc/proxychains.conf

Find the <span>[ProxyList]</span> section and add your proxy server information. Depending on your proxy type, the configuration method varies slightly:

If the proxy is of SOCKS5 type (recommended):

# Add your proxy server information
# type  ip  port  [username] [password]
socks5  192.168.31.219  10809

Step 3: Run Commands via <span>proxychains4</span>

After configuration, you can now use the <span>proxychains4</span> command to run <span>dnf</span>.

proxychains4 dnf install wget -y

At this point, <span>proxychains-ng</span> will hijack the network requests of <span>dnf</span> and forward them through the proxy server specified in your configuration file. If your proxy server can correctly handle HTTPS traffic (for example, if it is a SOCKS5 proxy or an HTTP proxy that supports HTTPS tunneling), then <span>dnf</span> will successfully download the required package metadata and complete the installation.
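A small linter for the file edited in Step 2, as an added example that is not part of the original article or the proxychains-ng project: it checks that exactly one chain mode is set, that <span>proxy_dns</span> is enabled so name lookups also go through the proxy, and that <span>[ProxyList]</span> entries are well-formed and carry no inline password. The function name, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the proxychains-ng project.
# check_conf reads a proxychains.conf on stdin and prints one finding per line;
# no output means no findings. Function name and finding labels are hypothetical.
check_conf() {
    awk '
        NF == 0 || $1 ~ /^#/    { next }                 # blank lines, comments
        $1 == "[ProxyList]"     { in_list = 1; next }
        !in_list && $1 ~ /^(strict|dynamic|random|round_robin)_chain$/ { modes++; next }
        !in_list && $1 ~ /^proxy_dns/ { dns = 1; next }  # also proxy_dns_old / _daemon
        in_list {
            entries++
            if ($1 !~ /^(socks4|socks5|http|raw)$/) print "bad-type:" $1
            if ($3 !~ /^[0-9]+$/ || $3 + 0 < 1 || $3 + 0 > 65535) print "bad-port:" $3
            if (NF >= 5) print "inline-credentials:" $2  # password readable in the file
        }
        END {
            if (modes != 1) print "chain-modes:" modes + 0
            if (!dns)       print "dns-not-proxied"      # lookups bypass the proxy
            if (!entries)   print "empty-proxylist"
        }'
}

# Constructed sample: the article's SOCKS5 entry plus the two global options
# that the linter checks for.
SAMPLE_CONF='strict_chain
proxy_dns
[ProxyList]
# type  ip  port  [username] [password]
socks5  192.168.31.219  10809'

printf '%s\n' "$SAMPLE_CONF" | check_conf
```

Run it against the real file with <span>check_conf < /etc/proxychains.conf</span> before launching <span>dnf</span> through <span>proxychains4</span>.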

Conclusion

In Linux system administration, proxy configuration is a common task, but it can also bring unexpected challenges. When encountering SSL connection errors with tools like <span>dnf</span> while accessing HTTPS resources via <span>https_proxy</span>, it is often due to a mismatch between the proxy server type and the protocol.

By introducing <span>proxychains-ng</span>, which can transparently manage network traffic at the application layer and forward it through the specified proxy server, we not only resolve the SSL connection issues with <span>dnf</span>, but also provide a universal solution for other command-line tools that need to access the network through a proxy.
