Error when connecting to Duo through two proxies

rjohnston3
Level 1

We are implementing Duo on some Linux systems that do not have internet access, and that work through a gateway that also does not have internet access. I’ve set up a proxy on the gateway and on another machine that does have internet access. The gateway machine has a proxy that then proxies to the second machine.

We are using pam_duo, and it is failing. I tried the trick of configuring login_duo and then trying “login_duo -d”, and it gives the error:

[4] Failsafe Duo login for ‘’: Couldn’t connect to api-.duosecurity.com: wrong version number

I’ve tried the double-proxy setup by setting https_proxy, and I’m able to curl https websites just fine, so the proxies are working. I temporarily allowed internet access for the gateway, and when I do that, duo_login works fine.

Does anyone know what the “wrong version number” error is from?

Thanks!

2 Replies

DuoKristina
Cisco Employee

Just want to confirm that you set http_proxy in the Duo cfg file, not just as an environment variable.

If so, then it may be failing because of the consecutive proxy setup. Duo Unix issues an HTTP Connect to the configured proxy server. Duo Unix does not issue a second HTTP Connect request when a configured proxy then attempts to proxy to another proxy.

Please contact Duo Support if you’d like to submit a feature request to support your use case. Alternatively, since Duo Unix is https://github.com/duosecurity/duo_unix you can branch off that to implement your own fix.

Thanks for using Duo!

Duo, not DUO.

rjohnston3
Level 1

Yup, I configured http_proxy in the config file.

https proxies are half magic to me… I wasn’t aware that the client needed to do multiple CONNECTs, since I have the first proxy configured to use the second proxy. I thought that the first proxy would tunnel through the second proxy without needing to involve the client.

I’ll see what we can do with the code, although my C is a bit rusty.

Thanks for the info!
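
An added diagnostic example, not part of the thread and not Duo's code: it sends the single CONNECT described in the reply above, pushes a real TLS ClientHello through the resulting tunnel, and classifies the first bytes that come back. It assumes the error text comes from OpenSSL, which reports "wrong version number" when the first bytes it reads are not a TLS record; the function names and the host `duo-api.example` used to exercise it are hypothetical.

```python
import socket
import ssl

def client_hello(server_name):
    """Build real ClientHello bytes in memory, without touching the network."""
    ctx = ssl.create_default_context()
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(ssl.MemoryBIO(), outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()

def classify(first):
    """Classify the first bytes read back through the tunnel."""
    if len(first) >= 3 and first[0] in (0x15, 0x16) and first[1] == 0x03:
        return "tls"             # alert or handshake record, version 3.x
    if first.startswith(b"HTTP/"):
        return "plaintext-http"  # a proxy answered in the clear, not the TLS server
    return "unknown"

def probe(sock, host, port=443):
    """One CONNECT on an already-connected proxy socket, then a ClientHello.

    Returns (proxy status line, classification of the first tunnelled bytes).
    Set a timeout on sock before calling this against a real proxy.
    """
    request = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    head, _, rest = reply.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status.split()
    if len(parts) < 2 or parts[1] != "200":
        return status, "no-tunnel"       # the proxy refused the CONNECT
    sock.sendall(client_hello(host))
    first = rest or sock.recv(16)        # bytes the far end sent after the 200
    return status, classify(first)
```

A result of `plaintext-http` after a `200` from the first proxy means something further along the chain is speaking HTTP where the client expects TLS.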
