CONNECT proxy is not working with downstream proxy enabled #300

Open
savely-krasovsky opened this issue Aug 30, 2019 · 9 comments
Comments

@savely-krasovsky

It works ok with HTTP-only sites.

Curl output:

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to (nil) (127.0.0.1) port 8080 (#0)
* Establish HTTP proxy tunnel to yandex.ru:443
> CONNECT yandex.ru:443 HTTP/1.1
> Host: yandex.ru:443
> User-Agent: curl/7.52.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Connection: close
<
* Proxy replied OK to CONNECT request
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 300007 milliseconds with 0 out of 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (28) Operation timed out after 300007 milliseconds with 0 out of 0 bytes received

I tried different proxies (own squid, mcafee web gateway, etc).

savely-krasovsky commented Aug 30, 2019

After hours of debugging, I found a sort of solution:
savely-krasovsky@354563d

I really don't understand what I did, but now it works. But I am sure that this is not a proper fix.

savely-krasovsky commented Aug 30, 2019

I guess that this bug is related to reading net.Conn twice.

savely-krasovsky commented Aug 30, 2019

Well, it seems the problem was caused by a deadlock. Content-Length is undefined, so it writes the response infinitely long, until the client's timeout. As far as I got it, we need to write the body in a dedicated goroutine. I used res.Write(w) instead of just cbr because the response was already consumed from the connection in the connect function.

savely-krasovsky commented Aug 30, 2019

I've provided a more proper fix, but now there is some mysterious deadlock in the tests. I gave up 😞

@AltFreq07

I've been having the same issue and thought that a MITM setup with a CA was the only way around this. I'll try to apply your fixes and see if it helps for now.

savely-krasovsky commented Feb 2, 2020

@AltFreq07 As a result, I wrote my own solution from scratch (which works perfectly in my case, by the way).

@AltFreq07

Do you have the code hosted anywhere? I would like to see how you forwarded the tunnels for an HTTP Connection method @L11r

ned-lambdatest commented Jul 20, 2021

I'm also facing the same issue.
Any update on this issue?

mmatczuk added a commit to mmatczuk/martian that referenced this issue Nov 18, 2022
This patch fixes and extends the connectHTTP() implementation.
We make a separate CONNECT request to the downstream proxy to avoid copying everything we read from the wire.
It may contain "per-proxy-hop" headers and other information we do not want to send, as well as a body.
We send the Proxy-Authorization header if UserInfo is provided.
We do a TLS handshake with HTTPS proxies.
We fix the Content-Length -1 issues in the CONNECT response.

Fixes google#300
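The deadlock savely-krasovsky describes and the fix the commit message above outlines (a dedicated CONNECT request instead of copying the client's bytes, Proxy-Authorization derived from UserInfo, and no attempt to drain a Content-Length -1 body) can be shown end to end in Go. The program below is an added example written for this page; it is not martian's connectHTTP() and not code from any of the linked commits. It assumes a constructed in-process downstream proxy (fakeProxy over net.Pipe) that answers exactly like the proxy in the curl trace above, the placeholder target example.test:443, and made-up credentials alice/s3cret. For an HTTPS downstream proxy the same code applies once conn has been wrapped with tls.Client before connectViaProxy is called.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

// tunnel: the raw downstream conn plus the bufio.Reader that parsed the CONNECT
// reply, so any bytes the proxy sent right behind its 200 are not lost.
type tunnel struct {
	net.Conn
	br *bufio.Reader
}

func (t *tunnel) Read(p []byte) (int, error) { return t.br.Read(p) }

// sendConnect writes our own CONNECT request to conn and parses only the reply headers.
func sendConnect(conn net.Conn, target string, user *url.Userinfo) (*http.Response, *bufio.Reader, error) {
	req := &http.Request{Method: http.MethodConnect, URL: &url.URL{Opaque: target}, Host: target, Header: http.Header{}}
	if user != nil { // Proxy-Authorization only when credentials were configured
		pw, _ := user.Password()
		req.Header.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(user.Username()+":"+pw)))
	}
	if err := req.Write(conn); err != nil {
		return nil, nil, err
	}
	br := bufio.NewReader(conn)
	res, err := http.ReadResponse(br, req)
	return res, br, err
}

// connectViaProxy opens the tunnel over conn (already dialed to the downstream
// proxy). A 2xx reply to CONNECT has no body, Go reports ContentLength -1 for it,
// and reading it would wait for the peer to close the tunnel, so res.Body is left alone.
func connectViaProxy(conn net.Conn, target string, user *url.Userinfo) (net.Conn, error) {
	res, br, err := sendConnect(conn, target, user)
	if err != nil {
		return nil, err
	}
	if res.StatusCode/100 != 2 {
		return nil, fmt.Errorf("downstream proxy refused CONNECT: %s", res.Status)
	}
	return &tunnel{Conn: conn, br: br}, nil
}

// fakeProxy stands in for the downstream proxy (constructed for this example): it
// answers like the proxy in the curl trace, then echoes every tunnel byte back.
func fakeProxy(c net.Conn, seen chan<- *http.Request) {
	defer c.Close()
	br := bufio.NewReader(c)
	req, err := http.ReadRequest(br)
	if err != nil || req.Method != http.MethodConnect {
		return
	}
	seen <- req
	io.WriteString(c, "HTTP/1.0 200 Connection established\r\nConnection: close\r\n\r\n")
	io.Copy(c, br) // echo until the client closes its end
}

// tunnelRoundTrip sends payload through the tunnel and returns the echo plus the
// Proxy-Authorization value the proxy received.
func tunnelRoundTrip(payload string) (echo, proxyAuth string, err error) {
	clientConn, proxyConn := net.Pipe()
	seen := make(chan *http.Request, 1)
	go fakeProxy(proxyConn, seen)
	defer clientConn.Close()
	tun, err := connectViaProxy(clientConn, "example.test:443", url.UserPassword("alice", "s3cret"))
	if err != nil {
		return "", "", err
	}
	buf := make([]byte, len(payload))
	if _, err = io.WriteString(tun, payload); err == nil {
		_, err = io.ReadFull(tun, buf)
	}
	return string(buf), (<-seen).Header.Get("Proxy-Authorization"), err
}

// drainBodyHangs reproduces the bug: copying the CONNECT reply body waits for an
// EOF that only arrives when the tunnel closes. Returns true if it hung.
func drainBodyHangs(timeout time.Duration) bool {
	clientConn, proxyConn := net.Pipe()
	go fakeProxy(proxyConn, make(chan *http.Request, 1))
	defer clientConn.Close() // unblocks the stuck goroutine once we give up
	done := make(chan struct{})
	go func() {
		defer close(done)
		if res, _, err := sendConnect(clientConn, "example.test:443", nil); err == nil {
			io.Copy(io.Discard, res.Body) // the mistake: this never returns on its own
		}
	}()
	select {
	case <-done:
		return false
	case <-time.After(timeout):
		return true
	}
}
```

drainBodyHangs is the failure in the curl trace: on an HTTP/1.0 "Connection: close" reply without Content-Length, http.ReadResponse builds a body that reads until EOF, and since the tunnel is exactly what should carry the client's TLS ClientHello next, nobody ever closes it and the client waits out its timeout. connectViaProxy never touches res.Body and hands the bufio.Reader back together with the connection, so nothing the proxy may already have pushed into the tunnel is dropped.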
mmatczuk added a commit to mmatczuk/martian that referenced this issue Nov 21, 2022
mmatczuk added a commit to mmatczuk/martian that referenced this issue Nov 21, 2022
mmatczuk added a commit to saucelabs/martian that referenced this issue Nov 22, 2022
mmatczuk added a commit to saucelabs/martian that referenced this issue Nov 30, 2022