CONNECT proxy is not working with downstream proxy enabled

Open savely-krasovsky opened this issue 6 years ago • 9 comments

It works ok with HTTP-only sites.

Curl output:

*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to (nil) (127.0.0.1) port 8080 (#0)
* Establish HTTP proxy tunnel to yandex.ru:443
> CONNECT yandex.ru:443 HTTP/1.1
> Host: yandex.ru:443
> User-Agent: curl/7.52.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.0 200 Connection established
< Connection: close
<
* Proxy replied OK to CONNECT request
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Operation timed out after 300007 milliseconds with 0 out of 0 bytes received
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (28) Operation timed out after 300007 milliseconds with 0 out of 0 bytes received

I tried different proxies (my own Squid, McAfee Web Gateway, etc.).

savely-krasovsky avatar Aug 30 '19 18:08 savely-krasovsky

After hours of debugging, I found a sort of solution: https://github.com/L11R/martian/commit/354563dac6198333bc52c5e5c091822aded6a6b9

I really don't understand what I did, but now it works. But I am sure that this is not a proper fix.

savely-krasovsky avatar Aug 30 '19 19:08 savely-krasovsky

I guess that this bug is related to reading net.Conn twice.

savely-krasovsky avatar Aug 30 '19 19:08 savely-krasovsky

Well, it seems the problem was caused by a deadlock. Content-Length is undefined, so it writes the response indefinitely until the client's timeout. As far as I understand it, we need to write the body in a dedicated goroutine. I used res.Write(w) instead of just cbr because the response was already consumed from the connection in the connect function.

savely-krasovsky avatar Aug 30 '19 22:08 savely-krasovsky
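The chained CONNECT this comment describes, as an added Go example that is not martian's or escobar's code: the parent proxy's reply is consumed exactly once, its body-less 200 is never copied to the client, and the two copy directions each run in their own goroutine so neither side waits until the client times out. The function names relayConnect and tunnel, and the target name example.test, are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
)

// relayConnect answers a client's CONNECT for target by asking the parent
// proxy for the same tunnel, then relays bytes until either side closes.
// The parent's reply is consumed exactly once; afterwards the parent is read
// only through br, which may already hold tunnel bytes (reading the raw
// net.Conn as HTTP again is the "reading twice" problem raised above).
func relayConnect(client, parent net.Conn, target string) error {
	if _, err := fmt.Fprintf(parent, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", target, target); err != nil {
		return err
	}
	br := bufio.NewReader(parent)
	res, err := http.ReadResponse(br, nil)
	if err != nil {
		return err
	}
	// As in the trace ("HTTP/1.0 200 ... Connection: close") there is no
	// Content-Length, so res.Body would read until the parent hangs up. Only
	// the status is checked; the body is never copied to the client.
	if res.StatusCode != http.StatusOK {
		return fmt.Errorf("parent proxy refused CONNECT: %s", res.Status)
	}
	if _, err := io.WriteString(client, "HTTP/1.1 200 Connection established\r\n\r\n"); err != nil {
		return err
	}
	tunnel(client, parent, br)
	return nil
}

// tunnel copies in both directions, each in its own goroutine, and returns
// once both finish. Closing the peer on EOF unblocks the other copy instead
// of leaving it waiting until the client's timeout.
func tunnel(client, parent net.Conn, fromParent io.Reader) {
	done := make(chan struct{}, 2)
	go func() { io.Copy(parent, client); parent.Close(); done <- struct{}{} }()
	go func() { io.Copy(client, fromParent); client.Close(); done <- struct{}{} }()
	<-done
	<-done
}
```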

I've provided a more proper fix, but now there is some mysterious deadlock in tests. I gave up 😞

savely-krasovsky avatar Aug 30 '19 22:08 savely-krasovsky

I've been having the same issue and thought that a MITM setup with a CA was the only way around this. I'll try to apply your fixes and see if it helps for now.

AltFreq07 avatar Feb 02 '20 02:02 AltFreq07

@AltFreq07 As a result I wrote my own solution from scratch (which works perfectly in my case, by the way).

savely-krasovsky avatar Feb 02 '20 12:02 savely-krasovsky

Do you have the code hosted anywhere? I would like to see how you forwarded the tunnels for an HTTP Connection method @L11R

AltFreq07 avatar Feb 03 '20 00:02 AltFreq07

@AltFreq07 yes: https://github.com/L11R/escobar

savely-krasovsky avatar Feb 03 '20 08:02 savely-krasovsky

I'm also facing the same issue. Any update on this issue?

ned-lambdatest avatar Jul 20 '21 11:07 ned-lambdatest