-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hoverfly hangs with Netty HttpProxyHandler #650
Comments
@ttiurani, as I mentioned in your original issue, the Netty proxy always uses CONNECT method even it is an HTTP request, hence the error from Go: |
If I understand correctly, it seems to me that Hoverfly (via Go) here is in the wrong and shouldn't mandate TLS after CONNECT? Is this fixable in Hoverfly? |
The issue at: was closed with info about this. Netty's proxy handler does CONNECT always and is not wrong to do so. I ran into this when using Spring Webflux, which is a big part of Spring 5.0.0, which is now at the last RC before release. So I would guess that a significant number of Spring users will run into this problem when using Hoverfly. If Hoverfly wants to support Spring, I would guess this should be fixed here? |
You are right, Netty proxy does the right thing according to this: https://tools.ietf.org/html/rfc7231#section-4.3.6. A proxy should be able to handle |
The RFC also says:
There are implications to changing this that we need to understand. |
@JohnFDavenport At least for my use case this could be a configuration setting or startup parameter in Hoverfly, and the current behaviour the default? In fact, I could live with having a switch in Hoverfly to just turn off all TLS handling, as I can configure the endpoint addresses in my app. |
@tommysitu How are you able to produce this error?:
I've tried this which reproduces the timeout (I think), but the logs are empty when I check:
|
@mogronalol you can have a look at the original reactor/reactor-netty#159, and run the test from the reactor-netty project, but it is not straight forward. I will try sharing what I've got with you later. |
Any progress to report? Would a better Hoverfly-specific test case speed this up? I'd be happy to try to hack some "skipSslForConnect=true" thingy together myself, as this is blocking quite a lot of things for me. Spring 5.0.0 has been released and v0.7.0 of reactor-netty that comes with this, has this problem. |
For some reason GitHub isn't showing the link to the other issue: I've isolated the problem in an upstream library (GoProxy), but it has made me more skeptical about Netty's CONNECT only approach to using a proxy. As a CONNECT request is the same regardless of HTTP or HTTPS there is no way of a proxy knowing what to do. The only way of figuring it out is to peek the first few bytes of the request and figure out whether they are encrypted or not. Whilst this is possible I personally feel that this approach is very hacky. Until this every other client I have worked with used CONNECT for HTTPS only meaning it is simple for a Proxy to know whether the traffic is TLS or not. Curl is a good candidate for testing this. The other option is for the client (Hoverctl) to instruct Hoverfly whether it should do HTTP or HTTPS with CONNECT on a specific port, again feeling brittle. |
I think a byte peeking solution is probably the best route over changing the client, but this will need to be a contribution to the GoProxy library. I'm not sure when we will be able to implement this, but PR's will be welcome if you want to try and do it. |
"The other option is for the client (Hoverctl) to instruct Hoverfly whether it should do HTTP or HTTPS with CONNECT on a specific port" I would be delighted about something like this. Anything that allows me to use Hoverfly any which way is better than the current. Could there be even in the simulation.json some sort of "disableTlsOnConnect" custom flag, next to Hoverfly version? Even just "disableTls" would work for me? |
That is: the goproxy peek byte route is of course "better", but if it will be slow to get merged and still unsatisfactory even if it does work, having at least some way to get netty support, is better than nothing. Also a "tlsOnlyForPort443" would be just fine for me. |
Unfortunately I haven't had time to look at this further, any news? It might be a good idea to change the heading of this to something like "Hoverfly hangs with Netty HttpProxyHandler", so that other Netty users find this issue. |
@ttiurani I have added the |
@tommysitu awesome, thank you! I'll try my best to find time to test this asap (also I can try to do a PR for hoverfly-java for this). |
I can verify that using the -plain-http-tunneling patch I can, with the latest reactor-netty, get my test to work, whereas without it or with using an older hoverfly version, the test fails. |
Nice, we will do a minor release at some point. |
@tommysitu Unfortunately with better debugging I found out, that although I can get around the ssl problem with
when Now for hoverfly to be useful, it of course shouldn't be mandatory that the host that is simulated, needs to actually resolve before the mocking? Am I missing something here? |
I did some digging, and the problem is that the https://github.com/elazarl/goproxy/blob/master/https.go#L130 which then fails, because it does a normal go Transport.Dial. But it might be possible to override that functionality by implementing a custom ConnectDial function, as is specified here: https://github.com/elazarl/goproxy/blob/master/proxy.go#L27 Would it be possible to create such a dummy ConnectDial override in hoverfly for this |
@ttiurani When I ran your test with this new flag, it passed. So I don't quite understand what the new problem is. Could you let me know how to reproduce the error using this example: ttiurani/reactor-netty@790b82d |
@tommysitu The problem is that my test works only if it can actually connect to Now as I'm using Hoverfly as a mock server to debug Kubernetes paths, such as If I understand the codebase correctly, this could possible be fixed by creating a new Line 42 in aa3655e
for Disclaimer: I've never written even one line of go so might be just plain wrong. |
@ttiurani, this PR SpectoLabs/goproxy#1 should fix your problem. The |
Nice, thanks! Is that change testable with some hoverfly @tommysitu ? Do you need to upstream the PR before you can create a new hoverfly version? |
@tommysitu I can verify that now the gradle test works after building from the I'll try to get the Spring 5 Java test also verified soon. But looks good now! |
@tommysitu I'm not completely sure that everything is working as it should, but I now got a
when trying to use the same binary through Spring and hoverfly-java. Any ideas as to what might be wrong? This is a new error. I'm running in simulation mode, and this only happens with |
It works for me when I have updated |
You're right, it was the wrong binary, sorry for the noise. My Spring 5 webflux test now passes, so a release is more than welcome. Thank you! |
The fix is now released in v0.15.0. What a long thread! Thank you for your patience @ttiurani |
We hit that issue today and we struggled a little bit because of an issue on our side: We did:
which actually should be:
Would be nice if the hoverfly command could return an error if it doesn't recognised a parameter or just say it is ignoring it. Anyway, the main idea of my comment was if someone else is stuck and hit that thread, remember to verify you put '-plain-http-tunneling' after the 'hoverfly' command. |
Cross-referencing issue raised by @ttiurani here
The text was updated successfully, but these errors were encountered: