HTTP proxy support #2112

Closed
snej opened this Issue Mar 21, 2018 · 6 comments

@snej
Member

snej commented Mar 21, 2018

The replicator almost certainly doesn't work with HTTP proxies -- it does use NSURLSession, but via the low-level StreamSessionTask, which is just a raw TCP connection. So the system has no knowledge that we're making an HTTP connection.

In that case, we have to use the CFProxy API to find the current proxy, and talk HTTP proxy talk to it, which means putting the full URL in the first line, and using different headers and status codes for auth.

@snej snej self-assigned this Mar 21, 2018

@snej snej added the f: Replication label Mar 21, 2018

@snej snej changed the title from Proxy support to HTTP proxy support Mar 21, 2018

@raghusarangapani

raghusarangapani commented Mar 21, 2018

Library Version

2.0.0-721

Expected behavior

CBL .ios should use system proxy if configured

Actual behavior

CBL .ios is not using system proxy.
The same test works fine with Android

Steps To Reproduce

  • Set up nginx as a proxy (192.168.33.21) to forward requests to SG (192.168.33.22)
  • Set 192.168.33.21 as the system proxy - port 4984 in the iOS Settings -> WiFi -> -> More Info (!) -> HTTP Proxy -> Manual.
  • Add an iptables rule at the SG node to drop all incoming requests from 192.168.33.24 (iOS client).
  • Run any replication test case, LiteCore seems to be trying to talk directly to SG and fails:
2018-03-21 10:45:54.241998-0700 CBLTestServer-iOS[999:304174] CouchbaseLite WS Verbose: CBLWebSocket Sent HTTP request...
2018-03-21 10:45:54.250899-0700 CBLTestServer-iOS[999:304174] CouchbaseLite WS Info: CBLWebSocket CLOSED WITH ERROR: NSPOSIXError[60, "Operation timed out"]
2018-03-21 10:45:54.251445-0700 CBLTestServer-iOS[999:304174] CouchbaseLite WS WARNING: {C4SocketImpl#1}==> litecore::websocket::C4SocketImpl ws:10.17.4.140:4984/db/_blipsync
2018-03-21 10:45:54.251701-0700 CBLTestServer-iOS[999:304174] CouchbaseLite WS WARNING: {C4SocketImpl#1} Unexpected or unclean socket disconnect! (reason=errno, code=60)
2018-03-21 10:45:54.252535-0700 CBLTestServer-iOS[999:304174] CouchbaseLite WS Info: {C4SocketImpl#1} sent 0 bytes, rcvd 0, in 0.000 sec (nan/sec, nan/sec)
2018-03-21 10:45:54.253384-0700 CBLTestServer-iOS[999:304172] CouchbaseLite BLIP Info: {Connection#1} Closed with errno 60: Operation timed out

Test will pass if I flush the iptables rule on the SG node.

@snej

Member

snej commented Mar 21, 2018

Set up nginx as a proxy (192.168.33.21) to forward requests to SG (192.168.33.22)

If it's forwarding to a specific host, it doesn't sound like it's configured as a regular HTTP proxy, the kind that's used on end-user networks. Those allow connections to multiple hosts by taking the full URL on the initial HTTP request line.

@djpongh djpongh added the known-issue label Mar 21, 2018

@djpongh djpongh added this to the 2.0.0 milestone Mar 21, 2018

@djpongh djpongh added the backlog label Mar 21, 2018

@snej

Member

snej commented Mar 21, 2018

@snej

Member

snej commented Mar 21, 2018

I have basic proxy support working. I wrote down some implementation notes on the LiteCore wiki, to help @borrrden and @hideki.

snej added a commit that referenced this issue Mar 22, 2018

HTTP proxy support (incomplete)
Added support for HTTP proxies. CBLWebSocket uses the CONNECT method
to open a tunnel to the remote server, which is necessary for
WebSockets.

Proxy authentication isn’t implemented yet.

For #2112
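
The two proxy request forms mentioned in this thread (full URL in the request line, and the CONNECT tunnel from the commit above), together with the reply handling a client needs, as an added Python example that is not Couchbase Lite's code. Function names are hypothetical, the addresses come from the test setup described earlier, and the proxy replies are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ws": 80, "http": 80, "wss": 443, "https": 443}

def connect_request(url):
    """CONNECT request asking the proxy for a raw tunnel to the URL's host."""
    u = urlsplit(url)
    authority = f"{u.hostname}:{u.port or DEFAULT_PORTS[u.scheme]}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n").encode("ascii")

def absolute_form_request(url):
    """Plain (non-tunnelled) proxy request: the full URL goes in the request line."""
    u = urlsplit(url)
    return f"GET {url} HTTP/1.1\r\nHost: {u.netloc}\r\n\r\n".encode("ascii")

def parse_proxy_reply(data):
    """Split a proxy reply into (status, headers, bytes after the header block)."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block; read more bytes first")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    version, status, *_ = status_line.split(" ", 2)
    if not version.startswith("HTTP/1."):
        raise ValueError(f"not an HTTP/1.x reply: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status), headers, rest

def tunnel_outcome(data):
    """Decide what the client does next after sending CONNECT."""
    status, headers, rest = parse_proxy_reply(data)
    if 200 <= status < 300:
        # Tunnel is open: `rest` already belongs to the origin server. For wss://
        # the TLS handshake with the origin happens now, inside the tunnel, and the
        # certificate is verified against the origin's host name, not the proxy's.
        return ("tunnel", rest)
    if status == 407:
        # The proxy wants credentials: Proxy-Authenticate / Proxy-Authorization,
        # not the WWW-Authenticate / Authorization pair used by origin servers (401).
        return ("proxy-auth", headers.get("proxy-authenticate", ""))
    return ("refused", status)

if __name__ == "__main__":
    # Constructed proxy reply, not captured traffic.
    print(connect_request("ws://192.168.33.22:4984/db/_blipsync"))
    print(tunnel_outcome(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                         b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n'))
```
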
@snej

Member

snej commented Mar 22, 2018

The branch feature/proxies_2112 should work for regular HTTP (and HTTPS?) proxies. The known missing feature is authentication. It hasn't been tested yet, though.

The replication unit tests now support setting environment variables CBL_TEST_PROXY_HOST and CBL_TEST_PROXY_PORT to force use of a proxy, regardless of the system proxy settings.

@snej

Member

snej commented Mar 22, 2018

I am unclear on the rules for how SSL and proxies combine -- how you know whether to make an HTTPS connection to the proxy, and whether you have to do another TLS handshake after the CONNECT. That definitely needs to be sorted out.

@djpongh djpongh added the P2: medium label Mar 27, 2018

@djpongh djpongh removed the P2: medium label Apr 4, 2018

@djpongh djpongh modified the milestones: 2.0.0, 2.2.0 Apr 11, 2018

@djpongh djpongh added icebox and removed backlog labels Apr 11, 2018

@djpongh djpongh modified the milestones: 2.5.0, 2.1.0 Jul 10, 2018

@djpongh djpongh unassigned snej Aug 9, 2018

@djpongh djpongh modified the milestones: 2.1.0, Iridium Sep 4, 2018

@djpongh djpongh added P1: high backlog and removed icebox labels Sep 4, 2018

@djpongh djpongh removed the known-issue label Oct 29, 2018

@djpongh djpongh added ready and removed backlog labels Nov 16, 2018

@djpongh djpongh closed this Nov 16, 2018

@djpongh djpongh removed the ready label Nov 16, 2018
