-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http: proxy returns 503 response but http client returns error #30560
Comments
@nnathan can you please provide a sample program that someone else can use to reproduce the problem you are having. Thank you. |
Sure. The program kind of relies on squid running that responds with a 503 and returns an X-Squid-Error header.
main.go:
To run: (change the https above to http to observe the different behaviours, whereby https will return a error on the GET and http will return a proper response) With http://www.google.com:
With https://www.google.com:
And with https://www.google.com/ bypassing the healthcheck and using the proxy directly:
|
Thank you for your reply. Can you please try to reduce the program. I suggest removing the http server by moving the logic from the anonymous |
Yep sure. So here is a condensed version without http server cruft from earlier:
Here is the output when running using the proxy:
|
I think the problem is the mechanisms between http proxying, which issues a GET with the full URL and https proxying which uses the connect verb. Can you confirm the problem only occurs when you proxy https connections via squid?
… On 4 Mar 2019, at 17:05, Naveen Nathan ***@***.***> wrote:
Yep sure.
So here is a condensed version with the http server:
package main
import (
"log"
"net/http"
)
func try(url string) {
log.Printf("trying url: %s", url)
resp, err := http.Get(url)
if err != nil {
log.Printf("error: %v", err)
return
}
if resp.StatusCode == 503 {
resp.Body.Close()
squidErr := resp.Header.Get("X-Squid-Error")
if squidErr != "" {
log.Printf("squid failure error detected, X-Squid-Error: %s", squidErr)
return
}
}
log.Printf("Everything OK - no squid errors")
}
func main() {
try("http://www.google.com")
try("https://www.google.com")
}
Here is the output when running using the proxy:
$ http_proxy=http://127.0.0.1:3128 https_proxy=http://127.0.0.1:3128 ./cc
2019/03/04 06:02:44 trying url: http://www.google.com
2019/03/04 06:03:19 squid failure error detected, X-Squid-Error: ERR_DNS_FAIL 0
2019/03/04 06:03:19 trying url: https://www.google.com
2019/03/04 06:03:19 error: Get https://www.google.com: Service Unavailable
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
This problem occurs specifically when proxying https connections which uses the CONNECT verb. What I've learned is that there are two responses: a response for the CONNECT, and a response for the (tunnelled) proxy request. I guess it makes sense to treat a non-successful response to CONNECT as an error, however this means a loss of information of the underlying error (which in this case is embedded as an X-Squid-Error header). For my purposes this isn't a huge issue, checking the response from a regular HTTP request is sufficient. |
Also got surprised by this. The error originates when a non-200 is received for Agree with @nnathan that it makes sense this is considered a sub-HTTP error, but given that the errors end up with HTTP Statuses it's very confusing. Feels like the appropriate change here is a more informative error - e.g |
I've also hit this, with a similar use case -- a proxy that blocks access to certain domains and returns additional structured error info as an HTTP header on the failed It would be nice if either |
I am also observing similar issue in the environment, where squid is throwing 503 error. Is their any workaround for this issue, which anyone found? |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I'm running a squid proxy server listening on 127.0.0.1:3128 which is running as squid user with an iptables rule that drops outgoing port 53 packets emitted by the squid user. This forces squid to respond to all proxied requests using a dns name with a 503 response carrying a header
X-Squid-Error: ERR_DNS_FAIL 0
.I'm also writing a go program that performs a healthcheck when squid returns a response with X-Squid-Error header by making a proxied GET request to a URL using the default http client. The proxying is enabled using the http_proxy and https_proxy environment variables.
When querying a HTTP URL the http client returns the 503 response from squid with the X-Squid-Error header.
What did you expect to see?
When querying a HTTPS URL the http client should return the 503 response from squid.
What did you see instead?
When querying a HTTPS URL the http client returns an error and nil response, with the error returning "Get https://www.google.com: Service Unavailable".
The same query to https://www.google.com using curl with the https_proxy environment variable set returns the squid 503 response.
The text was updated successfully, but these errors were encountered: