Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: HTTP requests sent via HTTP proxy are forwarded to the wrong host #30775

Open
noneymous opened this Issue Mar 12, 2019 · 2 comments

Comments

Projects
None yet
2 participants
@noneymous
Copy link

noneymous commented Mar 12, 2019

What version of Go are you using (go version)?

go version go1.11.2 windows/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
set GOARCH=amd64
set GOHOSTARCH=amd64
set GOHOSTOS=windows

What did you do?

I tried to send an HTTP request with a custom host header via an HTTP proxy. Sample code:

func Test(t *testing.T) {
	proxy, errParse := url.Parse("http://127.0.0.1:8080")
	if errParse != nil {
		t.Errorf("could not parse proxy URL '%s'", errParse)
	}

	// Define custom client allowing insecure SSL connections and any SSL ciphers (in case of HTTPS)
	client := &http.Client{
		Transport: &http.Transport{
			Proxy:                 http.ProxyURL(proxy),
		},
		// CheckRedirect: -> default is nil, which tells it to stop after 10 consecutive requests
	}

	// Build request
	req, errNew := http.NewRequest("GET", "http://192.168.0.01", nil)
	if errNew != nil {
		t.Errorf("could not parse proxy URL '%s'", errParse)
	}

	// Set virtual host
	req.Host = "mynotexistinghostheader1589.com"

	// Set request headers
	req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0")


	// Send request
	resp, errDo := client.Do(req)
	if errDo != nil {
		t.Errorf(errDo.Error())
	}

	fmt.Println(resp)
	return
}

What did you expect to see?

The sent request should be sent (by the proxy on behalf of me) to "http://192.168.0.01" along with the host header "mynotexistinghostheader1589.com".

When I define the web server host as "xxx" with a vhost "yyy", the proxy should do the same.

What did you see instead?

The proxy did NOT connect to 192.168.0.01 in order to send the HTTP request, but it directly tried to connect to "mynotexistinghostheader1589.com" taken from the request's host header. This is wrong, "mynotexistinghostheader1589.com" is not the server, it is just the vhost, so the request obviously could not be delivered.

Where is the bug?

I have already traced the issue. net/http/request.go:545 (line number from current master) takes data from the host header:
grafik

It should take it from the original URL, like this:
grafik

Proof

Here is a screenshot form BurpSutite, showing, that it receives the request but forwards it to mynotexistinghostheader1589.com instead of 192.168.0.01:
grafik

With my suggested fix, it is correct, like this:
grafik

@noneymous noneymous changed the title net/http HTTP requests sent via HTTP proxy are forwarded to the wrong host net/http: HTTP requests sent via HTTP proxy are forwarded to the wrong host Mar 12, 2019

@julieqiu

This comment has been minimized.

Copy link

julieqiu commented Mar 12, 2019

cc: @bradfitz

@noneymous

This comment has been minimized.

Copy link
Author

noneymous commented Mar 13, 2019

I asked myself why this was not discovered before, because it seems to be a quite common use-case. Two reason I can come up with:

  • It's only affecting HTTP requests. For HTTPS, a "CONNECT" request is created, and there it is done correctly
  • In most production environments the server has a hostname pointing to it, equal to the vhost. Then it wouldn't be a problem, you can use either vhost or hostname to establish a connection, becasue they are equal. However, in none-production environments (on the hosting side) it is quite common to have a server without hostname or DNS running multiple applications. Anyways, independent of the hosting setup, technically, the vhost should just be the header sent along and not the address to connect to.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.