Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: try next proxy if dial proxy failed #32253

Closed
oiooj opened this issue May 26, 2019 · 4 comments
Closed

cmd/go: try next proxy if dial proxy failed #32253

oiooj opened this issue May 26, 2019 · 4 comments

Comments

@oiooj
Copy link
Member

@oiooj oiooj commented May 26, 2019

if we got dial error when using the proxy lists, we should try next proxy. Now only 404 and 410 will try next proxy.

Get https://proxy.golang.org: dial tcp 172.217.24.14:80: i/o timeout

We can wrap dial op error as a no exist error to implement it.

As default lists https://proxy.golang.org,direct, if some users can't access https://proxy.golang.org, they will fall back to direct, maybe we should custom the timeout para, maybe not.

/cc @rsc @bcmills

@oiooj oiooj assigned rsc and unassigned rsc May 26, 2019
@hyangah

This comment has been minimized.

Copy link
Contributor

@hyangah hyangah commented May 28, 2019

My personal preference is not to try the next proxy if the first proxy fails or isn't reachable - so the user knows the failure situation and chooses to explicitly opt out to the next proxy or gets alerted.

If we fallback to the next proxy silently in case the first proxy fails to responds, it can lead to unexpected leakage of private module paths. There could be other security implication but I will let @FiloSottile chime in.

@FiloSottile

This comment has been minimized.

Copy link
Member

@FiloSottile FiloSottile commented May 28, 2019

I can see a pretty bad scenario like

GOPROXY=http://proxy.internal,https://proxy.untrusted.example
GONOSUMDB=company.internal/foo

Since GONOSUMDB is not scoped per proxy, this would let the fallback proxy provide arbitrary answers for company.internal/foo if http://proxy.internal is unreachable. That's pretty much unacceptable.

@bcmills

This comment has been minimized.

Copy link
Member

@bcmills bcmills commented May 28, 2019

#31913 (comment) also applies to this failure mode.

(We know that the current proxy behavior is not ideal for users in China, but that's tracked separately in #31755.)

@bcmills

This comment has been minimized.

Copy link
Member

@bcmills bcmills commented May 28, 2019

Duplicate of #31913

@bcmills bcmills marked this as a duplicate of #31913 May 28, 2019
@bcmills bcmills closed this May 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.