SOCKS proxy support

[Anorov]

Here's the SOCKS proxy support patch.

Usage is identical to setting HTTP proxies: ProxyManager("socks4://localhost:1080") or ProxyManager("socks5://localhost:1080") (or proxy_from_url()). Default ports for both are 1080.

I added new SOCKS Connection classes in connection.py, and added a _is_socks attribute to the proxy URL that is passed to ProxyManager (on the Url object). The _is_socks attribute is used by the connection pools so that HTTP proxy negotiation steps aren't taken when the proxy has a SOCKS scheme. This could possibly be refactored (separate socks_proxy and http_proxy attributes?); tell me how you feel about the _is_socks solution.

I also touched up some other parts of the codebase, as follows, which I noticed while working through files and debugging.

• Fixed inconsistent indentation in a few places.
• Fixed some typos in comments.
• Changed __str__ methods to __repr__. __str__ automatically defers to __repr__ if it isn't already defined, but the reverse isn't true. So this keeps the same behavior while also allowing easier debugging from the REPL.
• Added a newline in the middle of the proxy connection exception message, to make it a little easier to read.

I believe this branch should currently work fine for regular usage; it seems to have no trouble with any SOCKS proxies.

However, I had many confusing issues and bugs while trying to modify the test suite. The tests are currently broken (I added raise SkipTest() in the proxy tests, for the time being). I am using Twisted for the SOCKS4 and SOCKS5 proxy servers, and added that to the test requirements.

The test issues seem to stem from the Tornado HTTP and HTTPS dummy servers. On my computer, they spat out odd SSL errors (like SSLError: [Errno 1] _ssl.c:504: error:1411B072:SSL routines:SSL3_GET_NEW_SESSION_TICKET:bad message type
and many others), and would hang seemingly randomly.

I upgraded the Tornado version in test-requirements.txt because the version listed before appeared to have a bug that prevented me (or others) from running in IPv6 mode, see here: tornadoweb/tornado#593; I had to upgrade to get IPv6-related tests to pass. I'm not sure if the upgrade has anything to do with the current issues.

I think it has something to do with trying to run Tornado in separate threads. I was not able to get multithreading to work with Twisted, so I spawned a new process for each SOCKS proxy server instead; Twisted seems to work fine, as I can connect to and use the proxy servers while the tests are running.

I would appreciate if someone could modify the tests so the HTTP servers work properly, or give me some advice on how to fix the issue. And of course, I'd appreciate any suggestions or changes for the SOCKS patch itself.

[shazow]

Thank you for your bravery, @Anorov. :)

I guess the first thing we should sort out is the testing. After that we can tackle code design tweaks (though I don't see anything superbad).

Some concerns:

• You mentioned tests were broken for you. Were you able to get them working on a clean master? What platform are you testing on?
• Sad to re-introduce Twisted into our testing framework. :( Maybe we can use something like this, just to stick with Tornado? Or maybe socket-level tests are viable with something like this? Personally I lean towards socket-level tests these days because they're usually the most bare-metal to what we're testing and introduce the least interfering cruft.
• There are a couple of small things I think we should change, like where socks_connection_from_url lives and such, but let's deal with that after. :)

Also cc other people who helped on proxy-related work, I could really use more eyes on this: @schlamar @stanvit @brendoncrawford @foxx @lukasa @sigmavirus24 @t-8ch

[Anorov]

I initially put socks_connection_from_url in util.py but later decided that since it would only be used by the connection classes, I might as well put it in connection.py. Open to suggestions about that, though.

And yeah, I wasn't terribly keen on using Twisted for this but I could not find any other decent pure-Python SOCKS4 and SOCKS5 modules; the few that I found had serious issues with them. I'm aware of many non-Python ones; those would probably be the easiest to use, but would add a lot of additional dependencies to the tests.

I had issues with socks5.py. shuttle seems to work alright, but it only supports SOCKS5 and I did not find a good corresponding SOCKS4 equivalent. Still looking around for one.

I am able to run the tests on a clean master. Only after my re-arranging of the tests to accomodate SOCKS proxies did I get issues; the issues were only being had with the HTTP, SOCKS4, and SOCKS5 proxy tests. I believe it has something to do with starting TornadoServerThreads. So the broken code is likely in dummyserver/testcase.py. I am running Xubuntu 64-bit, on an Intel CPU.

[Lukasa]

So, I can confirm the broken tests on OS X, and they're very dramatically broken. In fact, their brokenness appears to be non-deterministic, which is awesome. In three runs I got two hangs (in different tests) and one run that ran to completion but failed many tests. However, as @Anorov spotted, they all failed with SSL errors (or errors relating to SSL, or logs that indicate that HTTPS was involved).

Running each test file by itself reveals that the problem is coming from with_dummyserver/test_proxy.py (not really a shock since @Anorov already spotted that). Running just that gets way more exciting, occasionally dumping fun errors like this one:

(env)cory@corymbp:urllib3/ % ./env/bin/nosetests test/with_dummyserver/test_proxy.py
E.python2.7(5354,0x110012000) malloc: *** error for object 0x7fdf01f79790: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
[1]    5354 abort      ./env/bin/nosetests test/with_dummyserver/test_proxy.py

So I suspect, as @Anorov does, that Tornado and Twisted are getting in each other's way. I particularly wonder if they're accidentally using each others sockets. My evidence for this is that in addition to the various SSL errors that pop up I frequently see errors moaning about file descriptors, like this one, wherein Tornado attempts to stop handling a file descriptor that it was never handling to begin with:

======================================================================
FAIL: test_basic_proxy (test.with_dummyserver.test_proxy.TestHTTPProxy)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cory/tmp/urllib3/test/with_dummyserver/test_proxy.py", line 42, in test_basic_proxy
    self.assertEqual(r.status, 200)
AssertionError: 500 != 200
-------------------- >> begin captured logging << --------------------
urllib3.connectionpool: INFO: Starting new HTTP connection (1): localhost
tornado.general: ERROR: Uncaught exception, closing connection.
Traceback (most recent call last):
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/iostream.py", line 330, in _handle_events
    self.io_loop.update_handler(self.fileno(), self._state)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/ioloop.py", line 529, in update_handler
    self._impl.modify(fd, events | self.ERROR)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/platform/kqueue.py", line 45, in modify
    self.unregister(fd)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/platform/kqueue.py", line 49, in unregister
    events = self._active.pop(fd)
KeyError: 15
tornado.access: INFO: 200 GET / (127.0.0.1) 1.60ms
tornado.application: ERROR: Exception in I/O handler for fd 15
Traceback (most recent call last):
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/ioloop.py", line 672, in start
    self._handlers[fd](fd, events)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/stack_context.py", line 331, in wrapped
    raise_exc_info(exc)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/stack_context.py", line 302, in wrapped
    ret = fn(*args, **kwargs)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/iostream.py", line 330, in _handle_events
    self.io_loop.update_handler(self.fileno(), self._state)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/ioloop.py", line 529, in update_handler
    self._impl.modify(fd, events | self.ERROR)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/platform/kqueue.py", line 45, in modify
    self.unregister(fd)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/platform/kqueue.py", line 49, in unregister
    events = self._active.pop(fd)
KeyError: 15
tornado.application: ERROR: Uncaught exception GET http://localhost:56221/ (127.0.0.1)
HTTPRequest(protocol='http', host='localhost:56221', method='GET', uri='http://localhost:56221/', version='HTTP/1.1', remote_ip='127.0.0.1', headers={'Host': 'localhost:56221', 'Accept-Encoding': 'identity', 'Accept': '*/*'})
Traceback (most recent call last):
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/web.py", line 1115, in _stack_context_handle_exception
    raise_exc_info((type, value, traceback))
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/stack_context.py", line 302, in wrapped
    ret = fn(*args, **kwargs)
  File "/Users/cory/tmp/urllib3/dummyserver/httpproxy.py", line 53, in handle_response
    self.set_status(response.code)
  File "/Users/cory/tmp/urllib3/env/lib/python2.7/site-packages/tornado/web.py", line 284, in set_status
    raise ValueError("unknown status code %d", status_code)
ValueError: ('unknown status code %d', 599)
tornado.access: ERROR: 500 GET http://localhost:56221/ (127.0.0.1) 26.84ms
urllib3.connectionpool: DEBUG: "GET http://localhost:56221/ HTTP/1.1" 500 93
--------------------- >> end captured logging << ---------------------

Running just the proxy test and dumping the traffic with tcpdump reveals that we're not doing any SSL at all. I also don't see any traffic to or from ports 1080 or 1081, which should be where we're running the SOCKS proxies. That last bit of information seems most telling to me.

[shazow]

If memory serves, we had all kinds of fun non-deterministic stuff back when we had Twisted instead of Tornado for our dummyserver. I don't think we ever quite got Twisted working properly.

[Anorov]

@Lukasa Yep, that's exactly the behavior I observed. I was pulling my hair out for a while. Once I started seeing malloc errors I threw in the towel.

I temporarily "commented out" (added raise SkipTest) to the SOCKS tests, which may be why you aren't seeing 1080/1081 traffic if you didn't amend that. When testing on my own, I was able to manually connect to the SOCKS servers through my browser (I added a time.sleep(9999) immediately after the proxy server was started).

Though, if you did leave those SkipTests, that would mean Twisted wasn't running at all, which would indicate the core problem is elsewhere.

I don't actually think Tornado ioloops are supposed to be kicked off in separate threads; if so, that might explain quite a bit. I observed that TornadoServerThread._start_server() is called alone in some places: I don't think this actually starts the thread. And when I used just _start_server() in the _start_http_servers() class method, the HTTP servers would hang indefinitely when any request was sent to them.

_start_server() is already called in TornadoServerThread.run(), so I changed the calls (in the proxy tests) from _start_server() to .start(), which should spawn a thread as well as start the server. And after I did that, my hanging issue disappeared but all the other indeterministic problems began. So it's all a mess at this point.

Either way, I definitely think we should try and find non-Twisted alternatives for both SOCKS servers. If worse comes to worst, I suppose one of us (maybe me) can extend shuttle (which runs on Tornado) to also do SOCKS4. The core code is already there, it's just slightly different protocol negotiation logic.

The repo is here: https://github.com/ccp0101/shuttle

In config.py, set upstream = "upstreams.local.LocalUpstream" for regular tunneling.

[schlamar]

I don't actually think Tornado ioloops are supposed to be kicked off in separate threads;

No, that is not true: "Atypical applications may use more than one IOLoop, such as one IOLoop per thread, or per unittest case." (http://www.tornadoweb.org/en/stable/ioloop.html)

I observed that TornadoServerThread._start_server() is called alone in some places: I don't think this actually starts the thread. And when I used just _start_server() in the _start_http_servers() class method, the HTTP servers would hang indefinitely when any request was sent to them.

The code flow in the dummyserver test cases is really strange at some places, but last time I touched the Tornado tests (#226) I was pretty sure that I fixed all this issues with Tornado. But I'll have a look again.

[schlamar]

BTW, Twisted installation via pip is not officially supported: http://twistedmatrix.com/trac/wiki/FrequentlyAskedQuestions#CanIinstallTwistedusingeasy_installorpip

[Lukasa]

BTW, Twisted installation via pip is not officially supported: http://twistedmatrix.com/trac/wiki/FrequentlyAskedQuestions#CanIinstallTwistedusingeasy_installorpip

Well that's crap.

[schlamar]

Well that's crap.

No, pip install twisted fails on Windows.

[schlamar]

Ok, the main issue is the upgrade to Tornado 3.x and its changes to IOLoop.instance.

On master and with Tornado 2.x, we use one global IOLoop (which we get by calling IOLoop.instance) and run it in one thread, so it is intentional that we call _start_server because this will link the web application with the global IOLoop, which is later started in the proxy thread (see c6629d4).

On Tornado 3.x IOLoop.instance returns a thread specific IOLoop, so the web application started in _start_server is linked to the MainThread's IOLoop (which is never started) so there is obviously a dead lock.

If you want to make the tests compatible with Tornado 3.x you should create a global IOLoop on your own and pass them explicitly to the calls of HTTPServer (see http://www.tornadoweb.org/en/branch3.1/httpserver.html#tornado.httpserver.HTTPServer). I don't think that the upgrade to Tornado 3.x is necessary at all. But if you want to I would suggest that you make this in a separate PR.

[Lukasa]

@schlamar I didn't mean 'crap' as in 'wrong', I meant 'crap' as in 'tragic'. =D

[schlamar]

Btw, it should be possible to run multiple threads with IOLoops but there are some race conditions which are hard to track down so I would strongly suggest keeping the single thread solution.

[Lukasa]

Can we just use one event loop for everything? http://www.tornadoweb.org/en/latest/twisted.html

[schlamar]

On Tornado 3.x IOLoop.instance returns a thread specific IOLoop, so the web application started in _start_server is linked to the MainThread's IOLoop (which is never started) so there is obviously a dead lock.

Despite these changes Tornado 3.x works on master (because we run the MainThread's IOLoop in the thread). So I'm not sure what you have done wrong. Probably you didn't start any thread at all?!

[schlamar]

I think I'm going to refactor the dummyserver test cases slightly (on master) to make more clear what's going on.

[schlamar]

#287

[shazow]

@schlamar's very appreciated improvements to our dummyserver have been merged.

Feel free to rebase --force this branch onto master to see if we can get some extra sanity.

[Anorov]

@schlamar Thank you for investigating this. The reason I upgraded Tornado to version 3 is due to this bug: tornadoweb/tornado#593

With the older version used in the test suite, any unit test that involved IPv6 would cause bind_sockets to raise getaddrinfo exceptions on my computer. Upgrading immediately fixed that problem.

Will rebase.

[mcuelenaere]

@Anorov any updates on this? If not, I'm willing to look into rebasing this myself (but I'd rather not do duplicate work, hence the question).

[Anorov]

@mcuelenaere I had a bit of trouble with merging a few things, but the rebase has been made and I'll be updating this pull in the near future.

[kevinburke]

Any update here?

[shazow]

@Anorov Anything we can help with?

[Anorov]

Sorry, my laptop died unfortunately. Just got a new one. I have to modify things a little bit more based on master changes, but I should have everything pushed here by next week.

At this point it might be easier for me to scrap this pull and re-do my changes to master, since I have to rewrite a fair bit of the tests, then make another pull. Is it okay if I do that, or should I just rebase again?

[shazow]

Up to you. :) Retaining this thread is preferred, but if it's too much of a pain then a new PR is acceptable.

You could start a new branch, make your changes, rename it to the old branch's name and force-push it. That should keep this thread while making all the changes new.

[schlamar]

You could start a new branch, make your changes, rename it to the old branch's name and force-push it. That should keep this thread while making all the changes new.

(It might be even possible to force push the new branch without a local rename with git push -f origin old-branch)

[Anorov]

So, a few questions while I was mulling through connection.py.

VerifiedHTTPSConnection starts off with this connect method:

    try:
        sock = socket.create_connection(
            address=(self.host, self.port),
            timeout=self.timeout,
        )
    except SocketTimeout:
        raise ConnectTimeoutError(
            self, "Connection to %s timed out. (connect timeout=%s)" %
            (self.host, self.timeout))

As far as I can tell, neither HTTPConnection nor HTTPSConnection have that connect timeout wrapping.

Also, the socket.create_connection in VerifiedHTTPSConnection doesn't pass source_address here, despite the other 2 classes doing so. Both the other classes have:

    try:
        conn = socket.create_connection(
            (self.host, self.port),
            self.timeout,
            self.source_address,
        )
    except AttributeError: # Python 2.6
        conn = socket.create_connection(
            (self.host, self.port),
            self.timeout,
        )

This attribute existence check is only in VerifiedHTTPSConnection, but the same problem would affect every other Connection class:

    # the _tunnel_host attribute was added in python 2.6.3 (via
    # http://hg.python.org/cpython/rev/0f57b30a152f) so pythons 2.6(0-2) do
    # not have them.
    if getattr(self, '_tunnel_host', None):
        self.sock = sock
        # Calls self._set_hostport(), so self.host is
        # self._tunnel_host below.
        self._tunnel()

Basically, it seems like VerifiedHTTPSConnection is missing 2 fairly recent changes, and has 1 check (existence of _tunnel_host attribute) that everything else is missing. So it's kind of isolated from the rest of the file.

Should I try and remediate those 3 issues, including wrapping ConnectTimeout for all 3 classes? It would only be a few quick changes.

[Anorov]

Here is my new proposed version of connection.py:

https://gist.github.com/Anorov/9129376

I resolved the above issues, integrated SOCKS support, and also cleaned up some of the redundant conn, sock, and self.sock ambiguity in some parts, in favor of just modifying the instance variable each time. That last part is a bit ugly, but it accomodates _tunnel() better than the old version, I think.

I made the SOCKS modifications much simpler, without introducing any new classes; the disadvantage is that all HTTPConnection classes have a little bit of logic in their __init__ now. socks_connection_from_url was moved to util.

I also think we could simplify HTTPSConnection.__init__, see: https://gist.github.com/Anorov/9129376#file-connection-py-L137

Before I continue with the rest of the modifications and tests, I'd like comments on these changes.

[shazow]

@Anorov The gist seems fine, some style comments aside. :)

Re: fixing extra things, up to you. If you'd like to fix them in a separate earlier PR, that's cool too. :)

[schlamar]

If you'd like to fix them in a separate earlier PR

That would be great. Or at least a separate commit

[AlJohri]

looking forward to this!

[shazow]

Sorry this has stagnated over the months.

I'd still love your help @Anorov. I may have some time to invest in some urllib3 features next month, this will be near the top of my list. :)

[a3nm]

Hello, has any progress been made on this? Is it possible to help somehow?

[Anorov]

Sorry for basically going AWOL on this. I've been really busy with school and work in the past few months.

Basically I just need to hunker down, write the full test suite for this while taking into consideration some of the changes to the dummy servers, then re-apply something close to the commits I already have here.

[a3nm]

No worries! It'll be great when you find the time, as I believe this will allow requests to have SOCKS support also, which I'm trying to use (until now I used requesocks, but it's outdated and I just found out it had an annoying bug). Thanks a lot for your work on this! :)

…

On Sat, Jun 07, 2014 at 02:52:27PM -0700, Anorov wrote: Sorry for basically going AWOL on this. I've been really busy with school and work in the past few months. Basically I just need to hunker down, write the full test suite for this while taking into consideration some of the changes to the dummy servers, then re-apply something close to the commits I already have here. --- Reply to this email directly or view it on GitHub: https://github.com/shazow/urllib3/pull/284#issuecomment-45422161