New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPS Proxy Connections don't play with with Connection: Close. #295
Comments
Ok, so I think I've worked out the problem. We do a test to confirm that the connection is still up in sock = getattr(conn, 'sock', False)
if not sock: # Platform-specific: AppEngine
return False However, that doesn't match with what def close(self):
"""Close the connection to the HTTP server."""
if self.sock:
self.sock.close() # close it manually... there may be other refs
self.sock = None
if self.__response:
self.__response.close()
self.__response = None
self.__state = _CS_IDLE
That leads me to another question: this code looks wrong to me. Why isn't it wrong? From # If this is a persistent connection, check if it got disconnected
if conn and is_connection_dropped(conn):
log.info("Resetting dropped connection: %s" % self.host)
conn.close()
return conn or self._new_conn() If the connection is dropped, it looks like this code branch will simply return the now-closed connection. Which seems wrong to me. Is it wrong? |
Perhaps we should be setting |
The code attempts to reuse existing Making a request with a closed socket should reopen it (this works because all the details remain the same—host, port, flags, etc). |
Really? I have never heard of this. So, you can do a socket.connect() on a closed socket, that was previously connected? |
Correct. Should be easy to test if I'm wrong. |
This is affecting us very badly. Any idea when this will be fixed? |
:( Sorry to hear that, @botouser. If you'd be interested in writing a fix/test for this, it would be much appreciated. @Lukasa Do we have any updates on this issue? |
Ah, no, this slipped off my radar, sorry. =( Based on my prior analysis (assuming it's right, no guarantees there), the simplest fix would probably be to update |
It seems that Paypal is now sending back Connection: Keep Alive so I don't hit the fancy error. I did, however, configure mitmproxy to override that header and send back Connection: Close to urllib3 so while the connections might still work I was able to check the type/value of sock in The patch is very straightforward, I do wish we could have a server to test on though. Maybe proxy to another app running locally? Or use a mock... |
Would be handy to do a socket-level test for this. @jschneier Could you share this patch? :) PR is appreciated. |
A test would be handy, yeah. I haven't sent any PR become something still confuses me: The interesting thing is that although strictly speaking our logic is wrong (the connection is dropped when we say it isn't) there wouldn't be much difference if it was right. Here's what I mean: if we add the check So I'm wondering if there is some weird edge case with proxies, redirects and SSL or if this was a bit of a wild goose chase where we found a different bug that luckily doesn't cause issues (maybe we just switch the name to Regardless, I'd like an actual reproducible scenario for this one, do you have one @botouser? edit: I actually did manage to find a different host that does the same redirect and issues Connection: close (https://nytimes.com) but still no error. |
@shazow You write:
I believe this isn't true for tunneled connections. |
Mmm, that's no good. Would love any help on this. :) |
Thanks everyone for all your hard work on this issue. Like @botouser, this issue is also affecting me pretty badly so I truly appreciate your efforts. Keep up the good work! If I see something that may help I'll be sure to chime in. |
@mliu7 can you share with us the set up/configuration that reproduces this issue. I've had trouble reproducing it in the past and having one would be extremely helpful. |
@jschneier, my colleague @kriwil will chime in since he's the guy who has been working on this particular feature for us. |
False alarm. We're using requests 2.2.1 which uses old urllib3 (vendored). Updating the requests to latest master fixes the issue. Sorry @mliu7 @jschneier. |
Soooo is this safe to close? |
also yes i think this is safe to close at this point. |
This was actually spotted on StackOverflow.
To reproduce, set up a proxy that can handle the CONNECT verb (e.g. mitmproxy), then do as follows:
You hit a nice big fancy error:
This can be more clearly reproduced by turning off redirects:
This is almost certainly because PayPal is sending back
Connection: Close
in the headers. This causes mitmproxy to close the upstream connection and our connection to it, but we don't remove the connection from the pool.The text was updated successfully, but these errors were encountered: