-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SocketsHttpHandler should throw instead of returning proxy response message when proxy tunnel creation fails #48679
Comments
Tagging subscribers to this area: @dotnet/ncl Issue DetailsDescriptionFor secure HTTP connections, we attempt to create a proxy tunnel using the CONNECT method against the proxy endpoint. This allows us to create an end-to-end secure SSL connection between client and destination server. If the proxy CONNECT request fails, (i.e. returns a status other than 200), we return the proxy's response to the user. However, this means the user can't distinguish whether the response came from the proxy or the destination server. This is problematic because the user is using SSL and thus reasonably expects that any response has been securely delivered via the end-to-end secure connection. I think we should change this behavior, and instead throw an HttpRequestException when a proxy tunnel CONNECT request fails. Something like Note that for non-secure requests, we always return the proxy response and the user can't tell whether the response came from the destination server unmodified, or was modified by the proxy, or was simply generated by the proxy without even contacting the destination server. This is intentional; for non-secure requests, proxies are explicitly allowed to do whatever they want to a request, including modifying it, blocking it entirely, etc.
|
make sense to me. basically treat CONNECT failures as form of connect() failure. How about authentication failures? They should have distinct status code, right? |
Yeah, an auth failure will show up as a 407 status code. |
Description
For secure HTTP connections, we attempt to create a proxy tunnel using the CONNECT method against the proxy endpoint. This allows us to create an end-to-end secure SSL connection between client and destination server.
If the proxy CONNECT request fails, (i.e. returns a status other than 200), we return the proxy's response to the user. However, this means the user can't distinguish whether the response came from the proxy or the destination server. This is problematic because the user is using SSL and thus reasonably expects that any response has been securely delivered via the end-to-end secure connection.
I think we should change this behavior, and instead throw an HttpRequestException when a proxy tunnel CONNECT request fails. Something like
"The proxy tunnel request to proxy {proxyUri} failed with status code {statusCode}."
Note that for non-secure requests, we always return the proxy response and the user can't tell whether the response came from the destination server unmodified, or was modified by the proxy, or was simply generated by the proxy without even contacting the destination server. This is intentional; for non-secure requests, proxies are explicitly allowed to do whatever they want to a request, including modifying it, blocking it entirely, etc.
The text was updated successfully, but these errors were encountered: