connection fails with status 401: Is Drawbridge not promoting to HTTPS properly?

[holtzermann17]

I see the following when I try to connect to my app on Heroku. Local connection on http to the dev box is fine, however. Since it says that the protocol is HTTP here I wonder if that's the problem.

$ lein repl :connect https://USER:PASS@APP.herokuapp.com/repl
Connecting to nREPL at https://USER:PASS@APP.herokuapp.com/repl
ExceptionInfo clj-http: status 401 {:cached nil, :request-time 839,
:repeatable? false, :protocol-version {:name "HTTP", :major 1, :minor
1}, :streaming? true, :http-client
#object[org.apache.http.impl.client.InternalHttpClient 0x7573c7b5
"org.apache.http.impl.client.InternalHttpClient@7573c7b5"], :chunked?
false, :type :clj-http.client/unexceptional-status, :reason-phrase
"Unauthorized", :headers {"Server" "Aleph/0.4.4", "Via" "1.1 vegur",
"Content-Type" "text/plain", "X-Content-Type-Options" "nosniff",
"Content-Length" "13", "X-Frame-Options" "DENY",
"Strict-Transport-Security" "max-age=31536000; includeSubDomains",
"Www-Authenticate" "Basic realm=\"restricted area\"", "Connection"
"close", "Date" "Wed, 11 Mar 2020 18:02:20 GMT", "X-Xss-Protection"
"1; mode=block"}, :orig-content-encoding nil, :status 401, :length 13,
:body #object[clj_http.core.proxy$java.io.FilterInputStream$ff19274a
0x717a8a76
"clj_http.core.proxy$java.io.FilterInputStream$ff19274a@717a8a76"],
:trace-redirects []}
	slingshot.support/stack-trace (support.clj:201)
	clj-http.client/exceptions-response (client.clj:245)
	clj-http.client/exceptions-response (client.clj:236)
	clj-http.client/wrap-exceptions/fn--4637 (client.clj:254)
	clj-http.client/wrap-accept/fn--4883 (client.clj:737)
	clj-http.client/wrap-accept-encoding/fn--4890 (client.clj:759)
	clj-http.client/wrap-content-type/fn--4877 (client.clj:720)
	clj-http.client/wrap-form-params/fn--4986 (client.clj:961)
	clj-http.client/wrap-nested-params/fn--5007 (client.clj:995)
	clj-http.client/wrap-flatten-nested-params/fn--5016 (client.clj:1019)
	clj-http.client/wrap-method/fn--4944 (client.clj:895)
	clj-http.cookies/wrap-cookies/fn--1862 (cookies.clj:131)
Bye for now!

[holtzermann17]

I notice that this is similar to #22, but it can't be directly solved by upgrading since we're already using the latest version [nrepl/drawbridge "0.2.1"].

[mallt]

Hi @holtzermann17, I think the :protocol-version is always HTTP, f.ex:

(-> (http/get "https://www.google.com")
    :protocol-version)
;; => {:name "HTTP", :major 1, :minor 1}

I notice the :reason-phrase is Unauthorized so it seems something goes wrong during the authentication of the request.

[holtzermann17]

Thanks for that. I agree that evidence suggests it is not a problem with HTTP vs HTTPS. Still can't connect though! I have updated our middleware to exactly follow what happens in #22. However, we still get access denied. Here is a curl trace showing what I see at the moment.

curl -v -d "(+ 1 1)"  https://USER:PASS@om-exchange-staging.herokuapp.com/repl
*   Trying IP-ADDRESS...
* TCP_NODELAY set
* Connected to om-exchange-staging.herokuapp.com (IP-ADDRESS) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Heroku, Inc.; CN=*.herokuapp.com
*  start date: Apr 19 00:00:00 2017 GMT
*  expire date: Jun 22 12:00:00 2020 GMT
*  subjectAltName: host "om-exchange-staging.herokuapp.com" matched cert's "*.herokuapp.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
*  SSL certificate verify ok.
* Server auth using Basic with user 'USER'
> POST /repl HTTP/1.1
> Host: om-exchange-staging.herokuapp.com
> Authorization: Basic TOKEN
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Length: 7
> Content-Type: application/x-www-form-urlencoded
> 
* upload completely sent off: 7 out of 7 bytes
< HTTP/1.1 401 Unauthorized
< Connection: keep-alive
* Authentication problem. Ignoring this.
< Www-Authenticate: Basic realm="restricted area"
< Content-Type: text/plain
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Server: Aleph/0.4.4
< Date: Thu, 12 Mar 2020 14:07:54 GMT
< Content-Length: 13
< Via: 1.1 vegur
< 
* Connection #0 to host om-exchange-staging.herokuapp.com left intact
access denied