golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

proxy.golang.org: 403 forbidden (Hetzner Hosting) #62242

Closed dev-zynko closed 11 months ago

dev-zynko commented 1 year ago

What version of Go are you using (go version)?

 golang:1.21.0-alpine3.17

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

The dockerized golang app was pushed onto a Hetzner Docker CE server which is based in Germany. On my local env, the container works but it seems like Hetzner's IPs got banned from accessing the packages.

What did you expect to see?

go: downloading github.com/klauspost/compress

What did you see instead?

err: #9 3.349 /go/pkg/mod/github.com/valyala/fasthttp@v1.45.0/compress.go:10:2: github.com/klauspost/compress@v1.16.4: reading https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip: 403 Forbidden
err: #9 3.349 /go/pkg/mod/github.com/valyala/fasthttp@v1.45.0/compress.go:11:2: github.com/klauspost/compress@v1.16.4: reading https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip: 403 Forbidden
err: #9 3.349 /go/pkg/mod/github.com/valyala/fasthttp@v1.45.0/compress.go:12:2: github.com/klauspost/compress@v1.16.4: reading https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip: 403 Forbidden
err: #9 3.349 /go/pkg/mod/go.mongodb.org/mongo-driver@v1.11.4/x/mongo/driver/compression.go:17:2: github.com/klauspost/compress@v1.16.4: reading https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip: 403 Forbidden
err: #9 ERROR: process "/bin/sh -c go build -o app main.go" did not complete successfully: exit code: 1

I was able to fix the issue by using GOPROXY='direct' but this caused just new issues like

err: #10 43.20 go: golang.org/x/sync@v0.1.0: unrecognized import path "golang.org/x/sync": reading https://golang.org/x/sync?go-get=1: 403 Forbidden

I could replace them all, but this would be tedious work. Is there a reason why Hetzner is not allowed to access and download all the packages?

If this is not a bug I am sorry for the inconvenience.

Kind regards

seankhliao commented 1 year ago

I don't think it's all of Hetzner; my stuff on there seems fine. Can you narrow it down?

dev-zynko commented 1 year ago

@seankhliao It seems to affect this range 5.75.128.0 - 5.75.255.255

At least it happens with 2 of my servers in that range. I can also open a ticket with Hetzner if they can give me more detail.

seankhliao commented 1 year ago

cc @golang/tools-team

mengzhuo commented 1 year ago

Can you try GOPROXY=https://goproxy.cn,direct?

dev-zynko commented 1 year ago

Using a different proxy makes it work.

hyangah commented 1 year ago

@dev-zynko What do you see when you try to curl the proxy urls?

curl -v -L -o /dev/null https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.info
curl -v -L -o /dev/null https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip

The zip url will return 302 with a signed URL pointing to storage.googleapis.com. Can you check if it is accessible?
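
As an added example (not part of the original thread), the helper below condenses a `curl -v -L` transcript like the ones requested here into one line per hop, so it is clear whether proxy.golang.org or the storage.googleapis.com redirect target returned the 403. The function names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise each hop of a `curl -v -L` transcript as
# "<host> <status>" and name the first hop that refused the request.

# hop_report reads a curl -v transcript on stdin.
hop_report() {
  awk '
    # curl may emit CRLF line endings; strip the CR so fields stay clean.
    { sub(/\r$/, "") }
    # Request header lines look like "> Host: proxy.golang.org".
    /^> [Hh]ost: / { host = $3 }
    # Status lines look like "< HTTP/2 302" or "< HTTP/1.1 403 Forbidden".
    /^< HTTP\// {
      code = $3 + 0
      print host, code
      if (code >= 400 && blocked == "") blocked = host " " code
    }
    END {
      if (blocked != "") print "BLOCKED_AT", blocked
      else print "OK"
    }
  '
}

# Constructed transcript (not taken from the issue): the proxy redirects,
# then the storage host refuses. Only the lines the parser needs are kept,
# and the redirect path is a placeholder.
sample_blocked() {
  cat <<'EOF'
> GET /github.com/klauspost/compress/@v/v1.16.4.zip HTTP/2
> Host: proxy.golang.org
< HTTP/2 302
< location: https://storage.googleapis.com/EXAMPLE-PLACEHOLDER
> GET /EXAMPLE-PLACEHOLDER HTTP/2
> Host: storage.googleapis.com
< HTTP/2 403
EOF
}

# Live use: curl -sS -v -L -o /dev/null "$URL" 2>&1 | hop_report
sample_blocked | hop_report
```

A `BLOCKED_AT` line naming storage.googleapis.com rather than proxy.golang.org means the proxy itself answered and the refusal came from the signed-URL download.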

dev-zynko commented 1 year ago

@hyangah

$ curl -v -L -o /dev/null https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.info

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2a00:1450:4001:82b::2011:443...
* TCP_NODELAY set
* Connected to proxy.golang.org (2a00:1450:4001:82b::2011) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [10764 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=misc-sni.google.com
*  start date: Jul 31 08:17:59 2023 GMT
*  expire date: Oct 23 08:17:58 2023 GMT
*  subjectAltName: host "proxy.golang.org" matched cert's "*.golang.org"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55ed0d1f2300)
} [5 bytes data]
> GET /github.com/klauspost/compress/@v/v1.16.4.info HTTP/2
> Host: proxy.golang.org
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< accept-ranges: bytes
< access-control-allow-origin: *
< content-length: 196
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0
< date: Fri, 01 Sep 2023 18:16:40 GMT
< expires: Fri, 01 Sep 2023 21:16:40 GMT
< cache-control: public, max-age=10800
< content-type: application/json
< age: 2816
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
{ [5 bytes data]
100   196  100   196    0     0   5157      0 --:--:-- --:--:-- --:--:--  5157
* Connection #0 to host proxy.golang.org left intact
$ curl -v -L -o /dev/null https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip

 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2a00:1450:4001:82b::2011:443...
* TCP_NODELAY set
* Connected to proxy.golang.org (2a00:1450:4001:82b::2011) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [10764 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=misc-sni.google.com
*  start date: Jul 31 08:17:59 2023 GMT
*  expire date: Oct 23 08:17:58 2023 GMT
*  subjectAltName: host "proxy.golang.org" matched cert's "*.golang.org"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5620e2cbf300)
} [5 bytes data]
> GET /github.com/klauspost/compress/@v/v1.16.4.zip HTTP/2
> Host: proxy.golang.org
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 302
< access-control-allow-origin: *
< location: https://storage.googleapis.com/proxy-golang-org-prod/37b3470a7e96ca28-github.com:klauspost:compress-v1.16.4.zip?Expires=1693670696&GoogleAccessId=gcs-urlsigner-prod%40golang-modproxy.iam.gserviceaccount.com&Signature=UXQINUNiU1OFeAaOJOkuFG%2F9w4I9DPzxRrvBbfcULgOMoJLCdetWhYQB%2FDu1OIDnmBG7s1HtCNu2R9vz6okBE%2BmcLXGlkSy993RYlmm8vBwp6dQujgV4tcbyjgKJCYX7vqOkoaGYUFlSvpfY9P0wedIp5uTRWXIHgHnBh621W%2BfxUqX5J%2BiVsHdwRgSyFoha8cqcBzHgOEhTf3M4Qed8eRLk3G6HQXZKoltWLIIyaardVeACXtwpgCuulFzr42tUSCzFNHJhVg6oB84IcH8IJKzz076sn9mr6gp0jpIwBhg%2BAAtLrhPmg5bpZHuG%2BW8BVqWJy%2FZsCAX6oKxbwmHjVw%3D%3D
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 0
< content-length: 0
< date: Fri, 01 Sep 2023 16:04:56 GMT
< expires: Fri, 01 Sep 2023 19:04:56 GMT
< cache-control: public, max-age=10800
< etag: "89f6d7e01111ef97fdfacde82a0f7e69e0e5b34f93148a9a11f75c68fd869a1b"
< content-type: application/zip
< age: 10776
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
{ [0 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host proxy.golang.org left intact
* Issue another request to this URL: 'https://storage.googleapis.com/proxy-golang-org-prod/37b3470a7e96ca28-github.com:klauspost:compress-v1.16.4.zip?Expires=1693670696&GoogleAccessId=gcs-urlsigner-prod%40golang-modproxy.iam.gserviceaccount.com&Signature=UXQINUNiU1OFeAaOJOkuFG%2F9w4I9DPzxRrvBbfcULgOMoJLCdetWhYQB%2FDu1OIDnmBG7s1HtCNu2R9vz6okBE%2BmcLXGlkSy993RYlmm8vBwp6dQujgV4tcbyjgKJCYX7vqOkoaGYUFlSvpfY9P0wedIp5uTRWXIHgHnBh621W%2BfxUqX5J%2BiVsHdwRgSyFoha8cqcBzHgOEhTf3M4Qed8eRLk3G6HQXZKoltWLIIyaardVeACXtwpgCuulFzr42tUSCzFNHJhVg6oB84IcH8IJKzz076sn9mr6gp0jpIwBhg%2BAAtLrhPmg5bpZHuG%2BW8BVqWJy%2FZsCAX6oKxbwmHjVw%3D%3D'
*   Trying 2a00:1450:4001:801::2010:443...
* TCP_NODELAY set
* Connected to storage.googleapis.com (2a00:1450:4001:801::2010) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4018 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [80 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=storage.googleapis.com
*  start date: Jul 31 08:25:19 2023 GMT
*  expire date: Oct 23 08:25:18 2023 GMT
*  subjectAltName: host "storage.googleapis.com" matched cert's "storage.googleapis.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5620e2cbf300)
} [5 bytes data]
> GET /proxy-golang-org-prod/37b3470a7e96ca28-github.com:klauspost:compress-v1.16.4.zip?Expires=1693670696&GoogleAccessId=gcs-urlsigner-prod%40golang-modproxy.iam.gserviceaccount.com&Signature=UXQINUNiU1OFeAaOJOkuFG%2F9w4I9DPzxRrvBbfcULgOMoJLCdetWhYQB%2FDu1OIDnmBG7s1HtCNu2R9vz6okBE%2BmcLXGlkSy993RYlmm8vBwp6dQujgV4tcbyjgKJCYX7vqOkoaGYUFlSvpfY9P0wedIp5uTRWXIHgHnBh621W%2BfxUqX5J%2BiVsHdwRgSyFoha8cqcBzHgOEhTf3M4Qed8eRLk3G6HQXZKoltWLIIyaardVeACXtwpgCuulFzr42tUSCzFNHJhVg6oB84IcH8IJKzz076sn9mr6gp0jpIwBhg%2BAAtLrhPmg5bpZHuG%2BW8BVqWJy%2FZsCAX6oKxbwmHjVw%3D%3D HTTP/2
> Host: storage.googleapis.com
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [282 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< x-guploader-uploadid: ADPycdu4x9_sEgJFl64XeGAn1vqZwfELok8G6-KdCgUB1w4c5kuZ62HfGiDiELHRcQhzKYvYSz18mDkkVo2Fk8dDYlBNANXaqiiw
< date: Fri, 01 Sep 2023 19:04:32 GMT
< cache-control: public,max-age=3600,must-revalidate
< expires: Fri, 01 Sep 2023 20:04:32 GMT
< last-modified: Wed, 05 Apr 2023 10:49:23 GMT
< etag: "5b5fb00757d5c7558d1febd80ec31129"
< x-goog-generation: 1680691763127712
< x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 38029082
< content-type: application/zip
< content-disposition: attachment; filename="v1.16.4.zip"
< x-goog-hash: crc32c=WIeXVw==
< x-goog-hash: md5=W1+wB1fVx1WNH+vYDsMRKQ==
< x-goog-storage-class: MULTI_REGIONAL
< accept-ranges: bytes
< content-length: 38029082
< server: UploadServer
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
{ [5 bytes data]
100 36.2M  100 36.2M    0     0  17.5M      0  0:00:02  0:00:02 --:--:-- 27.7M
* Connection #1 to host storage.googleapis.com left intact

hyangah commented 1 year ago

Thanks. @dev-zynko Seems like you no longer have an issue with https://proxy.golang.org/github.com/klauspost/compress/@v/v1.16.4.zip

And, looking into the original report, you had an issue with https://golang.org/x/sync?go-get=1 as well back then - that url doesn't involve proxy.golang.org nor sum.golang.org. It looks to me like a client-side or hosting service issue.

Or if you keep experiencing the issue, can you double check if https://golang.org/x/sync?go-get=1 works from your docker ce and other google services, and if it doesn't work, send us your ip address?

gopherbot commented 11 months ago

Timed out in state WaitingForInfo. Closing.

(I am just a bot, though. Please speak up if this is a mistake or you have the requested information.)