search

pyamsoft / tetherfi

TetherFi - Internet sharing without Root
Apache License 2.0
428 stars 36 forks source link

Unable to browse the "National Health Insurance Administration Ministry of Health and Welfare, Taiwan" website via TetherFi(Error 502) #349

Open brlin-tw opened 3 weeks ago

brlin-tw commented 3 weeks ago

Other websites browse fine, but I am unable to browse this specific website via TetherFi for some reason: National Health Insurance Administration Ministry of Health and Welfare

The page just stuck at loading for a very long time and returns a timeout error(NS_ERROR_NET_TIMEOUT).

Testing request using curl returns a 502 Bad Gateway response after around 2 minutes and 10 seconds(sample size = 5):

$ curl --verbose https://www.nhi.gov.tw/
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'http://192.168.49.1:8228/'
*   Trying 192.168.49.1:8228...
* Connected to 192.168.49.1 (192.168.49.1) port 8228
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.nhi.gov.tw:443
> CONNECT www.nhi.gov.tw:443 HTTP/1.1
> Host: www.nhi.gov.tw:443
> User-Agent: curl/8.5.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 502 Bad Gateway
< 
* CONNECT tunnel failed, response 502
* Closing connection
curl: (56) CONNECT tunnel failed, response 502

The developer log indicates that there's a connection timed out java.net.ConnectException, but nothing else.

[D] First time seeing client: IpAddressClient(ip=192.168.49.46, nickName=, mostRecentlySeen=2024-11-05T23:44:23.746, transferLimit=null, bandwidthLimit=null, totalBytes=ByteTransferReport(internetToProxy=0, proxyToInternet=0), limiter=BandwidthLimiter(mutex=Mutex@6176522[isLocked=false,owner=<NO_OWNER>], amount=kotlinx.coroutines.flow.StateFlowImpl@3129bb3)) 
[D] Updated foreground notification: NotifyId(id=42069): ServerNotificationData(status=Running, clientCount=1, blockCount=0) 
[D] HTTP: Clear out old closed sockets Old=1 New=1 
[D] HTTP: Clear out old closed sockets Old=1 New=1 
[E] HTTP: Error during Internet exchange HttpProxyRequest(method=CONNECT, valid=true, host=www.nhi.gov.tw, port=443, version=HTTP/1.1, raw=CONNECT www.nhi.gov.tw:443 HTTP/1.1, file=/) IpAddressClient(ip=192.168.49.46, nickName=, mostRecentlySeen=2024-11-05T23:44:23.746, transferLimit=null, bandwidthLimit=null, totalBytes=ByteTransferReport(internetToProxy=0, proxyToInternet=0), limiter=BandwidthLimiter(mutex=Mutex@6176522[isLocked=false,owner=<NO_OWNER>], amount=kotlinx.coroutines.flow.StateFlowImpl@3129bb3))
java.net.ConnectException: Connection timed out
 at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
 at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:762)
 at io.ktor.network.sockets.SocketImpl.connect$ktor_network(SourceFile:87)
 at io.ktor.network.sockets.SocketImpl$connect$1.invokeSuspend(Unknown Source:12)
 at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(SourceFile:9)
 at kotlinx.coroutines.DispatchedTask.run(SourceFile:107)
 at com.google.android.gms.tasks.zzi.run(SourceFile:11)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
 at java.lang.Thread.run(Thread.java:1012)
 Connection timed out
[D] HTTP: Clear out old closed sockets Old=1 New=0

Website browse without issue on the phone.

Additional information

TetherFi

49 from Google Play

Android

14 (AP2A.240905.003)

Phone

Google Pixel 8 Pro

pyamsoft commented 3 weeks ago

That line about Google GMs package in the connection timeout is Interesting

TetherFi does not use any google library outside of the billing code, so I wonder why this google line and the ktor code are getting used in the same stack. I will look.

Are you able to access the website fine normally? Do other proxies or VPNs work?

brlin-tw commented 3 weeks ago

@pyamsoft

Are you able to access the website fine normally?

Without the proxy, yes.

Do other proxies or VPNs work?

I noticed that when I started a SimpleSSHD service on the phone, connected to the service using the SSH client on the PC, and attempted to connect to the same website via the SOCKS service of the SSH client's DynamicForward feature a similar connection hang behavior occurred:

$ time https_proxy=socks5h://127.0.0.1:1080 curl --verbose https://www.nhi.gov.tw
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'socks5h://127.0.0.1:1080'
*   Trying 127.0.0.1:1080...
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* SOCKS5 connect to www.nhi.gov.tw:443 (remotely resolved)  *stuck at here*

though in this case after a similar 2m10s duration, a valid response does eventually return:

* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 / rsaEncryption
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=TW; L=\U81FA\U5317\U5E02; O=\U885B\U751F\U798F\U5229\U90E8\U4E2D\U592E\U5065\U5EB7\U4FDD\U96AA\U7F72; CN=*.nhi.gov.tw
*  start date: Jul 17 10:56:26 2024 GMT
*  expire date: Aug 16 15:59:59 2025 GMT
*  subjectAltName: host "www.nhi.gov.tw" matched cert's "*.nhi.gov.tw"
*  issuer: C=TW; O=Chunghwa Telecom Co., Ltd.; OU=Public Certification Authority - G2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha1WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.nhi.gov.tw
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Location: /ch/mp-1.html
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=edge
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Content-Security-Policy: form-action 'self';frame-ancestors 'self';default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ws.csptc.gov.tw nhifile-nhi.cdn.hinet.net i.ytimg.com www.google.com.tw *.googletagmanager.com www.google-analytics.com *.googleapis.com *.gstatic.com *.google.com *.facebook.com *.facebook.net *.doubleclick.net *.youtube.com;
< Date: Tue, 05 Nov 2024 16:56:00 GMT
< Set-Cookie: TS01bdd66b=01d4478401d8e8e817ad79d4ed7a4dce1decf0e8c6bace515deb14a77858e0440a93ff4bc2ab4a56de4373a35849b1877ac6085025; Path=/; Domain=.www.nhi.gov.tw
< Transfer-Encoding: chunked
< 
* Connection #0 to host 127.0.0.1 left intact

real    2m10.163s
user    0m0.025s
sys 0m0.014s
pyamsoft commented 3 weeks ago

Interesting, I will take a look and see if I can figure out more, thanks for the logs!

brlin-tw commented 3 weeks ago

I noticed that this problem is not reproduced when PCAPdroid is capturing the network packets(via emulating a system VPN connection) for some reason.

pyamsoft commented 3 weeks ago

If its taking almost 2 minutes for a non VPN socks proxy to get a response, TetherFi is probably timing out because we kill connections after 1 minute.

Version 50/51 reduces this even further to 10 seconds to save memory.

I will make this timeout user configurable, to allow you to wait longer. Assuming the website just throttles Proxy connections for whatever reason, perhaps this additional waiting would work.

As for why pcapdroid works, I imagine the fact that it operates as an Android level VPN service gives it additional privileges, and network wise it removes the need for the CONNECT on the http side. TetherFi has no plans right now to become a VPN level application though, so for now, I believe allowing the timeout to be configurable is the best short term way forward

brlin-tw commented 3 weeks ago

@pyamsoft

I'd like to clarify that when PCAPdroid is capturing the network packets I'm still connecting the website via the HTTP proxy service TetherFi created, it kinda acts as a gateway between TetherFi and the external network to allow capturing all packets flows through it.

pyamsoft commented 3 weeks ago

Oh, so its basically "watching" but not actually doing anything to change the request? And suddenly the website just works? That is weird then.

Still, I believe it would be good to allow configuration of the timeout for other websites that behave poorly or slowly, so I will still continue with that option.

I will have to revisit the base idea then for why this occurs - this is a curious problem.

If it is ultimately that this specific website just doesn't like proxy connections, I'm not sure what else we can do here.

pyamsoft commented 3 weeks ago

Thank you for your patience and your consistently detailed bug reporting!

brlin-tw commented 3 weeks ago

@pyamsoft

Version 50/51 reduces this even further to 10 seconds to save memory.

I have patched the SOCKET_TIMEOUT_DURATION value of the server/src/main/java/com/pyamsoft/tetherfi/server/Utils.kt file to 3,600 seconds and rebuild the application from source, but the connection is still timeouted at around 2m10s.

pyamsoft commented 3 weeks ago

Thanks for trying :)

Given that it always times out at 2m 10 seconds, this must be something configured on the website's end. Tricky problem.

pyamsoft commented 3 weeks ago

Hello, further compounding the confusing problem is this

I just tried again this morning and got a normal request, perfectly fine, via curl

* Uses proxy env variable no_proxy == 'localhost,127.0.0.1,127.0.0.0/8'
* Uses proxy env variable https_proxy == 'http://192.168.49.1:8228'
*   Trying 192.168.49.1:8228...
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.nhi.gov.tw:443
> CONNECT www.nhi.gov.tw:443 HTTP/1.1
> Host: www.nhi.gov.tw:443
> User-Agent: curl/8.11.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / secp256r1 / rsaEncryption
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=TW; L=\U81FA\U5317\U5E02; O=\U885B\U751F\U798F\U5229\U90E8\U4E2D\U592E\U5065\U5EB7\U4FDD\U96AA\U7F72; CN=*.nhi.gov.tw
*  start date: Jul 17 10:56:26 2024 GMT
*  expire date: Aug 16 15:59:59 2025 GMT
*  subjectAltName: host "www.nhi.gov.tw" matched cert's "*.nhi.gov.tw"
*  issuer: C=TW; O=Chunghwa Telecom Co., Ltd.; OU=Public Certification Authority - G2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha1WithRSAEncryption
* Connected to 192.168.49.1 (192.168.49.1) port 8228
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.nhi.gov.tw
> User-Agent: curl/8.11.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Location: /ch/mp-1.html
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=edge
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Content-Security-Policy: form-action 'self';frame-ancestors 'self';default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ws.csptc.gov.tw nhifile-nhi.cdn.hinet.net i.ytimg.com www.google.com.tw *.googletagmanager.com www.google-analytics.com *.googleapis.com *.gstatic.com *.google.com *.facebook.com *.facebook.net *.doubleclick.net *.youtube.com;
< Date: Fri, 08 Nov 2024 18:05:01 GMT
< Set-Cookie: TS01bdd66b=01d4478401e67512c30e2687089932815a2ba5327e2908f10f4ff838a0b4e5f843f426f308ac70a477c70f4bf35ac1145120aacb6c; Path=/; Domain=.www.nhi.gov.tw
< Transfer-Encoding: chunked
<
* Connection #0 to host 192.168.49.1 left intact

I tried a second time, and it again worked completely fine.

I then tried again but this time going to http instead of httpS, and got the hanging behavior you describe. What a strange one.

pyamsoft commented 3 weeks ago

Actually now I'm getting connection problems on a normal connection, when I'm not using TetherFi

I think something is just "weird" with this specific website on this specific week.