zhuhaow / SpechtLite

A rule-based proxy for macOS
GNU General Public License v3.0

Unable to proxy through for https://ajax.googleapis.com #80

Closed. imcotton closed this issue 6 years ago.

imcotton commented 6 years ago

This happens recently; it seems to have to do with SNI in SSL?

SpechtLite's listening port is 7788 for the HTTP proxy and 7789 for the SOCKS5 proxy; another regular SOCKS5 proxy is listening on port 8000 for comparison.

SpechtLite http proxy:

curl -vI -x http://localhost:7788     https://ajax.googleapis.com
* Rebuilt URL to: https://ajax.googleapis.com/
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 7788 (#0)
* Establish HTTP proxy tunnel to ajax.googleapis.com:443
> CONNECT ajax.googleapis.com:443 HTTP/1.1
> Host: ajax.googleapis.com:443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection Established
< 

* Proxy replied OK to CONNECT request
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

SpechtLite socks5 proxy:

curl -vI -x socks5h://localhost:7789     https://ajax.googleapis.com
* Rebuilt URL to: https://ajax.googleapis.com/
*   Trying ::1...
* TCP_NODELAY set
* SOCKS5 communication to ajax.googleapis.com:443
* SOCKS5 request granted.
* Connected to localhost (::1) port 7789 (#0)
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake

Regular socks5 proxy:

curl -vI -x socks5h://localhost:8000     https://ajax.googleapis.com
* Rebuilt URL to: https://ajax.googleapis.com/
*   Trying ::1...
* TCP_NODELAY set
* SOCKS5 communication to ajax.googleapis.com:443
* SOCKS5 request granted.
* Connected to localhost (::1) port 8000 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.googleapis.com
* Server certificate: Google Internet Authority G3
* Server certificate: GlobalSign
> HEAD / HTTP/1.1
> Host: ajax.googleapis.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Location: https://developers.google.com/speed/libraries/devguide
< Cache-Control: private
< Content-Type: text/html; charset=UTF-8
< X-Content-Type-Options: nosniff
< Date: Mon, 02 Jul 2018 04:28:56 GMT
< Server: sffe
< Content-Length: 251
< X-XSS-Protection: 1; mode=block

< 
* Connection #0 to host localhost left intact
zhuhaow commented 6 years ago

What does the log say? What rule are you using? Have you tried to use an “all” rule?

imcotton commented 6 years ago

log says

Request: ajax.googleapis.com Type: SpeedAdapter Rule: my rules are mostly from the sample in the readme file

just changed to only use the all rule, got the same result

zhuhaow commented 6 years ago

Try not to use speed adapter

imcotton commented 6 years ago

Try not to use speed adapter

That did the trick, thanks a lot!

Oddly, my rules have not been changed for a long time, yet this behavior only occurred recently, and to this domain in particular.

Shall I close this issue or leave it open for further investigation (in case you might have clues in mind)?

zhuhaow commented 6 years ago

You should check what the domain resolve to, is it a genuine address? If it’s not, can you connect to it?


imcotton commented 6 years ago

This domain is legit; I'm trying to get things like

https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js

which lots of 3rd-party sites have been using.

It is this site specifically that has been giving me the trouble.

zhuhaow commented 6 years ago

Try dig ajax.googleapis.com


imcotton commented 6 years ago
dig ajax.googleapis.com

; <<>> DiG 9.8.3-P1 <<>> ajax.googleapis.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53404
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ajax.googleapis.com.       IN  A

;; ANSWER SECTION:
ajax.googleapis.com.    1041    IN  CNAME   googleapis.l.google.com.
googleapis.l.google.com. 300    IN  A   172.217.24.10
googleapis.l.google.com. 300    IN  A   216.58.200.42
googleapis.l.google.com. 300    IN  A   172.217.160.74
googleapis.l.google.com. 300    IN  A   216.58.200.234
googleapis.l.google.com. 300    IN  A   172.217.27.138
googleapis.l.google.com. 300    IN  A   172.217.160.106

;; Query time: 16 msec
;; SERVER: 192.168.11.1#53(192.168.11.1)
;; WHEN: Mon Jul  2 22:06:24 2018
;; MSG SIZE  rcvd: 167
zhuhaow commented 6 years ago

Try telnet or nc to these addresses and see if you can connect to any.


imcotton commented 6 years ago
telnet ajax.googleapis.com 443
Trying 216.58.200.42...
Connected to googleapis.l.google.com.
Escape character is '^]'.

The connection has been made; it's just hard to issue a TLS handshake inside telnet, I guess.

zhuhaow commented 6 years ago

Try pinging this address or visiting it directly in a browser without the proxy.


imcotton commented 6 years ago
t=65848 [st=0] +SOCKET_ALIVE  [dt=8]
                --> source_dependency = 118592 (TRANSPORT_CONNECT_JOB)
t=65848 [st=0]   +TCP_CONNECT  [dt=4]
                  --> address_list = ["172.217.24.10:443","172.217.160.74:443","172.217.160.106:443"]
t=65848 [st=0]      TCP_CONNECT_ATTEMPT  [dt=4]
                    --> address = "172.217.24.10:443"
t=65852 [st=4]   -TCP_CONNECT
                  --> source_address = "192.168.11.65:50948"
t=65853 [st=5]   +SOCKET_IN_USE  [dt=3]
                  --> source_dependency = 118591 (SSL_CONNECT_JOB)
t=65853 [st=5]     +SSL_CONNECT  [dt=3]
t=65853 [st=5]        SSL_HANDSHAKE_MESSAGE_SENT
                      --> hex_encoded_bytes =
                        01 00 00 C6 03 03 8E F3  56 D2 CD 6F 4E A8 92 27   .  .....V..oN..'
                        6D 8D B2 53 34 2D 34 5C  68 1F A4 9E 69 D5 FE 83   m..S4-4\h...i...
                        9B 30 D7 C4 6C 5C 00 00  1C 9A 9A C0 2B C0 2F C0   .0..l\  ....+./.
                        2C C0 30 CC A9 CC A8 C0  13 C0 14 00 9C 00 9D 00   ,.0........ . . 
                        2F 00 35 00 0A 01 00 00  81 2A 2A 00 00 FF 01 00   / 5 ..  .**  .. 
                        01 00 00 00 00 18 00 16  00 00 13 61 6A 61 78 2E   .    . .  .ajax.
                        67 6F 6F 67 6C 65 61 70  69 73 2E 63 6F 6D 00 17   googleapis.com .
                        00 00 00 23 00 00 00 0D  00 14 00 12 04 03 08 04      #   . . .....
                        04 01 05 03 08 05 05 01  08 06 06 01 02 01 00 05   .............. .
                        00 05 01 00 00 00 00 00  12 00 00 00 10 00 0E 00    ..     .   . . 
                        0C 02 68 32 08 68 74 74  70 2F 31 2E 31 75 50 00   ..h2.http/1.1uP 
                        00 00 0B 00 02 01 00 00  0A 00 0A 00 08 FA FA 00     . ..  . . ... 
                        1D 00 17 00 18 DA DA 00  01 00                     . . ... . 
                      --> type = 1
t=65853 [st=5]        SOCKET_BYTES_SENT
                      --> byte_count = 207
t=65856 [st=8]        SOCKET_READ_ERROR
                      --> net_error = -101 (ERR_CONNECTION_RESET)
                      --> os_error = 54
t=65856 [st=8]        SSL_HANDSHAKE_ERROR
                      --> error_lib = 33
                      --> error_reason = 101
                      --> file = "../../net/socket/socket_bio_adapter.cc"
                      --> line = 154
                      --> net_error = -101 (ERR_CONNECTION_RESET)
                      --> ssl_error = 1
t=65856 [st=8]     -SSL_CONNECT
                    --> net_error = -101 (ERR_CONNECTION_RESET)
t=65856 [st=8]   -SOCKET_IN_USE
t=65856 [st=8] -SOCKET_ALIVE

Without the proxy I get ERR_CONNECTION_RESET in the SSL phase for sure.

zhuhaow commented 6 years ago

So for some reason this address is not blocked, but the firewall is still actively monitoring the domain in the TLS handshake.

There is nothing wrong with SpechtLite, and you can close the issue.

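The net-internals dump above and the diagnosis that follows it make the same point: the TCP connect to a genuine Google address succeeds, the browser sends a ClientHello, and the connection is reset before any ServerHello arrives. Everything a middlebox needs to make that decision sits in cleartext in the ClientHello, most usefully the server_name (SNI) extension. The script below is an added example, not code from SpechtLite or from either participant. It parses the exact 202 handshake bytes copied from the dump (the 5-byte TLS record header is not in the dump; 207 bytes sent = 5 + 202), extracting the negotiated version, cipher suites, SNI and ALPN list so the visible hostname is explicit. It then builds a minimal ClientHello with or without an SNI and gives a `probe`/`diagnose` pair (hypothetical names, stdlib only) that sends it to one of the addresses from the `dig` answer: a reset only when the SNI is present, with a normal answer when it is absent, is the signature of SNI-based filtering rather than an IP block. `probe` and `diagnose` need the network and are not exercised offline.

```python
"""Added example: parse the ClientHello from the thread's net-internals dump and probe an
address with a chosen SNI so an SNI-triggered RST can be told apart from a plain TCP block."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

# The 202-byte ClientHello handshake message copied from the dump above (no record header).
CAPTURED_CLIENT_HELLO = bytes.fromhex(
    "010000c603038ef356d2cd6f4ea89227" "6d8db253342d345c681fa49e69d5fe83"
    "9b30d7c46c5c00001c9a9ac02bc02fc0" "2cc030cca9cca8c013c014009c009d00"
    "2f0035000a010000812a2a0000ff0100" "0100000000180016000013616a61782e"
    "676f6f676c65617069732e636f6d0017" "000000230000000d0014001204030804"
    "04010503080505010806060102010005" "00050100000000001200000010000e00"
    "0c02683208687474702f312e31755000" "00000b00020100000a000a0008fafa00"
    "1d00170018dada000100"
)

SERVER_NAME_EXT = 0x0000
ALPN_EXT = 0x0010


@dataclass
class ClientHello:
    version: tuple
    cipher_suites: List[int]
    sni: Optional[str]
    alpn: List[str]


def _u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_client_hello(msg: bytes) -> ClientHello:
    """Parse a ClientHello given as a bare handshake message or wrapped in a TLS record."""
    if msg[0] == 0x16:                       # TLS record header: type(1) version(2) length(2)
        msg = msg[5:5 + _u16(msg, 3)]
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                             # legacy_version + 32-byte random
    pos += 1 + body[pos]                     # legacy_session_id
    cs_len = _u16(body, pos); pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                     # compression_methods
    sni, alpn = None, []
    if pos < len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SERVER_NAME_EXT:     # list_len(2) name_type(1) name_len(2) name
                sni = edata[5:5 + _u16(edata, 3)].decode("ascii")
            elif etype == ALPN_EXT:          # list_len(2) then length-prefixed protocol names
                i = 2
                while i < len(edata):
                    alpn.append(edata[i + 1:i + 1 + edata[i]].decode("ascii"))
                    i += 1 + edata[i]
    return ClientHello(version, suites, sni, alpn)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record; sni=None sends no server_name extension."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", SERVER_NAME_EXT, len(lst)) + lst
    groups = struct.pack("!HHH", 0x001D, 0x0017, 0x0018)             # x25519, P-256, P-384
    ext += struct.pack("!HHH", 0x000A, len(groups) + 2, len(groups)) + groups
    sigalgs = struct.pack("!HHH", 0x0403, 0x0804, 0x0401)
    ext += struct.pack("!HHH", 0x000D, len(sigalgs) + 2, len(sigalgs)) + sigalgs
    suites = struct.pack("!HH", 0xC02F, 0xC02B)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, no session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def probe(ip: str, sni: Optional[str], port: int = 443, timeout: float = 5.0) -> str:
    """Send one ClientHello to ip:port and classify the first thing that comes back.
    Network-dependent (hypothetical helper); the offline test does not call it."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sni))
        try:
            data = s.recv(5)
        except ConnectionResetError:         # RST right after the ClientHello (errno 54 on macOS)
            return "reset"
        except socket.timeout:
            return "timeout"
    if not data:
        return "closed"
    return {0x16: "server_hello", 0x15: "tls_alert"}.get(data[0], "unexpected")


def diagnose(ip: str, hostname: str) -> str:
    """Reset with SNI but an answer without it points at SNI-based filtering, not an IP block."""
    with_sni, without_sni = probe(ip, hostname), probe(ip, None)
    if with_sni == "reset" and without_sni != "reset":
        return "sni-triggered reset"
    if with_sni == without_sni == "reset":
        return "reset regardless of SNI"
    return f"with SNI: {with_sni}, without SNI: {without_sni}"


if __name__ == "__main__":
    hello = parse_client_hello(CAPTURED_CLIENT_HELLO)
    print("SNI visible in cleartext:", hello.sni, "ALPN:", hello.alpn)
    # From the reporter's network: diagnose("216.58.200.42", "ajax.googleapis.com")
```

Run from a network that behaves like the reporter's and `diagnose` will report `sni-triggered reset` for an address that `telnet` and `nc` reach fine; the same experiment can be done by hand with `openssl s_client -connect 216.58.200.42:443 -servername ajax.googleapis.com` versus `-noservername`. The `os_error = 54` in the Chrome log is ECONNRESET on macOS, which is what `probe` maps to `reset`. Note that this is why a proxy that races a direct connection against a tunnelled one (the SpeedAdapter in this thread) can pick the direct path, since the TCP connect wins, and then fail once the ClientHello goes out.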

imcotton commented 6 years ago

Okay, thanks for helping out 👍