Opened 8 months ago

Closed 5 weeks ago

Last modified 3 weeks ago

#27821 closed enhancement (fixed)

HTTPTunnelPort "405 Method Not Allowed" page should say "this is not an HTTP Proxy"

Reported by: traumschule
Owned by:
Priority: Medium
Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: reviewer-was-teor-20190422
Cc: hans@…
Actual Points: 0.1
Parent ID:
Points: 0.1
Reviewer:
Sponsor:

Description

Using HTTPTunnelPort gives "Method Not Allowed" for http and ftp with wget and curl. If this usage is not supported we should expand the manual to show how to use it correctly.

tor.info.log

[info] {NET} connection_handle_listener_read(): New SOCKS connection opened from 127.0.0.1.
[info] {EDGE} connection_ap_process_http_connect(): HTTP tunnel error: saying "HTTP/1.0 405 Method Not Allowed\r\n\r\n"
[info] {NET} connection_handle_listener_read(): New SOCKS connection opened from 127.0.0.1.
[info] {EDGE} connection_ap_process_http_connect(): HTTP tunnel error: saying "HTTP/1.0 405 Method Not Allowed\r\n\r\n"

wget

$ http_proxy=127.0.0.1:9099 ftp_proxy=$http_proxy wget ftp://debian.org http://debian.org
--2018-09-22 17:34:47--  ftp://debian.org/
Connecting to 127.0.0.1:9099... connected.
Proxy request sent, awaiting response... 405 Method Not Allowed
2018-09-22 17:34:47 ERROR 405: Method Not Allowed.

--2018-09-22 17:34:47--  http://debian.org/
Connecting to 127.0.0.1:9099... connected.
Proxy request sent, awaiting response... 405 Method Not Allowed
2018-09-22 17:34:47 ERROR 405: Method Not Allowed.

curl

$ http_proxy=127.0.0.1:9099 ftp_proxy=$http_proxy  curl -v ftp://debian.org http://debian.org
* Rebuilt URL to: ftp://debian.org/
* Uses proxy env variable ftp_proxy == '127.0.0.1:9099'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9099 (#0)
> GET ftp://debian.org/ HTTP/1.1
> Host: debian.org:21
> User-Agent: curl/7.61.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 405 Method Not Allowed
<
* Closing connection 0
* Rebuilt URL to: http://debian.org/
* Uses proxy env variable http_proxy == '127.0.0.1:9099'
* Hostname 127.0.0.1 was found in DNS cache
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9099 (#1)
> GET http://debian.org/ HTTP/1.1
> Host: debian.org
> User-Agent: curl/7.61.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* HTTP 1.0, assume close after body
< HTTP/1.0 405 Method Not Allowed
<
* Closing connection 1

Attachments (1)

HTTP_CONNECT_is_not_an_HTTP_proxy.patch (1.8 KB) - added by eighthave 7 weeks ago.

Change History (16)

comment:1 Changed 8 months ago by nickm

Right -- GET and POST and everything else won't work. This is only for CONNECT requests.

comment:2 Changed 8 months ago by traumschule

ok, then it just needs a friendly message to instead use a client that supports #22407.

comment:3 Changed 8 months ago by dgoulet

Parent ID: #26470
Resolution: not a bug
Status: new → closed

HTTP/1.0 405 Method Not Allowed is probably the proper returned code format for HTTP.

The man page does mention quite clearly that it only supports "CONNECT" method...

Open this port to listen for proxy connections using the "HTTP CONNECT" protocol instead of SOCKS.

comment:4 Changed 8 months ago by traumschule

Type: defect → enhancement

This is the message I get using the SOCKSPORT. Could we give a similar message for HTTPTunnelPort as well?

$ http_proxy=localhost:9050 curl torproject.org|cat
<html>
<head>
<title>This is a SOCKS Proxy, Not An HTTP Proxy</title>
</head>
<body>
<h1>This is a SOCKs proxy, not an HTTP proxy.</h1>
<p>
It appears you have configured your web browser to use this Tor port as
an HTTP proxy.
</p><p>
This is not correct: This port is configured as a SOCKS proxy, not
an HTTP proxy. If you need an HTTP proxy tunnel, use the HTTPTunnelPort
configuration option in place of, or in addition to, SOCKSPort.
Please configure your client accordingly.
</p>
<p>
See <a href="https://www.torproject.org/documentation.html">https://www.torproject.org/documentation.html</a> for more information.
</p>
</body>
</html>

comment:5 Changed 3 months ago by eighthave

I agree, the error page should be improved, since this is a really common misconception.

@traumschule did you try curl --proxytunnel, which then makes curl use HTTP CONNECT?

comment:6 Changed 3 months ago by eighthave

Cc: hans@… added
Resolution: not a bug
Status: closed → reopened
Summary: HTTP tunnel error: saying "HTTP/1.0 405 Method Not Allowed → HTTPTunnelPort "405 Method Not Allowed" page should say "this is not an HTTP Proxy"

The 405 error page should say something like "This is not an HTTP Proxy, this is an HTTP CONNECT tunnel. Please configure your client accordingly"
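
The proxy/tunnel distinction discussed in this thread, as an added example (not Tor's code and not part of the ticket): a C sketch that classifies a request line the way a CONNECT-only port has to, giving 405 for the absolute-URI GET requests curl sent in the description and accepting only authority-form CONNECT host:port. The function name, the verdict codes and the 400 result for a malformed CONNECT target are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical verdict codes for this sketch (not Tor identifiers). */
enum verdict { TUNNEL_OK = 200, BAD_REQUEST = 400, NOT_CONNECT = 405 };

/* Classify the first line of a request sent to a CONNECT-only port.
 * On TUNNEL_OK, host and *port receive the requested target. */
enum verdict classify_request_line(const char *line, char *host,
                                   size_t hostlen, unsigned *port)
{
  char method[16], target[256], version[16], *colon, *end = NULL;
  /* Request line: METHOD SP request-target SP HTTP-version */
  if (sscanf(line, "%15s %255s %15s", method, target, version) != 3 ||
      strncmp(version, "HTTP/", 5) != 0)
    return BAD_REQUEST;
  /* Case-insensitive method test, like the strcasecmp() check in the
   * ticket's patch: anything but CONNECT is answered with 405. */
  if (strcasecmp(method, "connect") != 0)
    return NOT_CONNECT;
  /* CONNECT takes authority-form "host:port", never a URL with a scheme. */
  colon = strrchr(target, ':');
  if (strstr(target, "://") || !colon || colon == target ||
      !isdigit((unsigned char)colon[1]))
    return BAD_REQUEST;
  unsigned long p = strtoul(colon + 1, &end, 10);
  size_t n = (size_t)(colon - target);
  if (*end != '\0' || p == 0 || p > 65535 || n >= hostlen)
    return BAD_REQUEST;
  memcpy(host, target, n);
  host[n] = '\0';
  *port = (unsigned)p;
  return TUNNEL_OK;
}

int main(void)
{
  /* The two GET lines are what curl sent above; the CONNECT is constructed. */
  const char *samples[] = { "GET http://debian.org/ HTTP/1.1",
                            "GET ftp://debian.org/ HTTP/1.1",
                            "CONNECT debian.org:443 HTTP/1.1" };
  char host[256]; unsigned port = 0;
  for (size_t i = 0; i < 3; i++)
    printf("%d  %s\n", classify_request_line(samples[i], host, sizeof host,
                                             &port), samples[i]);
  return 0;
}
```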

comment:7 Changed 3 months ago by nickm

I'd welcome a patch here. The string to change would be the one in src/core/or/connection_edge.c ; please see coding and patching guidelines in doc/HACKING.

comment:8 Changed 7 weeks ago by eighthave

Here's a patch (also attached):

diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index 071a8c91e..4f7cbafe0 100644
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -2810,6 +2810,31 @@ connection_ap_process_natd(entry_connection_t *conn)
   return connection_ap_rewrite_and_attach_if_allowed(conn, NULL, NULL);
 }
 
+static const char HTTP_CONNECT_IS_NOT_AN_HTTP_PROXY_MSG[] =
+  "HTTP/1.0 405 Method Not Allowed\r\n";
+  "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
+  "<html>\n"
+  "<head>\n"
+  "<title>This is an HTTP CONNECT tunnel, not an full HTTP Proxy</title>\n"
+  "</head>\n"
+  "<body>\n"
+  "<h1>This is an HTTP CONNECT tunnel, not an HTTP proxy.</h1>\n"
+  "<p>\n"
+  "It appears you have configured your web browser to use this Tor port as\n"
+  "an HTTP proxy.\n"
+  "</p><p>\n"
+  "This is not correct: This port is configured as a CONNECT tunnel, not\n"
+  "an HTTP proxy. Please configure your client accordingly.  You can also\n"
+  "use HTTPS, then the client should automatically use HTTP CONNECT."
+  "</p>\n"
+  "<p>\n"
+  "See <a href=\"https://www.torproject.org/documentation.html\">"
+  "https://www.torproject.org/documentation.html</a> for more "
+  "information.\n"
+  "</p>\n"
+  "</body>\n"
+  "</html>\n";
+
 /** Called on an HTTP CONNECT entry connection when some bytes have arrived,
  * but we have not yet received a full HTTP CONNECT request.  Try to parse an
  * HTTP CONNECT request from the connection's inbuf.  On success, set up the
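
Review bot: The stray semicolon after the status line ("HTTP/1.0 405 Method Not Allowed\r\n";) ends the initializer of HTTP_CONNECT_IS_NOT_AN_HTTP_PROXY_MSG right there, so the Content-Type header and the whole HTML body that follow are left outside the constant and the file will not compile; drop that semicolon so the adjacent literals concatenate. In the same string, the title reads "an full HTTP Proxy" (should be "a full"), and the line ending in "use HTTP CONNECT." is the only body line without a trailing \n, so it runs straight into "</p>". The text also assumes a "web browser", while the same response goes to any client that sends a non-CONNECT method, such as the wget and curl runs in the description; "client" would be more accurate.
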
@@ -2850,7 +2875,7 @@ connection_ap_process_http_connect(entry_connection_t *conn)
   tor_assert(command);
   tor_assert(addrport);
   if (strcasecmp(command, "connect")) {
-    errmsg = "HTTP/1.0 405 Method Not Allowed\r\n\r\n";
+    errmsg = HTTP_CONNECT_IS_NOT_AN_HTTP_PROXY_MSG;
     goto err;
   }
 
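
Review bot: In connection_ap_process_http_connect(), errmsg now points at the full HTML page rather than a one-line status, and the info log quoted in the description prints the error string verbatim (HTTP tunnel error: saying "HTTP/1.0 405 Method Not Allowed\r\n\r\n"). If the err path still logs errmsg that way, every mistaken GET will write the entire page into the log; consider logging only the status line there and sending the long body separately. The hunk also adds no test that a non-CONNECT method receives the new body.
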

Changed 7 weeks ago by eighthave

comment:9 Changed 7 weeks ago by nickm

Milestone: Tor: 0.4.1.x-final
Status: reopened → needs_review

comment:10 Changed 6 weeks ago by asn

Reviewer: teor

comment:11 Changed 5 weeks ago by teor

Actual Points: 0.1
Points: 0.1
Status: needs_review → merge_ready

Thanks for this patch!

I made a pull request, and added a changes file:
https://github.com/torproject/tor/pull/962

We can merge it when CI passes.

comment:12 Changed 5 weeks ago by teor

There was a typo in the patch, and we need to accept 25 extra lines of string constant for practracker.

We should think about how to split up connection_edge.c. And how to split out long character constants. And how to localise them.

comment:13 Changed 5 weeks ago by teor

Keywords: reviewer-was-teor-20190422 added
Reviewer: teor

If these tickets go back in to needs_review, and I am on leave, they will need another reviewer.

comment:14 Changed 5 weeks ago by nickm

Resolution: fixed
Status: merge_ready → closed

Merged to master.

comment:15 Changed 3 weeks ago by ageisp0lis

ha, thanks for this ticket; it confused me and I totally thought this was an HTTP proxy (would be nice to have, wouldn't it? Polipo and Privoxy aren't perfect and I'm sure the Tor developer community could do a great job)
