HTTPS requests in plaintext #284

Description

@indyjo

Context:
I noticed that a bug (apparently mapbox/node-pre-gyp#400, see this comment) caused node-pre-gyp to issue HTTPS requests in plaintext (without using CONNECT). My local tinyproxy instance then handles the request in a weird way.

Description:
When doing the following plaintext request to a local tinyproxy (which is configured to relay to an upstream proxy server), the result is very surprising:

$ netcat localhost 8888
GET https://github.com/ HTTP/1.1
Host: github.com

HTTP/1.0 301 Moved Permanently
Via: 1.0 proxy1.kuka.int.kuka.com:80 (Cisco-WSA/11.8.0-440), 1.1 tinyproxy (tinyproxy/1.8.4)
Location: https://github.com//github.com/
Date: Thu, 09 Jan 2020 11:47:44 GMT
Content-Length: 0

The weird part is the Location: response, where "github.com" has been duplicated. The exact point in the source code where this happens seems to be line 104 in transparent-proxy.c.

Tinyproxy will forward the request to its configured proxy server, and the request is already broken at that point:

GET http://github.com:80https://github.com/ HTTP/1.0
Host: github.com
Connection: close
Via: 1.1 tinyproxy (tinyproxy/1.8.4)

HTTP/1.0 301 Moved Permanently
Location: https://github.com//github.com/
Content-Length: 0
Date: Thu, 09 Jan 2020 11:47:44 GMT
Via: 1.0 proxy1.kuka.int.kuka.com:80 (Cisco-WSA/11.8.0-440)
Connection: close
Proxy-Connection: close

Whether the upstream proxy server's response makes sense or not is up for debate. The point is, tinyproxy creates a broken request.
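The malformed request line above, reproduced as an added example (this is not tinyproxy's code and not part of the original report): prefixing scheme, host and port onto a request target that is already an absolute URI yields exactly the forwarded string, and checking the target's form first avoids it. The function names and the policy of refusing non-`http://` absolute targets are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Naive rewrite: assumes the request target is always origin-form ("/path"). */
int rewrite_naive(const char *host, int port, const char *target,
                  char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "http://%s:%d%s", host, port, target);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Case-insensitive check that s begins with prefix. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Checked rewrite (assumed policy): prefix origin-form targets, pass http://
 * absolute-form targets through unchanged, refuse everything else (such as
 * https://, which needs CONNECT). Returns 0 on success, -1 otherwise. */
int rewrite_checked(const char *host, int port, const char *target,
                    char *out, size_t outlen)
{
    if (target[0] == '/')
        return rewrite_naive(host, port, target, out, outlen);
    if (has_prefix_ci(target, "http://")) {
        int n = snprintf(out, outlen, "%s", target);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }
    return -1;
}

int main(void)
{
    char buf[128];
    const char *t = "https://github.com/"; /* request target from the report */
    rewrite_naive("github.com", 80, t, buf, sizeof buf);
    printf("naive:   %s\n", buf);
    printf("checked: %d\n", rewrite_checked("github.com", 80, t, buf, sizeof buf));
    return 0;
}
```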
