Infinite recursion upon a `GET /` about goproxy HOT 8 CLOSED

The most stable way to do this would be to have a list of local addresses (net.InterfaceAddrs()?), then possibly do an DNS lookup for every request, then check whether that resolves to a local address and the IP the proxy is bound to. If it does, cancel the request.

However, an additional DNS lookup on every request sounds costly.

from goproxy.

It shouldn't happen, since the request goproxy send is not a proxy request
(ie, it is GET / instead of GET http://localost/).

I'll investigate.

On Tue, Jun 17, 2014 at 9:08 PM, Justinas Stankevičius <
[email protected]> wrote:

The most stable way to do this would be to have a list of local addresses (
net.InterfaceAddrs()?), then possibly do an DNS lookup for every request,
then check whether that resolves to a local address and the IP the proxy is
bound to. If it does, cancel the request.

However, an additional DNS lookup on every request sounds costly.

—
Reply to this email directly or view it on GitHub
#53 (comment).

from goproxy.

I decided that disallowing direct proxy requests is the best solution, since you can't always know whether or not the request was directed to you. Let me know if it works for you now.

Thanks for the bug report.

from goproxy.

Seems like I was overcomplicating the issue. It seems to work now. Thanks for the quick fix! 👍

from goproxy.

This fix breaks transparent proxy support as is noted in #26

from goproxy.

@mzimmerman what do you suggest? Setting to enable transparent proxy? Note that transparent proxy won't work for HTTP 1.0 request without Host header.

from goproxy.

@elazarl I wasn't sure, I was hoping you could tell me! :) I've just started looking at your code today. I'm trying to implement a successor to whitetrash which is a proxy with liberal whitelist for purposes of defending against malware. It hasn't been updated in several years and is written in python. If I'm going to update it, I'd rather do it in Go.

Just starting with the basics, I ran into the lack of support for transparent proxying through iptables. Implementing what you had in 3831094 fixes it for me, but it breaks some tests.

from goproxy.

@mzimmerman hmmm... there are conflicting requirements here. On the one hand, you might want to act like a proxy, and refuse non-proxy direct requests, as squid would. On the other hand, when you're acting like a transparent proxy, you do want to respond to transparent requests.

At any rate, you never want the feedback loop.

What I suggest is, have a Transparent property to the proxy, and detect self connections, by, e.g., adding a header to the request, or, by letting the proxy know on which address it listens.

from goproxy.