reverse proxy mode for h2→h2c connections not working

Steps to reproduce the problem:
  1. Start listening on local port 8081 like this: nc -vl 8081
  2. Start mitmproxy like this: mitmdump --http2 --reverse http://localhost:8081
  3. Use nghttp to make a request like this: nghttp -v https://localhost:8080/
  4. mitmdump prints:
('::ffff:127.0.0.1', 39950, 0, 0): clientconnect
('::ffff:127.0.0.1', 39950, 0, 0): Traceback (most recent call last):
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/server.py", line 118, in handle
    root_layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/modes/reverse_proxy.py", line 13, in __call__
    layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/tls.py", line 383, in __call__
    layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/http2.py", line 325, in __call__
    self._initiate_server_conn()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/http2.py", line 111, in _initiate_server_conn
    self.connections[self.server_conn].initiate_connection()
KeyError: <ServerConnection: localhost:8081>

Traceback (most recent call last):
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/server.py", line 118, in handle
    root_layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/modes/reverse_proxy.py", line 13, in __call__
    layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/tls.py", line 383, in __call__
    layer()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/http2.py", line 325, in __call__
    self._initiate_server_conn()
  File "/home/vasiliy/tmp/env8/lib/python3.5/site-packages/mitmproxy/proxy/protocol/http2.py", line 111, in _initiate_server_conn
    self.connections[self.server_conn].initiate_connection()
KeyError: <ServerConnection: localhost:8081>

mitmproxy has crashed!
Please lodge a bug report at: https://github.com/mitmproxy/mitmproxy
('::ffff:127.0.0.1', 39950, 0, 0): clientdisconnect

Meanwhile, nghttp prints that it has sent a bunch of HTTP/2 frames, but not received any.

Meanwhile, no connections are made to port 8081.

Any other comments? What have you tried so far?

I’m not sure what I would expect to happen. What I would like to happen is that mitmproxy talk cleartext HTTP/2 (direct or upgrading) to port 8081, and talk HTTP/2-over-TLS to nghttp.

If I use a Web browser instead of nghttp, then mitmproxy talks cleartext HTTP/1.1 to port 8081, and talks HTTP/1.1-over-TLS to the browser.

See also #2116.

System information

(this is mitmproxy master)

Mitmproxy version: 3.0.0 (release version)
Python version: 3.5.2
Platform: Linux-4.4.0-65-generic-x86_64-with-Ubuntu-16.04-xenial
SSL version: OpenSSL 1.0.2g 1 Mar 2016
Linux distro: Ubuntu 16.04 xenial
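An added example, not part of the original issue and not mitmproxy code: a listener that can stand in for `nc -vl 8081` in step 1 and report which protocol the proxy opens toward the cleartext upstream (direct h2c, an HTTP/1.1 request offering `Upgrade: h2c`, plain HTTP/1.1, or TLS). The names `classify_upstream` and `listen_once` are hypothetical, chosen for this illustration.

```python
import socket

# Added example, not mitmproxy code. Client preface from RFC 7540 section 3.5.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

def _tokens(headers, name):
    return {t.strip() for v in headers.get(name, []) for t in v.split(b",")}

def classify_upstream(first: bytes) -> str:
    if first.startswith(H2_PREFACE):
        return "h2c-direct"          # prior-knowledge cleartext HTTP/2
    if first[:1] == b"\x16":
        return "tls"                 # TLS handshake record, not cleartext
    head, sep, _ = first.partition(b"\r\n\r\n")
    if H2_PREFACE.startswith(first) or not sep:
        return "incomplete"          # partial preface or unfinished header block
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return "unknown"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), []).append(value.strip().lower())
    # RFC 7540 3.2: Upgrade: h2c, one HTTP2-Settings, both named in Connection.
    if (b"h2c" in _tokens(headers, b"upgrade")
            and {b"upgrade", b"http2-settings"} <= _tokens(headers, b"connection")
            and len(headers.get(b"http2-settings", [])) == 1):
        return "h2c-upgrade"
    return "http/1.x"

def listen_once(port: int = 8081, timeout: float = 5.0) -> str:
    with socket.create_server(("127.0.0.1", port)) as srv:
        conn, _ = srv.accept()
    with conn:
        conn.settimeout(timeout)
        data = b""
        try:
            while classify_upstream(data) == "incomplete":
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return classify_upstream(data)

if __name__ == "__main__":
    print(listen_once())
```

If no upstream connection is made at all, as in this report, `listen_once()` simply blocks in `accept()`.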

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 9 (5 by maintainers)

Top GitHub Comments

1 reaction
vfaronov commented, Mar 8, 2017

I took the liberty to edit the title, because reverse proxy mode for h2→h2 definitely does work for me. It’s only when I try to do strange things that I get strange results 😃

0 reactions
TuomasKiviaho commented, Sep 12, 2017

However I think this would probably make the h2-internals in mitmproxy overly complex for a rarely used feature (I guess?)

I was trying to do similar TLS offloading like what HAProxy is capable of providing to Jetty (https://www.eclipse.org/jetty/documentation/9.3.x/http2-enabling.html and https://www.eclipse.org/jetty/documentation/9.4.x/http2-configuring-haproxy.html), but apparently that’s not possible.

@mhils suggested force_alpn at https://discourse.mitmproxy.org/t/using-mitmproxy-to-terminate-tls-for-http-2/404 and that still puzzles me. Would it be possible to make TLS offloading possible (alpn+h2) without even needing h2c?
