Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: try next proxy if dial proxy failed #32253

Closed
oiooj opened this issue May 26, 2019 · 4 comments
Closed

cmd/go: try next proxy if dial proxy failed #32253

oiooj opened this issue May 26, 2019 · 4 comments
Labels
FeatureRequest FrozenDueToAge modules

Comments

@oiooj
Copy link
Member

oiooj commented May 26, 2019
edited

if we got dial error when using the proxy lists, we should try next proxy. Now only 404 and 410 will try next proxy.

Get https://proxy.golang.org: dial tcp 172.217.24.14:80: i/o timeout

We can wrap dial op error as a no exist error to implement it.

As default lists https://proxy.golang.org,direct, if some users can't access https://proxy.golang.org, they will fall back to direct, maybe we should custom the timeout para, maybe not.

/cc @rsc @bcmills
@oiooj oiooj assigned rsc and unassigned rsc May 26, 2019
@hyangah
Copy link
Contributor

hyangah commented May 28, 2019

My personal preference is not to try the next proxy if the first proxy fails or isn't reachable - so the user knows the failure situation and chooses to explicitly opt out to the next proxy or gets alerted.

If we fallback to the next proxy silently in case the first proxy fails to responds, it can lead to unexpected leakage of private module paths. There could be other security implication but I will let @FiloSottile chime in.

@FiloSottile
Copy link
Contributor

I can see a pretty bad scenario like

GOPROXY=http://proxy.internal,https://proxy.untrusted.example
GONOSUMDB=company.internal/foo

Since GONOSUMDB is not scoped per proxy, this would let the fallback proxy provide arbitrary answers for company.internal/foo if http://proxy.internal is unreachable. That's pretty much unacceptable.

@bcmills
Copy link
Contributor

bcmills commented May 28, 2019

#31913 (comment) also applies to this failure mode.

(We know that the current proxy behavior is not ideal for users in China, but that's tracked separately in #31755.)

@bcmills
Copy link
Contributor

bcmills commented May 28, 2019

Duplicate of #31913

@bcmills bcmills marked this as a duplicate of #31913 May 28, 2019
@bcmills bcmills closed this as completed May 28, 2019
@golang golang locked and limited conversation to collaborators May 27, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FeatureRequest FrozenDueToAge modules
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rsc @FiloSottile @oiooj @hyangah @bcmills @gopherbot