Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: add logging before returning error 400 HTTP request to HTTPS server #66501

Closed
1f604 opened this issue Mar 23, 2024 · 11 comments
Closed

net/http: add logging before returning error 400 HTTP request to HTTPS server #66501

1f604 opened this issue Mar 23, 2024 · 11 comments
Milestone
Proposal

Comments

@1f604
Copy link

1f604 commented Mar 23, 2024
edited

Proposal Details

Proposal

This proposal is specifically talking about this line of code here:

go/src/net/http/server.go

Line 1926 in c2c4a32

io.WriteString(re.Conn, "HTTP/1.0 400 Bad Request\r\n\r\nClient sent an HTTP request to an HTTPS server.\n")

My proposal is to add a line writing some error message to logs before returning the 400 error.

Motivation

Spent almost an hour today tracking down a bug which turned out to be due to Cloudflare proxy sending plain HTTP traffic (decrypted from TLS traffic) to my Go server which serves TLS.

It turns out that ListenAndServeTLS doesn't log any error messages when it receives a HTTP request, instead it just sends error: "Client sent an HTTP request to an HTTPS server." back to the client.

The problem is that my web browsers (tried both Firefox and Chrome, same result) don't display the message at all, it just shows an error 400 and that's it.

And in my Go program, there is no indication that it received any packets - no logging and there is no ability for me to add any logging to it at all.

I think the ideal solution would be to allow users to specify whether they want logging here, since some users might want it and some users might not.

But the simplest fix is to just add the logging for now.
@1f604 1f604 added the Proposal label Mar 23, 2024
@gopherbot gopherbot added this to the Proposal milestone Mar 23, 2024
@gopherbot
Copy link

Change https://go.dev/cl/573995 mentions this issue: net/http: log error when HTTPS server receives HTTP request

@seankhliao
Copy link
Member

cc @neild

@1f604
Copy link
Author

1f604 commented Mar 23, 2024

Hi @seankhliao could you share your thoughts on this proposal?

I know you're not obligated to explain downvotes but other people would also benefit from you sharing your perspectives on this matter.

If the problem is that my proposal doesn't contain enough information then I'd be happy to add more information.

@AlexanderYastrebov
Copy link
Contributor

Previous related #56028

@mitar
Copy link
Contributor

mitar commented Mar 24, 2024

I think this is a duplicate of #49310 for which a draft CL already exists.

@1f604
Copy link
Author

1f604 commented Mar 24, 2024
edited

I think this is a duplicate of #49310 for which a draft CL already exists.

No, that proposal is about modifying the HTTP(S?) response to the client, whereas this proposal is about printing something to server's console via stdout/stderr.

@mitar
Copy link
Contributor

mitar commented Mar 24, 2024
edited

That proposal is of having a hook when this happens. You can also log in that hook, or not. You yourself wrote:

no logging and there is no ability for me to add any logging to it at all.

#49310 gives you that ability, or if current proposal in that issue is lacking/preventing you from using it to do logging, make a comment there.

@1f604
Copy link
Author

1f604 commented Mar 24, 2024

That proposal is of having a hook when this happens. You can also log in that hook, or not. You yourself wrote:

no logging and there is no ability for me to add any logging to it at all.

#49310 gives you that ability, or if current proposal in that issue is lacking/preventing you from using it to do logging, make a comment there.

Okay, I see so the idea is to allow users to write their own HttpOnHttpsPortErrorHandler func(conn net.Conn, requestBytes []byte) function that would have access to the net.Conn which would have the RemoteAddr.

Yes you're right that would allow me to achieve what I want here and it would be a more flexible solution compared to what I want to do.

@neild
Copy link
Contributor

neild commented Mar 25, 2024

We have an existing log line for TLS handshake errors, we just suppress it for requests that look like HTTP:

if re, ok := err.(tls.RecordHeaderError); ok && re.Conn != nil && tlsRecordHeaderLooksLikeHTTP(re.RecordHeader) {
  io.WriteString(re.Conn, "HTTP/1.0 400 Bad Request\r\n\r\nClient sent an HTTP request to an HTTPS server.\n")
  re.Conn.Close()
  return
}
c.server.logf("http: TLS handshake error from %s: %v", c.rwc.RemoteAddr(), err)

https://go.googlesource.com/go/+/refs/tags/go1.22.1/src/net/http/server.go#1930

If we're going to log some TLS handshake errors, I don't see any reason we shouldn't be logging all of them.

@neild neild removed the Proposal label Mar 25, 2024
@neild neild changed the title proposal: net/http: add logging before returning error 400 HTTP request to HTTPS server net/http: add logging before returning error 400 HTTP request to HTTPS server Mar 25, 2024
@neild
Copy link
Contributor

neild commented Mar 25, 2024

Unmarked as proposal, since I don't think this requires going through the proposal process. It's not an API change, and the behavioral change isn't particularly significant.

@gopherbot
Copy link

Change https://go.dev/cl/573979 mentions this issue: net/http: also log TLS errors which look like HTTP sent to an HTTPS port

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Proposal
Development

No branches or pull requests
6 participants
@neild @mitar @AlexanderYastrebov @gopherbot @1f604 @seankhliao