@bearx3f bearx3f commented Aug 29, 2025

From #7651. After I tested the latest pull request, which I'd previously said passed, the proxy server still couldn't sign the certificate when deployed with the actual application. This was because the server didn't receive the remote server in the correct domain:port format, such as example.com:443. In this patch, I've fixed the CONNECT request to be correct.

I noticed this by observing the request sent by Curl, which sends:

CONNECT example.com:443 HTTP/1.0
Host: example.com:443

Originally, Libtorrent was sending:

CONNECT 23.220.75.232:443 HTTP/1.0
Host: example.com

In this original request, the Host header was missing the port, and the CONNECT method was sending an IP address instead of a domain name.

Copilot AI review requested due to automatic review settings August 29, 2025 03:06
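
The two requests from the description above, run through a small CONNECT checker of the kind a test proxy could apply. This is an added example, not code from this pull request or from libtorrent; `split_authority`, `check_connect` and the finding names are hypothetical, and the sample requests are constructed from the description.

```python
import ipaddress
import re

# host:port, or [IPv6]:port; the port is optional so its absence can be reported
AUTHORITY = re.compile(r"(?:\[([0-9A-Fa-f:.]+)\]|([^\[\]:]+))(?::(\d{1,5}))?", re.ASCII)

def split_authority(authority):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if absent."""
    m = AUTHORITY.fullmatch(authority)
    if not m:                                  # e.g. unbracketed IPv6, empty host
        raise ValueError("malformed authority: %r" % authority)
    port = int(m.group(3)) if m.group(3) else None
    if port is not None and not 0 < port < 65536:
        raise ValueError("port out of range: %r" % authority)
    return (m.group(1) or m.group(2)).lower(), port

def check_connect(raw):
    """Return findings for one CONNECT request head given as bytes."""
    lines = raw.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    headers = {}
    for line in lines[1:]:
        if not line:                           # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    t_host, t_port = split_authority(target)
    findings = []
    if t_port is None:
        findings.append("target-missing-port")
    try:                                       # a bare address hides the hostname
        ipaddress.ip_address(t_host)
        findings.append("target-is-ip-literal")
    except ValueError:
        pass
    if "host" not in headers:
        findings.append("host-header-missing")
    elif split_authority(headers["host"]) != (t_host, t_port):
        findings.append("host-header-mismatch")
    return findings

# Constructed from the two requests quoted in the PR description
CURL_FORM = b"CONNECT example.com:443 HTTP/1.0\r\nHost: example.com:443\r\n\r\n"
ORIGINAL_FORM = b"CONNECT 23.220.75.232:443 HTTP/1.0\r\nHost: example.com\r\n\r\n"
```

`check_connect(CURL_FORM)` returns no findings, while `check_connect(ORIGINAL_FORM)` reports both problems named in the description: an IP literal as the CONNECT target and a Host header that does not match it.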

Copilot AI left a comment

Pull Request Overview

This PR fixes the HTTP CONNECT header formatting for proxy connections to ensure proper SSL certificate verification. The changes address issues where the server was receiving IP addresses instead of domain names and missing port numbers in Host headers.

  • Modified the CONNECT request logic to use domain names instead of IP addresses when available
  • Added proper port number formatting to Host headers following HTTP standards
  • Implemented IPv6 address handling for bracketed and non-bracketed formats

@bearx3f bearx3f force-pushed the send_host_in_connect_fix branch from d1a69ea to 74223e9 August 29, 2025 15:42
Owner

@arvidn arvidn left a comment

in your description there's also a difference in the host: header. but this is not important then?

@bearx3f bearx3f force-pushed the send_host_in_connect_fix branch 2 times, most recently from 6e11686 to 4257926 September 8, 2025 03:43
@bearx3f bearx3f force-pushed the send_host_in_connect_fix branch from 4257926 to 39d4c39 September 8, 2025 03:44
…t formatting for HTTP CONNECT requests, including IPv6 support and edge case handling; add comprehensive tests for various scenarios
host, port)

# If require_host_header is set, reject requests without Host header
if self.require_host_header and not host_header:
Owner

if you remove the check for self.require_host_header (and make it mandatory), you should remove the comment above as well as setting this member to True at the top of the class

Author

I'm really sorry.

…ce; update logging for Host header checks and add tests for CONNECT requests with/without Host header
@bearx3f bearx3f force-pushed the send_host_in_connect_fix branch from be4f2db to baedd6b September 8, 2025 14:29
@arvidn arvidn closed this Sep 8, 2025
@arvidn arvidn reopened this Sep 8, 2025
Owner

arvidn commented Sep 8, 2025

it looks like the simulation error is legitimate and needs to be addressed

…on send_host_in_connect setting; ensure compliance with RFC 9110 and RFC 9112
Author

bearx3f commented Sep 9, 2025

> it looks like the simulation error is legitimate and needs to be addressed

The problem is that my patch will always send the Host header, but the simulation test checks that if send_host_in_connect=false, the host should be empty. I will fix it.

@bearx3f bearx3f changed the title from "fix HTTP CONNECT header" to "Fix Handling of HTTP CONNECT Header in Proxy Connections" Sep 9, 2025