Open Bug 1579985 Opened 2 years ago Updated 2 years ago

Impossible to use proxies with DoH

Categories: Core :: Networking, defect, P3
Version: 70 Branch
Status: UNCONFIRMED
People: Reporter: yegors, Unassigned
References: Blocks 1 open bug
Whiteboard: [necko-triaged][trr][mode3]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Steps to reproduce:

  1. Enable DoH (any resolver) and set network.trr.mode = 3
  2. Load a Pac file with a single proxy into the browser
  3. Try to load any website

Actual results:

Firefox errors out on all requests with error "Unable to find the proxy server". Setting network.trr.mode = 2 "fixes" the issue.

Expected results:

Proxy hostname should have been resolved through DoH (it wasn't), and user should be able to proxy all requests through it.

Considering DoH is about to become the default (https://bugzilla.mozilla.org/show_bug.cgi?id=1573840) this is a huge issue for all proxy extensions.

Blocks: 1573840
Whiteboard: [trr]

Hi Yegor,

Can you share the contents of the PAC file? How are you setting the PAC file?

Note that mode3 hasn't been thoroughly tested and will not be shipped by default in Firefox.

Flags: needinfo?(yegors)

Note that in the description, it says this is not an issue if trr.mode = 2, which is what will be set in the DoH rollout. So the rollout will not affect functionality of proxy extensions.

Blocks: 1434852
No longer blocks: 1573840
Priority: -- → P3
Whiteboard: [trr] → [necko-triaged][trr][mode3]

The Pac file can be as simple as this:

function FindProxyForURL(url, host) {
  return "HTTPS stg-ie-003.windscribe.com";
}

Loading the proxy via the extension APIs has the same effect.

Flags: needinfo?(yegors)

So, this is a bootstrapping problem.
Most likely we are trying to use the proxy for the DoH URL, but DNS doesn't yet work in mode 3, because TRR hasn't connected yet.

I can suggest

  1. setting network.trr.bootstrapAddress to the IP address you get when resolving the URL in network.trr.uri
  2. trying a PAC script that only contains IP addresses.
Flags: needinfo?(yegors)

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking
Product: Firefox → Core

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.

Priority: P3 → --
Priority: -- → P3

(In reply to Valentin Gosu [:valentin] (he/him) from comment #5)
>   1. trying a PAC script that only contains IP addresses.

Definitely not, if the proxy is a secure proxy we connect via TLS, which in the example definitely was one (HTTPS).

(In reply to Valentin Gosu [:valentin] (he/him) from comment #5)
> So, this is a bootstrapping problem.
> Most likely we are trying to use the proxy for the DoH URL, but DNS doesn't yet work in mode 3, because TRR hasn't connected yet.
>
> I can suggest
>
>   1. setting network.trr.bootstrapAddress to the IP address you get when resolving the URL in network.trr.uri
>   2. trying a PAC script that only contains IP addresses.

  1. bootstrapAddress was already used at the time of the bug being filed.
  2. As Honza suggested, this is not an option. It's a TLS proxy which requires valid TLS certs.

Flags: needinfo?(yegors)
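Added example, not code from this bug or from Firefox: a toy JavaScript model of the bootstrapping cycle Valentin describes in comment #5, run in mode 2 and mode 3 with the hostname-based PAC from the report and with the two suggested workarounds. The hostnames, addresses, function names and the resolver logic are all assumptions made for the model.

```javascript
// Added toy model (not Firefox code): the TRR/proxy bootstrapping cycle from comment #5.
// All names, addresses and the resolver logic below are constructed assumptions.
const TRR_MODE_FIRST = 2;   // network.trr.mode 2: DoH first, native DNS on failure
const TRR_MODE_ONLY = 3;    // network.trr.mode 3: DoH only, no fallback
// Constructed answer table, standing in for both the OS resolver and DoH answers.
const DNS_ANSWERS = { "doh.example": "192.0.2.1", "proxy.example": "198.51.100.7",
                      "www.example": "203.0.113.9" };
const DOH_HOST = "doh.example";
const DOH_URI = `https://${DOH_HOST}/dns-query`;   // stands in for network.trr.uri
// The PAC from the report, generalised: one HTTPS (TLS) proxy named by hostname.
function pacByHostname(url, host) { return "HTTPS proxy.example"; }
// Valentin's second suggestion: the same proxy named by IP address only.
function pacByAddress(url, host) { return "HTTPS 198.51.100.7"; }
function makeResolver(trrMode, bootstrapAddress, findProxyForURL) {
  let trrConnected = false;
  const inProgress = new Set();   // hosts being resolved right now (cycle detector)
  function nativeLookup(host) {
    if (!(host in DNS_ANSWERS)) throw new Error(`NXDOMAIN ${host}`);
    return DNS_ANSWERS[host];
  }
  // Opening the DoH channel goes through proxy selection like any other URL, so a
  // proxy named by hostname must itself be resolved before DoH can answer anything.
  function connectTrr() {
    const m = /^HTTPS (\S+)$/.exec(findProxyForURL(DOH_URI, DOH_HOST));
    if (m && !/^\d{1,3}(\.\d{1,3}){3}$/.test(m[1])) resolve(m[1]);
    if (!bootstrapAddress) resolve(DOH_HOST);   // no network.trr.bootstrapAddress set
    trrConnected = true;
  }
  function trrLookup(host) {
    if (inProgress.has(host)) throw new Error(`TRR bootstrap cycle on ${host}`);
    inProgress.add(host);
    try {
      if (!trrConnected) connectTrr();
      return nativeLookup(host);   // the table stands in for the DoH answer
    } finally { inProgress.delete(host); }
  }
  function resolve(host) {
    try { return trrLookup(host); }
    catch (e) {
      if (trrMode === TRR_MODE_FIRST) return nativeLookup(host);   // mode 2 falls back
      throw e;                                                     // mode 3 cannot
    }
  }
  return resolve;
}
// Address the page load would use, or the failure the user would see.
function tryLoad(trrMode, bootstrapAddress, pac) {
  try { return { ok: true, address: makeResolver(trrMode, bootstrapAddress, pac)("www.example") }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```

The address-only PAC case is modelled only to show which dependency it removes; as the thread says, it is not usable with a TLS proxy that needs valid certificates for its hostname.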

(In reply to Yegor from comment #9)
> (In reply to Valentin Gosu [:valentin] (he/him) from comment #5)
> > So, this is a bootstrapping problem.
> > Most likely we are trying to use the proxy for the DoH URL, but DNS doesn't yet work in mode 3, because TRR hasn't connected yet.
> >
> > I can suggest
> >
> >   1. setting network.trr.bootstrapAddress to the IP address you get when resolving the URL in network.trr.uri
> >   2. trying a PAC script that only contains IP addresses.
>
>   1. bootstrapAddress was already used at the time of the bug being filed.
>   2. As Honza suggested, this is not an option. It's a TLS proxy which requires valid TLS certs.

Where is the PAC script loaded from?
Could you help us with some logs? https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
Set the module list / MOZ_LOG to timestamp,sync,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
It's best to start with a new profile, and set all the prefs as you normally would.

Thanks for assisting us with debugging this.

Flags: needinfo?(yegors)

The Pac file was loaded via "Network Settings" -> Automatic proxy configuration URL

Can just load this Pac file into the box: https://gist.githubusercontent.com/yegors/5df3ddbf95cd88a17f930b4857b6fc80/raw/bb5d761245f0aad6432adc7d91bd514cde967aa6/gistfile1.txt

The same issue occurs with the Firefox Private Network extension, once you enable DoH in trr.mode = 3.

I won't have time to test this in the next several days, but the issue is easily reproducible given the steps above.

Flags: needinfo?(yegors)