Issue metadata
Sign in to add a comment
|
Proxy is considered BAD when ERR_TUNNEL_CONNECTION_FAILED is returned for any URL
Reported by
lex...@gmail.com,
Jan 11 2017
|
||||||||||||||||||||||
Issue descriptionVersion of Google Chrome (Wrench-> About Google Chrome): 55.0.2883.87 m (64-bit) Version of MSI (if applicable): Using group policy settings? Yes Issue: When running chrome with "chrome --winhttp-proxy-resolver" the described issue is not happening. Chrome in our enterprise is configured with a .PAC file. The instructions provide a FALLBACK proxy of "DIRECT". I used chrome://net-internals/#proxy to see why the primary proxy is invalidated and when and I saw the below: This is the point where our proxy is deemed bad because of source dependency 18115 which can be found below: t=219521 [st=488] SOCKET_POOL_BOUND_TO_CONNECT_JOB --> source_dependency = 18115 (CONNECT_JOB) t=219521 [st=488] -SOCKET_POOL --> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED) t=219521 [st=488] PROXY_LIST_FALLBACK --> bad_proxy = "192.168.51.8:3128" t=219521 [st=488] +HOST_RESOLVER_IMPL_REQUEST [dt=0] --> address_family = 0 --> allow_cached_response = true --> host = "www.facebook.com:443" --> is_speculative = false t=219521 [st=488] HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK --> cached = true --> ipv6_available = false t=219521 [st=488] -HOST_RESOLVER_IMPL_REQUEST --> net_error = -804 (ERR_DNS_CACHE_MISS) So, when Chrome can't use this proxy to access Facebook (or any other site for that matter), then the whole proxy is considered BAD and the Fallback option in the PAC is enabled (which Is DIRECT). 18115: CONNECT_JOB ssl/www.facebook.com:443 Start Time: 2017-01-10 16:01:06.294 t=219039 [st= 0] +SOCKET_POOL_CONNECT_JOB [dt=482] --> group_name = "ssl/www.facebook.com:443" t=219039 [st= 0] +SOCKET_POOL_CONNECT_JOB_CONNECT [dt=482] t=219039 [st= 0] +SOCKET_POOL [dt=482] t=219521 [st=482] SOCKET_POOL_BOUND_TO_CONNECT_JOB --> source_dependency = 18116 (CONNECT_JOB) t=219521 [st=482] -SOCKET_POOL --> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED) t=219521 [st=482] -SOCKET_POOL_CONNECT_JOB_CONNECT --> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED) t=219521 [st=482] -SOCKET_POOL_CONNECT_JOB Our proxy shouldn't get invalidated when access to one site is not working. We intentionally block a big number of URLs for security and compliance reasons. Expected Behavior: We need this facility to work exactly like it does on Internet Explorer 11 and Firefox. Stick to the primary proxy "unless" the proxy is completely unresponsive/unavailable. Testing of the availability of the proxy would be to check a number of URLs in the background (like well known sites like google.com, bing.com, godaddy.com) in a way to make sure that the proxy has failed completely. Actual Behavior: Whenever a site is not accessible, the proxy is invalidated. Workaround proposal: Add a Group Policy option to always run Chrome with --winhttp-proxy-resolver Solution proposal: Add a Group Policy option to make this work like --winhttp-proxy-resolver but continue to use Chrome's facility and WinInet API.
,
Jan 13 2017
I believe this is WontFix/WorkingAsIntended , and do not believe it would be advisable to expose either the WinHTTP Proxy Resolver or to alter behaviours. Both of these go against Chrome's mission of "simple" Proposed Resolution: Don't include DIRECT if users should not go to that site.
,
Jan 13 2017
--winhttp-proxy-resolver should not be affecting this problem. Assuming it returns the same proxy list "PROXY 192.168.51.8:3128; DIRECT", you would have the same problem. Can you include a netlog with both modes? Or at the very least copy-paste what the proxy list inferred in both cases was. As far as the general issue, if the intent is to block sites there shouldn't be a fallback to DIRECT in the list. Another option could be to remove Chrome's re-ordering of proxies to attempt based on past performance all-together, and always try them in linear fashion...
,
Jan 16 2017
> --winhttp-proxy-resolver should not be affecting this problem. Assuming it returns the same proxy list "PROXY 192.168.51.8:3128; DIRECT", you would have the same problem. No, and proof that the behavior is different is attached. I did the following test: 1. Execute Chrome (with and without --winhttp-proxy-resolver 2. Go to chrome://net-internals/#proxy to clear an Bad proxy results and reloaded the .pac 3. Tried to access https://www.facebook.com With --winhttp-proxy-resolver, we had the expected and proper results. There is no logic in banning a whole proxy because a specific URL is not accessible. This is logically and functionally wrong and that is why it is not followed by any other browser. I understand Chrome would like to be a good and obedient browsers so users like it, but in a corporate environment this is a no go. In a corporate environment rules and policies are to be followed. We want to keep DIRECT as a FALLBACK on occasions where the main proxy is indeed dead and that's how IE and Firefox are working and have been tested to provide this. I am waiting on your comments. Thanks, Alex
,
Jan 17 2017
Worth noting we only mark a proxy as bad when we get an error, and we can successfully get a response without using the proxy. i.e., if we can fallback to direct connections, and we get a response from a direct connection, we consider the proxy bad (Admittedly, a "You can't get there from here" page served over HTTP counts as fallback working, but I don't think that's the case here).
,
Jan 26 2017
Any progress on this ticket?
,
Feb 13 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by brajkumar@chromium.org
, Jan 12 2017Labels: TE-NeedsTriageHelp