New issue
Advanced search Search tips

Issue 680083 link

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 680837
Owner: ----
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Sign in to add a comment

Proxy is considered BAD when ERR_TUNNEL_CONNECTION_FAILED is returned for any URL

Reported by lex...@gmail.com, Jan 11 2017

Issue description

Version of Google Chrome (Wrench-> About Google Chrome): 55.0.2883.87 m (64-bit)
Version of MSI (if applicable):
Using group policy settings? Yes


Issue:
When running chrome with "chrome --winhttp-proxy-resolver" the described issue is not happening.

Chrome in our enterprise is configured with a .PAC file. The instructions provide a FALLBACK proxy of "DIRECT".

I used chrome://net-internals/#proxy to see why the primary proxy is invalidated and when and I saw the below:

This is the point where our proxy is deemed bad because of source dependency
18115 which can be found below:

t=219521 [st=488] SOCKET_POOL_BOUND_TO_CONNECT_JOB
--> source_dependency = 18115 (CONNECT_JOB)
t=219521 [st=488] -SOCKET_POOL
--> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED)
t=219521 [st=488] PROXY_LIST_FALLBACK
--> bad_proxy = "192.168.51.8:3128"
t=219521 [st=488] +HOST_RESOLVER_IMPL_REQUEST [dt=0]
--> address_family = 0
--> allow_cached_response = true
--> host = "www.facebook.com:443"
--> is_speculative = false
t=219521 [st=488] HOST_RESOLVER_IMPL_IPV6_REACHABILITY_CHECK
--> cached = true
--> ipv6_available = false
t=219521 [st=488] -HOST_RESOLVER_IMPL_REQUEST
--> net_error = -804 (ERR_DNS_CACHE_MISS)

So, when Chrome can't use this proxy to access Facebook (or any other site
for that matter), then the whole proxy is considered BAD and the Fallback
option in the PAC is enabled (which Is DIRECT).


18115: CONNECT_JOB
ssl/www.facebook.com:443
Start Time: 2017-01-10 16:01:06.294

t=219039 [st= 0] +SOCKET_POOL_CONNECT_JOB [dt=482]
--> group_name = "ssl/www.facebook.com:443"
t=219039 [st= 0] +SOCKET_POOL_CONNECT_JOB_CONNECT [dt=482]
t=219039 [st= 0] +SOCKET_POOL [dt=482]
t=219521 [st=482] SOCKET_POOL_BOUND_TO_CONNECT_JOB
--> source_dependency = 18116 (CONNECT_JOB)
t=219521 [st=482] -SOCKET_POOL
--> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED)
t=219521 [st=482] -SOCKET_POOL_CONNECT_JOB_CONNECT
--> net_error = -111 (ERR_TUNNEL_CONNECTION_FAILED)
t=219521 [st=482] -SOCKET_POOL_CONNECT_JOB

Our proxy shouldn't get invalidated when access to one site is not working. We intentionally block a big number of URLs for security and compliance reasons.


Expected Behavior:
We need this facility to work exactly like it does on Internet Explorer 11 and Firefox. Stick to the primary proxy "unless" the proxy is completely unresponsive/unavailable. Testing of the availability of the proxy would be to check a number of URLs in the background (like well known sites like google.com, bing.com, godaddy.com) in a way to make sure that the proxy has failed completely.

Actual Behavior:
Whenever a site is not accessible, the proxy is invalidated.

Workaround proposal:
Add a Group Policy option to always run Chrome with --winhttp-proxy-resolver

Solution proposal:
Add a Group Policy option to make this work like --winhttp-proxy-resolver but continue to use Chrome's facility and WinInet API.




 
Components: -Enterprise Internals>Network>Proxy
Labels: TE-NeedsTriageHelp
I believe this is WontFix/WorkingAsIntended , and do not believe it would be advisable to expose either the WinHTTP Proxy Resolver or to alter behaviours. Both of these go against Chrome's mission of "simple"

Proposed Resolution:
Don't include DIRECT if users should not go to that site.

Comment 3 by eroman@chromium.org, Jan 13 2017

--winhttp-proxy-resolver should not be affecting this problem. Assuming it returns the same proxy list "PROXY 192.168.51.8:3128; DIRECT", you would have the same problem. Can you include a netlog with both modes? Or at the very least copy-paste what the proxy list inferred in both cases was.

As far as the general issue, if the intent is to block sites there shouldn't be a fallback to DIRECT in the list.

Another option could be to remove Chrome's re-ordering of proxies to attempt based on past performance all-together, and always try them in linear fashion...

Comment 4 by lex...@gmail.com, Jan 16 2017

> --winhttp-proxy-resolver should not be affecting this problem. Assuming it returns the same proxy list "PROXY 192.168.51.8:3128; DIRECT", you would have the same problem.

No, and proof that the behavior is different is attached. I did the following test:

1. Execute Chrome (with and without --winhttp-proxy-resolver
2. Go to chrome://net-internals/#proxy to clear an Bad proxy results and reloaded the .pac
3. Tried to access https://www.facebook.com


With --winhttp-proxy-resolver, we had the expected and proper results. There is no logic in banning a whole proxy because a specific URL is not accessible. This is logically and functionally wrong and that is why it is not followed by any other browser.

I understand Chrome would like to be a good and obedient browsers so users like it, but in a corporate environment this is a no go. In a corporate environment rules and policies are to be followed.

We want to keep DIRECT as a FALLBACK on occasions where the main proxy is indeed dead and that's how IE and Firefox are working and have been tested to provide this.


I am waiting on your comments.


Thanks,
Alex

net-internals-log-winhttp-proxy-resolver-off.json
2.9 MB View Download
net-internals-log-winhttp-proxy-resolver-on.json
515 KB View Download

Comment 5 by mmenke@chromium.org, Jan 17 2017

Worth noting we only mark a proxy as bad when we get an error, and we can successfully get a response without using the proxy.  i.e., if we can fallback to direct connections, and we get a response from a direct connection, we consider the proxy bad (Admittedly, a "You can't get there from here" page served over HTTP counts as fallback working, but I don't think that's the case here).

Comment 6 by lex...@gmail.com, Jan 26 2017

Any progress on this ticket?

Comment 7 by eroman@chromium.org, Feb 13 2017

Mergedinto: 680837
Status: Duplicate (was: Unconfirmed)

Sign in to add a comment