Prevent unsolicited CONNECT method calls from HttpURLConnection


Question

I use HttpURLConnection roughly along the following lines:

import android.content.Context;
import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

// Fetches the bmp served at strURL and decodes it; returns null if anything fails.
private Bitmap fetchImage(Context context) {
    String strURL = "https://example.herokuapp.com";
    Bitmap bmImage = null;
    HttpURLConnection connection = null;
    InputStream in = null;
    showMessage(context.getString(R.string.message_preparing));
    try {
        int timeoutMS = 15000;
        URL url = new URL(strURL);
        // For an https:// URL openConnection() hands back an HttpsURLConnection,
        // which is a subclass of HttpURLConnection, so the cast is valid.
        connection = (HttpURLConnection) url.openConnection();
        connection.setDoInput(true);
        connection.setConnectTimeout(timeoutMS);
        connection.setReadTimeout(timeoutMS);
        connection.connect();
        in = connection.getInputStream();
        BitmapFactory.Options options = new BitmapFactory.Options();
        bmImage = BitmapFactory.decodeStream(in, null, options);
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (connection != null)
            connection.disconnect();
        if (in != null) {
            try {
                in.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    return bmImage;
}

This works just fine: the URL defined by strURL returns a bmp image, and the code above decodes it ready for use.

But for one user in particular, although the code works fine to fetch the bmp image, at the server (a node.js server at Heroku) it is apparent that a CONNECT request is also being sent by their device. That request is automatically rejected with a 503 response, so it's not a problem as such, and the bmp is still sent to their device, but I'd like to know why those CONNECT requests are being sent at all, and how to stop them. Surely there should be nothing but GET requests?

I've tried this solution to what appears to be a similar problem, but it makes no difference for me.

Note that strURL points to an https server, and I'm using HttpURLConnection (not HttpsURLConnection); not sure if there is any significance in that.

I'm also not 100% sure the CONNECT requests derive from the above calls, but they certainly happen around the same time as a GET request that delivers the bmp. Maybe it could be generated by the OS somehow, outside of my code? Not sure.

In case it helps, an example log message from Heroku, in response to one of the CONNECT requests, is as follows:

Oct 27 14:14:25 example heroku/router: at=error code=H13 desc="Connection closed without response" method=CONNECT path="example.herokuapp.com:443" host=example.herokuapp.com request_id=353e623x-dec4-42x5-bcfb-452add02ecef fwd="111.22.333.4" dyno=web.1 connect=0ms service=1ms status=503 bytes=0

EDIT: it may also be of relevance that the device concerned actually makes two independent GET requests within a short time of each other (completely separate and legitimate requests), but there is only ever a single CONNECT request apparent (around the same time as the pair of GET requests). So it's not as if there is a CONNECT for each GET.

Answer

The CONNECT method can preface a request to an HTTP server (either a proxy server or an origin server), and it basically means:

  "By the way, old chap, you wouldn't mind relaying this stuff I say 'verbatim' to the host/port I happen to mention, would you? No need to actually pay attention to what I'm saying, really."

Usually this would be an instruction to a proxy to 'get out of the way' and let the requestor (which could be the user-agent OR another proxy) talk directly to the upstream server.

It's a nice facility to have if there is an otherwise-uncooperative (perhaps outdated) proxy between you and an origin server. It's also handy if you're a hacker and would like a mis-configured origin server to blithely facilitate your entry into the internal network.

However, unless you have perfect knowledge of the network and 'know' that there is only ONE proxy in your path, you'll need to 'stack' the CONNECT header until you get a refusal.

For example:

CONNECT site.example.com:80 HTTP/1.1
CONNECT site.example.com:80 HTTP/1.1
GET /foo HTTP/1.1
Host: site.example.com

.... will either get you through 2 interfering, good-for-nothing, upstream proxies; OR get you through just the 1 that's actually there, and earn you a 503 from the origin server ... whereupon you'll have to repeat your request with ONE FEWER CONNECT preface-method.

So that would account for the behaviour seen so far.

However, what isn't clear is WHO is ADDING THE CONNECT PREFACE?! And why don't they like proxies?

It could be:


  1. code on the User-Agent (your Android app on your client's smartphone, using HttpURLConnection or HttpsURLConnection (used automatically by openConnection() if the URL has an https:// scheme));
  2. any Proxy between the User-Agent and the origin-server, which for some reason is distrustful of its upstream proxies, or needs to tunnel HTTPS through a proxy which otherwise only supports HTTP (which is what CONNECT is for);
  3. a Proxy that's been hacked, and is looking for dumb origin-servers to exploit ... but why wait until someone actually needs stuff, to hassle the origin-server?

The full content of the CONNECT method, and the source IP for the packet, would be interesting. I'm betting on #2 though, and predict that you won't see the CONNECT if you accessed the site via an http:// URL.

There is nothing which you can do about it.
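The following is an added example, not code from the question or the answer above, that makes the CONNECT behaviour described in the answer observable on a desktop JDK without any network. It runs a throwaway local "proxy" on the loopback interface that records the first request line it receives and refuses it with a 503 (much as the Heroku router did in the question's log line), then drives the question's HttpURLConnection call sequence through that proxy. The hostnames, paths and ports are placeholders chosen for the demonstration; the class and method names (ConnectProbe, acceptOnce, fetch) are assumptions of this example and not part of any library. It shows that for an https:// URL the client library itself emits CONNECT host:443 as the very first bytes on the wire as soon as a proxy is in its path (the answer's options 1 and 2), and that for an http:// URL the same proxy sees an absolute-form GET instead, which is the answer's prediction.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CompletableFuture;

/**
 * Added example: a local stand-in for "a proxy between the device and the
 * origin". Not the asker's or answerer's code; hostnames and ports are made up.
 */
public class ConnectProbe {

    /** Accepts one connection, returns its request line, and refuses it with 503. */
    static CompletableFuture<String> acceptOnce(ServerSocket server) {
        return CompletableFuture.supplyAsync(() -> {
            try (Socket s = server.accept();
                 BufferedReader in = new BufferedReader(
                         new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII))) {
                String requestLine = in.readLine();
                OutputStream out = s.getOutputStream();
                // Refuse the request/tunnel, as the Heroku router did in the question.
                out.write(("HTTP/1.1 503 Service Unavailable\r\n"
                        + "Content-Length: 0\r\nConnection: close\r\n\r\n")
                        .getBytes(StandardCharsets.US_ASCII));
                out.flush();
                return requestLine;
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        });
    }

    /** The question's call sequence, with the proxy made explicit instead of implicit. */
    static void fetch(String strURL, Proxy proxy) {
        HttpURLConnection connection = null;
        try {
            URL url = new URL(strURL);
            connection = (HttpURLConnection) url.openConnection(proxy);
            connection.setConnectTimeout(3000);
            connection.setReadTimeout(3000);
            connection.connect();                 // https + proxy: CONNECT goes out here
            connection.getInputStream().close();
        } catch (IOException e) {
            // Expected: the fake proxy answers 503, so the request/tunnel is refused.
            System.out.println("client: " + e.getMessage());
        } finally {
            if (connection != null) connection.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            Proxy proxy = new Proxy(Proxy.Type.HTTP,
                    new InetSocketAddress("127.0.0.1", server.getLocalPort()));

            // 1. https:// URL through a proxy: the library must tunnel, so the first
            //    line on the wire is "CONNECT example.herokuapp.com:443 HTTP/1.1",
            //    before any TLS handshake and before the GET exists at all.
            CompletableFuture<String> first = acceptOnce(server);
            fetch("https://example.herokuapp.com/image.bmp", proxy);
            System.out.println("proxy saw: " + first.get());

            // 2. http:// URL through the same proxy: no tunnel is needed, so the proxy
            //    sees "GET http://example.herokuapp.com/image.bmp HTTP/1.1" instead.
            CompletableFuture<String> second = acceptOnce(server);
            fetch("http://example.herokuapp.com/image.bmp", proxy);
            System.out.println("proxy saw: " + second.get());

            // 3. Proxy.NO_PROXY makes openConnection() ignore any configured proxy
            //    (system properties, ProxySelector, device Wi-Fi proxy) and open TLS
            //    straight to the origin, so this code path can never emit a CONNECT.
            //    Not run here because it needs a real TLS endpoint:
            // fetch("https://example.herokuapp.com/image.bmp", Proxy.NO_PROXY);
        }
    }
}
```

Compile and run with `javac ConnectProbe.java && java ConnectProbe`. The useful check for the situation in the question is the distinction between steps 1 and 3: if the affected device has a proxy configured (for example in its Wi-Fi settings), the app's own HttpURLConnection will issue the CONNECT, and `url.openConnection(Proxy.NO_PROXY)` removes it from the app's traffic; if instead a proxy on the path between that device and Heroku generates the CONNECT on its own, the app has no influence over it, which is the case the answer ends on. A CONNECT whose target is the origin itself (`example.herokuapp.com:443` in the log line) is also a hint that whoever sent it was treating the origin as if it were a proxy.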
