Unable to browse the "National Health Insurance Administration Ministry of Health and Welfare, Taiwan" website via TetherFi(Error 502) #349
That line about Google GMs package in the connection timeout is interesting. TetherFi does not use any Google library outside of the billing code, so I wonder why this Google line and the ktor code are getting used in the same stack. I will look. Are you able to access the website fine normally? Do other proxies or VPNs work?
Without the proxy, yes.
I noticed that when I started a SimpleSSHD service on the phone, connected to the service using the SSH client on the PC, and attempted to connect to the same website via the SOCKS service of the SSH client's
$ time https_proxy=socks5h://127.0.0.1:1080 curl --verbose https://www.nhi.gov.tw
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Uses proxy env variable https_proxy == 'socks5h://127.0.0.1:1080'
* Trying 127.0.0.1:1080...
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* SOCKS5 connect to www.nhi.gov.tw:443 (remotely resolved)
*stuck at here*
though in this case after a similar 2m10s duration, a valid response does eventually return:
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / prime256v1 / rsaEncryption
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: C=TW; L=\U81FA\U5317\U5E02; O=\U885B\U751F\U798F\U5229\U90E8\U4E2D\U592E\U5065\U5EB7\U4FDD\U96AA\U7F72; CN=*.nhi.gov.tw
* start date: Jul 17 10:56:26 2024 GMT
* expire date: Aug 16 15:59:59 2025 GMT
* subjectAltName: host "www.nhi.gov.tw" matched cert's "*.nhi.gov.tw"
* issuer: C=TW; O=Chunghwa Telecom Co., Ltd.; OU=Public Certification Authority - G2
* SSL certificate verify ok.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha1WithRSAEncryption
* using HTTP/1.x
> GET / HTTP/1.1
> Host: www.nhi.gov.tw
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Location: /ch/mp-1.html
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=edge
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: same-origin
< Content-Security-Policy: form-action 'self';frame-ancestors 'self';default-src 'self' 'unsafe-inline' 'unsafe-eval' data: ws.csptc.gov.tw nhifile-nhi.cdn.hinet.net i.ytimg.com www.google.com.tw *.googletagmanager.com www.google-analytics.com *.googleapis.com *.gstatic.com *.google.com *.facebook.com *.facebook.net *.doubleclick.net *.youtube.com;
< Date: Tue, 05 Nov 2024 16:56:00 GMT
< Set-Cookie: TS01bdd66b=01d4478401d8e8e817ad79d4ed7a4dce1decf0e8c6bace515deb14a77858e0440a93ff4bc2ab4a56de4373a35849b1877ac6085025; Path=/; Domain=.www.nhi.gov.tw
< Transfer-Encoding: chunked
<
* Connection #0 to host 127.0.0.1 left intact
real 2m10.163s
user 0m0.025s
sys 0m0.014s
Interesting, I will take a look and see if I can figure out more, thanks for the logs!
I noticed that this problem is not reproduced when PCAPdroid is capturing the network packets (via emulating a system VPN connection) for some reason.
If it's taking almost 2 minutes for a non-VPN SOCKS proxy to get a response, TetherFi is probably timing out because we kill connections after 1 minute. Version 50/51 reduces this even further to 10 seconds to save memory. I will make this timeout user configurable, to allow you to wait longer. Assuming the website just throttles proxy connections for whatever reason, perhaps this additional waiting would work. As for why PCAPdroid works, I imagine the fact that it operates as an Android-level VPN service gives it additional privileges, and network-wise it removes the need for the CONNECT on the HTTP side. TetherFi has no plans right now to become a VPN-level application though, so for now, I believe allowing the timeout to be configurable is the best short-term way forward.
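The timeout behaviour discussed in the comment above, as an added example (not TetherFi's code, and in Python rather than the project's Kotlin): a minimal HTTP CONNECT handler whose upstream connect budget is configurable, answering 502 when the upstream takes longer than the budget. `handle_connect`, `probe`, `status_for` and `origin.example` are hypothetical names, the slow upstream is simulated, and the tunnel relay after the 200 is omitted.

```python
import asyncio

async def handle_connect(reader, writer, dial, connect_timeout):
    """Serve one HTTP CONNECT request; `dial` opens the upstream connection."""
    request_line = (await reader.readline()).decode("latin-1").split()
    while (await reader.readline()) not in (b"\r\n", b"\n", b""):
        pass  # discard the remaining request headers
    try:
        if len(request_line) != 3 or request_line[0] != "CONNECT":
            raise ValueError("not a CONNECT request")
        host, _, port = request_line[1].rpartition(":")
        # The whole upstream connect must finish inside the configured budget.
        await asyncio.wait_for(dial(host, int(port)), connect_timeout)
        status = b"HTTP/1.1 200 Connection Established\r\n\r\n"
    except ValueError:
        status = b"HTTP/1.1 400 Bad Request\r\n\r\n"
    except (asyncio.TimeoutError, OSError):
        # Upstream did not answer inside the budget: the client sees a 502.
        status = b"HTTP/1.1 502 Bad Gateway\r\n\r\n"
    writer.write(status)
    await writer.drain()
    writer.close()

async def probe(connect_timeout, upstream_delay):
    """Return the status line a client gets for one CONNECT via a local proxy."""
    async def slow_dial(host, port):
        # Constructed stand-in for an origin that is slow to accept connections.
        await asyncio.sleep(upstream_delay)

    server = await asyncio.start_server(
        lambda r, w: handle_connect(r, w, slow_dial, connect_timeout),
        "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(b"CONNECT origin.example:443 HTTP/1.1\r\n"
                 b"Host: origin.example:443\r\n\r\n")
    await writer.drain()
    status_line = (await reader.readline()).decode().strip()
    writer.close()
    server.close()
    return status_line

def status_for(connect_timeout, upstream_delay):
    """Synchronous wrapper: status line for the given budget and upstream delay."""
    return asyncio.run(probe(connect_timeout, upstream_delay))
```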
Oh, so it's basically "watching" but not actually doing anything to change the request? And suddenly the website just works? That is weird then. Still, I believe it would be good to allow configuration of the timeout for other websites that behave poorly or slowly, so I will still continue with that option. I will have to revisit the base idea then for why this occurs - this is a curious problem. If it is ultimately that this specific website just doesn't like proxy connections, I'm not sure what else we can do here.
Thank you for your patience and your consistently detailed bug reporting!
I have patched the
Thanks for trying :) Given that it always times out at 2m 10 seconds, this must be something configured on the website's end. Tricky problem.
Hello, further compounding the confusing problem is this: I just tried again this morning and got a normal request, perfectly fine, via curl
I tried a second time, and it again worked completely fine. I then tried again but this time going to
Actually now I'm getting connection problems on a normal connection, when I'm not using TetherFi. I think something is just "weird" with this specific website on this specific week.
Other websites browse fine, but I am unable to browse this specific website via TetherFi for some reason: National Health Insurance Administration Ministry of Health and Welfare
The page just stuck at loading for a very long time and returns a timeout error (NS_ERROR_NET_TIMEOUT).
Testing request using curl returns a 502 Bad Gateway response after around 2 minutes and 10 seconds (sample size = 5):
The developer log indicates that there's a connection timed out java.net.ConnectException, but nothing else.
Website browses without issue on the phone.
Additional information
TetherFi: 49 from Google Play
Android: 14 (AP2A.240905.003)
Phone: Google Pixel 8 Pro