Skip to content

Fix SOCKS proxy hangs and enable third-party resource loading#1

Open
Pebl3 wants to merge 2 commits intosenderend:masterfrom
Pebl3:master
Open

Fix SOCKS proxy hangs and enable third-party resource loading#1
Pebl3 wants to merge 2 commits intosenderend:masterfrom
Pebl3:master

Conversation

@Pebl3
Copy link
Copy Markdown

@Pebl3 Pebl3 commented Apr 25, 2026

Disclaimer... all code is completely AI generated, but I have verified that the patch works and removed bloat.

Summary

Two bugs made the SOCKS proxy unusable for real browser traffic against relayed targets: non-relay hosts (CDNs, fonts) got rejected outright, and a single slow relay response could deadlock the entire proxy. This PR fixes both.

Problems

1. Third-party resources rejected. The SOCKS handler required every connection to have an active relay session, so any page pulling in CDN/font assets failed:

[-] SOCKS: Don't have a relay for cdn.jsdelivr.net(443)
[-] SOCKS: Don't have a relay for fonts.googleapis.com(443)

2. Whole-proxy deadlock after a few seconds. The relay socket used settimeout(None), and every recv() path (transferResponse body read, transferChunked) was unguarded. One slow/hung response from the target held socketLock forever. Every subsequent browser connection blocked on lock acquisition and the browser spun on "infinite loading."

Changes

lib/relay/servers/socksserver.py — direct TCP passthrough for non-relay traffic

  • Removed the early CONNECTION_REFUSED gate for unknown hosts.
  • Added a select-based bidirectional pipe in the "no relay handler" branch, matching the pattern already used for DNS (port 53).
  • Relay targets still go through the NTLM plugin path unchanged.

lib/relay/servers/socksplugins/http.py — bounded relay I/O

  • New _sendViaRelay() helper wrapping the lock/send/recv sequence:
    • 15s lock acquire timeout → 503 to browser (session preserved).
    • 10s socket-level timeout on relaySocket covers every recv() in transferResponse and transferChunked.
    • On timeout/socket error → 504 to browser, close the relay socket so later handlers fail isConnectionAlive() cleanly instead of reading misaligned response bytes.
  • Collapsed 5 duplicated with socketLock: blocks in _processRequestWithProbe into single _sendViaRelay() calls.

Behavior

Scenario Before After
Browser request to CDN / fonts / any non-relay host CONNECTION_REFUSED Direct TCP passthrough
Relay target, fast response Works Works
Relay target, target hangs >10s Whole proxy deadlocks until restart 504 to that browser, session killed, proxy stays responsive
Concurrent browser connections contending on relay socket Serialized (pre-existing) Serialized with 15s cap, fail-fast with 503 on excess contention

Trade-offs

A true target-side hang now ends the NTLM session (relay socket closed). Re-capture is needed — acceptable since the alternative is a dead proxy.

Pebl3 added 2 commits April 24, 2026 21:53
@Pebl3
Enhance SOCKS server with direct DNS passthrough
928684b 
Refactor SOCKS server to handle DNS requests directly and improve error handling for connections without relays.
@Pebl3
Refactor HTTP request handling to use _sendViaRelay
0feab08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Pebl3