Background

At our organization we have our own Go proxy that serves our own private modules. This Go proxy server contains a httputil.NewSingleHostReverseProxy pointing at proxy.golang.org.

This proxy predates the ability to provide a comma-separated list of proxy URLs in the GOPROXY env var. Now that this exists we may try to resolve this issue by moving to what the Go mod ref recommends, just doing something like GOPROXY=https://proxy.corp.example.com,https://proxy.golang.org,direct.

Issue

When we attempt to download packages through our proxy.corp.example.com Go proxy server we are sporadically getting errors that look like this:

go: cloud.google.com/go/bigquery@v1.8.0: reading https://proxy.corp.example.com/cloud.google.com/go/bigquery/@v/v1.8.0.info: 400 Bad Request
        server response: bad request: query parameters not allowed

These errors have been sporadic. If I do a go clean -modcache go download sometimes it works without issues, sometimes it hits one of these errors.

Debugging

By setting the GODEBUG=http2debug=1 environment variable on our proxy.corp.example.com machine I was able to track down the reason for these errors: https://proxy.golang.org is sometimes responding to requests like proxy.golang.org/github.com/opencontainers/go-digest/@v/v1.0.0.mod with a 302 response redirecting to https://www.google.com/sorry/index?continue=https://proxy.golang.org/github.com/opencontainers/go-digest/%40v/v1.0.0.mod&q=REDACTED

This https://www.google.com/sorry/... url returns another 302 redirect to proxy.golang.org/github.com/opencontainers/go-digest/@v/v1.0.0.mod?google_abuse=GOOGLE_ABUSE_EXEMPTION%3DID%3D_REDACTED_:TM%3D_REDACTED_:C%3D%3E:IP%3D1_REDACTED_-:S%3D_REDACTED_%3B+path%3D/%3B+domain%3Dgoogle.com%3B+expires%3DThu,+31-Jul-2025+21:08:15+GMT

Since proxy.golang.org doesn't allow query parameters it returns a 400 Bad Request with the body:

bad request: query parameters not allowed

I happened to visit one of those https://www.google.com/sorry/... urls from my personal machine instead of my work machine and was greeted with a page blocking access instead of redirecting me back to proxy.golang.org and noting this is because the IPs don't match:

Our systems have detected unusual traffic from your computer network. Please try your request again later. Why did this happen?

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service. The block will expire shortly after those requests stop.

This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests. If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible. Learn more

Sometimes you may see this page if you are using advanced terms that robots are known to use, or sending requests very quickly.

IP address: 38.REDACTED ≠ 144.REDACTED
Time: 2025-08-01T18:10:52Z
URL: https://proxy.golang.org/github.com/mitchellh/mapstructure/@v/v0.0.0-20150613213606-2caf8efc9366.mod

Conclusion

So it looks to me like proxy.golang.org is deciding that the traffic coming from our proxy.corp.example.com server is suspicious for some reason (probably we are sending too much traffic to proxy.golang.org through that server?) and 302 redirects it through a google.com/sorry page to validate that the request is real. When the 302 works its way back to go and go follows it, the google.com/sorry page decides it is legit and redirects it along to the original proxy.golang.org page, BUT it adds on extra query parameters that cause proxy.golang.org to error.

Given it seems to me like the google.com/sorry thinks our requests are ok it would be nice if something in this system could be made to support this workflow. Either when google.com/sorry redirects to proxy.golang.org it needs to strip off the extra query parameters, or proxy.golang.org needs to be made so it allows this special google_abuse query parameter.
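
An added example, not part of the original report and not the reporter's proxy code: one way for a NewSingleHostReverseProxy-based module proxy to fail closed when the upstream answers with a redirect that leaves its host or carries a query string, instead of relaying the /sorry hop to the go command. The names newModuleProxy and statusVia, the Retry-After value and the upstream responses are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newModuleProxy (hypothetical name) relays upstream responses, but turns any
// redirect that leaves the upstream host or adds a query string into a 503.
func newModuleProxy(upstream *url.URL) *httputil.ReverseProxy {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	rp.ModifyResponse = func(resp *http.Response) error {
		if resp.StatusCode/100 != 3 || resp.Header.Get("Location") == "" {
			return nil // not a redirect (a 304 carries no Location)
		}
		loc, err := resp.Location() // resolves relative Locations against the upstream URL
		if err == nil && loc.Host == upstream.Host && loc.RawQuery == "" {
			return nil // plain same-host redirect: safe to relay
		}
		// The Location is not echoed: it can carry an abuse-exemption token.
		return fmt.Errorf("blocked upstream redirect (status %d)", resp.StatusCode)
	}
	rp.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, err error) {
		w.Header().Set("Retry-After", "60") // assumed back-off value
		http.Error(w, "module proxy: "+err.Error(), http.StatusServiceUnavailable)
	}
	return rp
}

// statusVia returns the status a client sees when a constructed upstream answers 302 to location.
func statusVia(location string) int {
	up := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		if location != "" {
			w.Header().Set("Location", location)
			w.WriteHeader(http.StatusFound)
		}
	}))
	defer up.Close()
	u, _ := url.Parse(up.URL)
	rec := httptest.NewRecorder()
	newModuleProxy(u).ServeHTTP(rec, httptest.NewRequest("GET", "/example.com/m/@v/v1.0.0.mod", nil))
	return rec.Code
}

func main() {
	fmt.Println(statusVia("https://www.google.com/sorry/index?continue=REDACTED")) // 503
}
```

With a comma-separated GOPROXY list the go command falls back to the next entry only on 404 or 410, so this 503 surfaces as an error; a | separator makes it fall back on any error.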
