Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NO_PROXY port support + special case for proxying via localhost #11403

Merged
merged 54 commits into from
Apr 4, 2022
Merged

NO_PROXY port support + special case for proxying via localhost #11403

merged 54 commits into from
Apr 4, 2022

Conversation

atburke
Copy link
Contributor

@atburke atburke commented Mar 23, 2022

This PR updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when the following conditions are met:

  • --insecure is true
  • The request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost)

Resolves #10175.

atburke and others added 30 commits February 7, 2022 15:21
@atburke
Add http proxy to web clients
72459fb
@atburke
Add tests
05fa8b5
@atburke
Reduce arg ambiguity
37cd786
@atburke
Make error assertions more specific
e2df595
@atburke
Fix linting
8281dfc
@atburke
Merge branch 'master' into atburke/tsh-https-proxy
59088d7
@atburke
Add messages to assertions
700abc2
@atburke
Change fake proxy address in tests
d41122a
@atburke
Add http proxy support for ssh
d225e71
@atburke
Move proxy utils to api
810d958
@atburke
Add proxy-aware context dialer
dd5e232
@atburke
Fix incorrect address in makeProxySSHClient
7981450
@atburke
Merge branch 'master' into atburke/tsh-https-proxy
726297f
@atburke
Merge branch 'master' into atburke/tsh-https-proxy
1823b90
@atburke
Merge branch 'master' into atburke/tsh-https-proxy
f57114d
@atburke
Add docs
ad44ccf
@atburke
Add NO_PROXY tests
de6c715
@atburke
Simplify bodyclose workaround
df6c5e2
@atburke
Stop caching env vars
bde8fb2
@atburke
Split makeProxySSHClient
bbc3af7
@atburke
Remove leftover teleport imports from api
79e3f3f
@atburke
Make dialALPNWithDeadline a member of directDial
fcf43ee
@atburke
Add DialProxyWithDialer for custom dialers
e24d3d0
@atburke
Make tlsConfig mandatory
749d889
@atburke
Bring back tlsRoutingEnabled flag
4e2a20a
@atburke
Move tls config configuration to its own function
cad2d6c
@atburke
Update NO_PROXY matching
2117a9b
@atburke
Change GetProxyAddress return type
5d69d45
@atburke
Add ProxyAwareRoundTripper
b3f1d13
@atburke
Remove siddontang logger from proxy.go
2a6b7b2
@r0mant r0mant removed the request for review from zmb3 March 28, 2022 18:32
@r0mant
Copy link
Collaborator

r0mant commented Mar 28, 2022

@jimbishopp Can you please take a look too?

jimbishopp
jimbishopp reviewed Mar 28, 2022
View reviewed changes
api/client/proxy/proxy.go Outdated Show resolved Hide resolved
api/client/proxy/proxy.go Outdated Show resolved Hide resolved
api/client/proxy/proxy.go Show resolved Hide resolved
api/client/proxy/proxy.go Outdated Show resolved Hide resolved
jimbishopp
jimbishopp approved these changes Mar 29, 2022
View reviewed changes
Copy link
Contributor

@jimbishopp jimbishopp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

api/client/proxy/proxy_test.go Show resolved Hide resolved
r0mant
r0mant reviewed Mar 29, 2022
View reviewed changes
api/client/proxy/proxy.go Outdated

// parse parses a URL. If the address does not have a scheme, it will prepend "http" and try.
func parse(addr string) (*url.URL, error) {
proxyurl, err := url.Parse(addr)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some things about this function are still unclear to me:

  • proxyurl is still confusing because this function doesn't actually deal with proxy addresses now.
  • In which case addr will not have a scheme in it?
  • Shouldn't we default to https if the scheme is empty? That would be a more secure default, no?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whether or not addr has a scheme depends on the caller; the existing proxy tests didn't have schemes, so I'm assuming that's a common and expected scenario.

The extra http:// is only there to help parse the url; parse doesn't assume http. GetProxyAddress handles the scheme-less URLs by checking https first, then http.

api/client/proxy/proxy.go Show resolved Hide resolved
lib/client/https_client.go Outdated Show resolved Hide resolved
api/client/webclient/webclient.go Outdated Show resolved Hide resolved
@atburke atburke requested a review from r0mant March 31, 2022 22:54
r0mant
r0mant approved these changes Apr 1, 2022
View reviewed changes
api/client/proxy/proxy.go Outdated Show resolved Hide resolved
api/client/proxy/proxy.go Outdated Show resolved Hide resolved
@atburke atburke enabled auto-merge (squash) April 1, 2022 22:46
@atburke atburke disabled auto-merge April 4, 2022 17:52
@atburke atburke merged commit e3a8fb7 into master Apr 4, 2022
@atburke atburke deleted the atburke/tsh-http-fallback branch April 4, 2022 21:23
atburke added a commit that referenced this pull request Apr 5, 2022
@atburke
NO_PROXY port support + special case for proxying via localhost (#11403)
856714f 
This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
@atburke atburke mentioned this pull request Apr 11, 2022
Merged
atburke added a commit that referenced this pull request Apr 12, 2022
@atburke
NO_PROXY port support + special case for proxying via localhost (#11403)
265dc7f 
This change updates NO_PROXY handling to allow blocking specific host:port combinations, rather than just the host. It also adds a special case for downgrading requests to plain HTTP when --insecure is true and the request goes through a plain HTTP proxy at localhost (i.e. HTTP_PROXY=http://localhost).
@webvictim webvictim mentioned this pull request Apr 19, 2022
Closed
@webvictim webvictim mentioned this pull request Jun 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jimbishopp jimbishopp jimbishopp approved these changes

@r0mant r0mant r0mant approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

HTTP fallback for tsh
4 participants
@atburke @r0mant @jimbishopp @zmb3