Add an experimental transparent HTTP proxy #225
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
djs55
force-pushed
the
http-intercept
branch
2 times, most recently
from
d7c07bb to
f363c02
Compare
If the key `slirp/http-intercept` is provided, then its contents are
parsed as json and interpreted as transparent proxy settings e.g.
{
"http": "http://docker.com:3128",
"https": "http://docker.com:3128",
"excludes": ""
}
means to forward both HTTP and HTTPs to http://docker.com:3128.
The proxied request should be identical to the original request, except
that the resource will have been transformed from a relative URI (e.g. `/`)
into an absolute one (e.g. `http://dave.recoil.org/`).
The address of a proxy can take any of the following forms:
ip:port
host:port
http://host:port
http://ip:port
There is currently no support for the `excludes` key.
Signed-off-by: David Scott <[email protected]>
This enables HTTP interception and checks that - requests are captured - resources are converted to absolute URIs - headers of various kinds are preserved Signed-off-by: David Scott <[email protected]>
Signed-off-by: David Scott <[email protected]>
Signed-off-by: David Scott <[email protected]>
Signed-off-by: David Scott <[email protected]>
If `http-intercept` is set and there is an upstream https proxy, then all outgoing traffic to port 443 will be proxied at the TCP level through a HTTP CONNECT. Signed-off-by: David Scott <[email protected]>
Signed-off-by: David Scott <[email protected]>
These tests appear to block on appveyor. As a general rule we don't re-run the unit tests of all our dependencies here, but we make a special exception for tcpip which we have heavily modified. This patch installs and runs the tests for tcpip first, before installing (without tests) all the other dependencies. Signed-off-by: David Scott <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
If the key
slirp/http-interceptis provided thenHTTP CONNECTThis has the advantage that the client doesn't need to know it's being proxied or the address of the proxy, so that if the client moves on the network everything continues to work.
Note that normally a client knows that it is talking to a proxy and sends slightly different requests: in particular it will use an absolute URI for the resource (e.g.
GET http://dave.recoil.org/rather thanGET /) and it will expect the proxy to behave like a proxy. Since we are trying to pretend we don't exist we try to be as transparent as possible and only change the resource URI.This PR works for simple cases such as
apk updateand plaincurl/wget. Test cases are provided which compare the proxied request to the original.This PR currently doesn't handle exclusions: we need to decide on the expressivity (e.g. wildcards and CIDRs)
Related to #20