Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for http connect proxying to tls connections. Fixes #54 #55

Merged
merged 1 commit into from
Aug 23, 2023
Merged

Add support for http connect proxying to tls connections. Fixes #54 #55

merged 1 commit into from
Aug 23, 2023

Conversation

plorenz
Copy link
Member

@plorenz plorenz commented Aug 15, 2023

No description provided.

@plorenz plorenz requested a review from a team as a code owner August 15, 2023 21:45
@plorenz plorenz force-pushed the tls-over-http-connect-proxy branch from 4755c28 to 85f3ca2 Compare August 16, 2023 21:41
@plorenz plorenz force-pushed the tls-over-http-connect-proxy branch from 85f3ca2 to 81f734f Compare August 17, 2023 15:57
andrewpmartinez
andrewpmartinez reviewed Aug 22, 2023
View reviewed changes
proxies/http_connect.go
}

func (self *HttpConnectProxyDialer) Dial(network, addr string) (net.Conn, error) {
c, err := net.Dial(network, self.address)
Copy link
Member

@andrewpmartinez andrewpmartinez Aug 22, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This assumes the proxy server is not TLS, correct? I believe that if the HTTP proxy is using TLS this will fail to connect properly.

It looks like the net.Conn from here is expected to be used in .Connect(), which sends credentials. If HTTP is only supported, those creds are sent in the clear.

Copy link
Member

@andrewpmartinez andrewpmartinez Aug 22, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One way to handle TLS vs non-TLS HTTP proxies is to require the protocol prefix on the address and inspect it:

https://proxyhost vs http://proxyhost and then do the right thing. However I don't know how well that pattern meshes with the transport codebase.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this is just to get the bare minimum working. If/when we get more feature requests we can look at how to expand this out

andrewpmartinez
andrewpmartinez approved these changes Aug 22, 2023
View reviewed changes
Copy link
Member

@andrewpmartinez andrewpmartinez left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good only if we are not expecting to support (TLS) HTTPS proxies. I assume we are looking to support enterprise networks that aren't locking down an internal HTTP proxy.

@plorenz plorenz merged commit 66cba72 into main Aug 23, 2023
26 checks passed
@plorenz plorenz deleted the tls-over-http-connect-proxy branch August 23, 2023 00:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewpmartinez andrewpmartinez andrewpmartinez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@plorenz @andrewpmartinez