-
Notifications
You must be signed in to change notification settings - Fork 177
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support proxying client requests through direct and tunneling HTTP/HTTPS proxies #1080
base: master
Are you sure you want to change the base?
Conversation
0add310
to
ba4a191
Compare
I don't think you should modify the |
We're only adding a boolean, |
Whether it's just a boolean or not is besides the point. You're changing the semantics of comparison, pretty printing, etc for a large group of users who aren't gaining anything from this feature. Some alternatives you could try:
EDIT: after glancing at the spec, seems like 1. is the way to go. the |
I did not follow this option, because the |
Good point, doesn't that mean we can get rid of scheme from the request as well? @anuragsoni why did we add scheme? |
From what I remember we kept it around mostly to maintain compatibility with the existing release of cohttp. |
@MisterDA do you want to take the honors of getting rid of it? |
let* ans = Cohttp_lwt_unix.Client.get ?headers uri in | ||
follow_redirect ~max_redirects ?headers uri ans | ||
|
||
and follow_redirect ~max_redirects ?headers request_uri (response, body) = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doesn't need to be done for this PR but that would be nice to have a similar function in the client API (so that every user do not have to re-implement an half-broken version of it)
It doesn't seem possible to remove the ocaml-cohttp/cohttp/test/test_request.ml Lines 251 to 255 in 53fbf39
we might want to remove this feature altogether. This mostly impacts logging and testing, but also the |
ba4a191
to
02a78e3
Compare
Indeed it's not worth it. I got rid of it here #1086 |
02a78e3
to
bc8f3a4
Compare
bc8f3a4
to
473456b
Compare
5fbbee0
to
40af14b
Compare
Hey wondering if there was any work left here besides the merge conflicts? |
LGTM - happy to merge this once rebased |
40af14b
to
e272348
Compare
I was waiting to do another round of review after this PR went past the "draft" stage |
@rgrinberg - ha ok! feel free to dismiss my comment and make a proper round of review then :-) I'm still interested in moving the helper functions to manage redirects into the lib, but I am not sure where exactly. |
c35d0c5
to
c877c41
Compare
@samoht I think @rgrinberg is waiting for this PR to no longer a draft. Is there anything I can help do to get this out of the draft stage? |
> When making a request to a proxy, other than a CONNECT or > server-wide OPTIONS request (as detailed below), a client MUST send > the target URI in "absolute-form" as the request-target. https://www.rfc-editor.org/rfc/rfc9112#name-absolute-form See https://www.rfc-editor.org/rfc/rfc3986#appendix-A for the ABNF of absolute-URI. Signed-off-by: Antonin Décimo <[email protected]>
Signed-off-by: Antonin Décimo <[email protected]>
Signed-off-by: Antonin Décimo <[email protected]>
Signed-off-by: Antonin Décimo <[email protected]>
To ensure end-to-end security it's possible to use a tunneling proxy. The proxy in the middle blindly forwards data. This is needed if the remote server is available via HTTPS. First, a CONNECT request is made to the proxy with the remote server as target. If it succeeds, a new connection can be made to the remote server, tunneled via the connection made to the proxy. See also RFC 9110 § 9.3.6. CONNECT. https://www.rfc-editor.org/rfc/rfc9110#name-connect We consider that it's a sane default to always tunnel connections to HTTPS remote server. We provide the Connection_proxy module that automatically opens connections to a direct proxy or a tunneling proxy, based on the remote sheme used. We show how to respect curl's [scheme]_proxy, ALL_PROXY, and NO_PROXY environment variables. https://curl.se/libcurl/c/libcurl-env.html Signed-off-by: Antonin Décimo <[email protected]>
Signed-off-by: Antonin Décimo <[email protected]>
811f790
to
f0ff485
Compare
Appreciate all the effort put into this. These changes are really valuable to us as well. So, I just wanted to check in on the status. Thanks again! |
@MisterDA @art-w - do you think you could fix the CI errors? I'm happy to merge and release it now that @rgrinberg has approved it. |
The CI errors will be fixed when core_unix 0.18 is released. |
This PR implements a new
Cohttp_lwt_unix.Connection_proxy
module satisfyingCohttp_lwt.S.Connection_cache
, allowing client HTTP/HTTPS requests to be routed through proxies.I recommend a quick glance at Everything curl - 9.8 Proxies for a nice introduction to proxies. As curl is well established, I try following the same terminology and support similar features.
HTTP proxy
If the remote server is reachable through HTTP, then the client should send HTTP requests where targets are in absolute form (see RFC 9112).
The first step is to thread an
~absolute_form
parameter when building requests. This way, theCohttp_lwt_unix.Connection_cache
module can simply be extended with an optional?proxy
parameter, taking the URI of the proxy. If a proxy is specified, all requests will be send in the absolute form, and instead of connecting to the remote server, the client will transparently connect to the proxy. Conduit handles the connection to an HTTPS proxy automatically.HTTPS with HTTP proxy
If the remote server uses HTTPS, then a tunneling proxy needs to be used. The CONNECT HTTP requests asks the proxy to open a connection to the remote server. If it succeeds, the proxy then blindly forwards data between the client and the remote server. Conduit needs to be modified to handle an HTTPS connection (more specifically, a TLS handshake and encryption layer) on top of an already opened connection. If the proxy itself is reachable through HTTPS, conduit needs to be able to tunnel a TLS connection on top of another TLS connection.
To handle tunneled client connections, we provide the (private)
Cohttp_lwt.Connection_tunnel
, which takes the proxy URI when created. It then maintains a cache of opened connections via the proxy to each remote server, and is able to distribute new requests amongst currently opened connections (the code is mostly copied fromCohttp_lwt.Connection_cache
balancing).We expose the
Cohttp_lwt.Connection_proxy
viaCohttp_lwt_unix.Connection_proxy
which, based on the remote URI, selects either a direct (absolute-form queries) or tunneled connection.MITM proxy
This can be achieved by installing a new certificate system-wide, or passing it to the ca-certs library via external means (environment variable, parameter at startup, ...). See Facilitate the use of extra CA certificates ca-certs#30.
Proxy environment variables
We show how to support
ALL_PROXY
,NO_PROXY
, and<scheme>_proxy
(such ashttp_proxy
,https_proxy
), as documented by the curl project.This PR relies on tunneling the TLS-on-TLS feature being added to ocaml-tls and Conduit. We've added some opam pin-depends to allow it to build with the latest dependencies.