Support proxying client requests through direct and tunneling HTTP/HTTPS proxies #1080
Conversation
art-w
force-pushed
the
connection-cache-proxy
branch
5 times, most recently
from
0add310
to
ba4a191
Compare
|
I don't think you should modify the |
We're only adding a boolean, |
|
Whether it's just a boolean or not is besides the point. You're changing the semantics of comparison, pretty printing, etc for a large group of users who aren't gaining anything from this feature. Some alternatives you could try:
EDIT: after glancing at the spec, seems like 1. is the way to go. the |
I did not follow this option, because the |
|
Good point, doesn't that mean we can get rid of scheme from the request as well? @anuragsoni why did we add scheme? |
From what I remember we kept it around mostly to maintain compatibility with the existing release of cohttp. |
|
@MisterDA do you want to take the honors of getting rid of it? |
| let* ans = Cohttp_lwt_unix.Client.get ?headers uri in | ||
| follow_redirect ~max_redirects ?headers uri ans | ||
|
|
||
| and follow_redirect ~max_redirects ?headers request_uri (response, body) = |
There was a problem hiding this comment.
doesn't need to be done for this PR but that would be nice to have a similar function in the client API (so that every user do not have to re-implement an half-broken version of it)
It doesn't seem possible to remove the ocaml-cohttp/cohttp/test/test_request.ml Lines 251 to 255 in 53fbf39 we might want to remove this feature altogether. This mostly impacts logging and testing, but also the |
art-w
force-pushed
the
connection-cache-proxy
branch
from
ba4a191
to
02a78e3
Compare
|
Indeed it's not worth it. I got rid of it here #1086 |
> When making a request to a proxy, other than a CONNECT or > server-wide OPTIONS request (as detailed below), a client MUST send > the target URI in "absolute-form" as the request-target. https://www.rfc-editor.org/rfc/rfc9112#name-absolute-form See https://www.rfc-editor.org/rfc/rfc3986#appendix-A for the ABNF of absolute-URI. Signed-off-by: Antonin Décimo <antonin@tarides.com>
Signed-off-by: Antonin Décimo <antonin@tarides.com>
Signed-off-by: Antonin Décimo <antonin@tarides.com>
Signed-off-by: Antonin Décimo <antonin@tarides.com>
To ensure end-to-end security it's possible to use a tunneling proxy. The proxy in the middle blindly forwards data. This is needed if the remote server is available via HTTPS. First, a CONNECT request is made to the proxy with the remote server as target. If it succeeds, a new connection can be made to the remote server, tunneled via the connection made to the proxy. See also RFC 9110 § 9.3.6. CONNECT. https://www.rfc-editor.org/rfc/rfc9110#name-connect We consider that it's a sane default to always tunnel connections to HTTPS remote server. We provide the Connection_proxy module that automatically opens connections to a direct proxy or a tunneling proxy, based on the remote sheme used. We show how to respect curl's [scheme]_proxy, ALL_PROXY, and NO_PROXY environment variables. https://curl.se/libcurl/c/libcurl-env.html Signed-off-by: Antonin Décimo <antonin@tarides.com>
Signed-off-by: Antonin Décimo <antonin@tarides.com>
MisterDA
force-pushed
the
connection-cache-proxy
branch
from
02a78e3
to
bc8f3a4
Compare
| ]) | ||
| `GET "http://example.com/foo.html" | ||
| in | ||
| assert_req_success ~here:[ [%here] ] ~expected_req ~expected_consumed:104 buf |
There was a problem hiding this comment.
Could this test come in a separate PR? AFAIK, nothing in this PR was added to make this pass.
This PR implements a new
Cohttp_lwt_unix.Connection_proxymodule satisfyingCohttp_lwt.S.Connection_cache, allowing client HTTP/HTTPS requests to be routed through proxies.I recommend a quick glance at Everything curl - 9.8 Proxies for a nice introduction to proxies. As curl is well established, I try following the same terminology and support similar features.
HTTP proxy
If the remote server is reachable through HTTP, then the client should send HTTP requests where targets are in absolute form (see RFC 9112).
The first step is to thread an
~absolute_formparameter when building requests. This way, theCohttp_lwt_unix.Connection_cachemodule can simply be extended with an optional?proxyparameter, taking the URI of the proxy. If a proxy is specified, all requests will be send in the absolute form, and instead of connecting to the remote server, the client will transparently connect to the proxy. Conduit handles the connection to an HTTPS proxy automatically.HTTPS with HTTP proxy
If the remote server uses HTTPS, then a tunneling proxy needs to be used. The CONNECT HTTP requests asks the proxy to open a connection to the remote server. If it succeeds, the proxy then blindly forwards data between the client and the remote server. Conduit needs to be modified to handle an HTTPS connection (more specifically, a TLS handshake and encryption layer) on top of an already opened connection. If the proxy itself is reachable through HTTPS, conduit needs to be able to tunnel a TLS connection on top of another TLS connection.
To handle tunneled client connections, we provide the (private)
Cohttp_lwt.Connection_tunnel, which takes the proxy URI when created. It then maintains a cache of opened connections via the proxy to each remote server, and is able to distribute new requests amongst currently opened connections (the code is mostly copied fromCohttp_lwt.Connection_cachebalancing).We expose the
Cohttp_lwt.Connection_proxyviaCohttp_lwt_unix.Connection_proxywhich, based on the remote URI, selects either a direct (absolute-form queries) or tunneled connection.MITM proxy
This can be achieved by installing a new certificate system-wide, or passing it to the ca-certs library via external means (environment variable, parameter at startup, ...). See Facilitate the use of extra CA certificates ca-certs#30.
Proxy environment variables
We show how to support
ALL_PROXY,NO_PROXY, and<scheme>_proxy(such ashttp_proxy,https_proxy), as documented by the curl project.This PR relies on tunneling the TLS-on-TLS feature being added to ocaml-tls and Conduit. We've added some opam pin-depends to allow it to build with the latest dependencies.