Ignore HTTP_PROXY for reverse tunnels (#11990) (#12035)

This change disables the HTTP_PROXY support for reverse tunnel connections, as introduced in #10209. This is for backwards compatibility. Co-authored-by: Roman Tkachenko <[email protected]>
gravitational · Apr 22, 2022 · 464d1ea · 464d1ea
1 parent fccc509
commit 464d1ea
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 4 deletions.
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -58,6 +58,8 @@ type Config struct {
 	// ExtraHeaders is a map of extra HTTP headers to be included in
 	// requests.
 	ExtraHeaders map[string]string
+	// IgnoreHTTPProxy disables support for HTTP proxying when true.
+	IgnoreHTTPProxy bool
 }
 
 // CheckAndSetDefaults checks and sets defaults
@@ -83,9 +85,11 @@ func newWebClient(cfg *Config) (*http.Client, error) {
 			InsecureSkipVerify: cfg.Insecure,
 			RootCAs:            cfg.Pool,
 		},
-		Proxy: func(req *http.Request) (*url.URL, error) {
+	}
+	if !cfg.IgnoreHTTPProxy {
+		transport.Proxy = func(req *http.Request) (*url.URL, error) {
 			return httpproxy.FromEnvironment().ProxyFunc()(req.URL)
-		},
+		}
 	}
 	return &http.Client{
 		Transport: proxy.NewHTTPFallbackRoundTripper(&transport, cfg.Insecure),

diff --git a/api/client/webclient/webclient_test.go b/api/client/webclient/webclient_test.go
@@ -323,3 +323,19 @@ func TestNewWebClientNoProxy(t *testing.T) {
 	require.Contains(t, err.Error(), "lookup fakedomain.example.com")
 	require.Contains(t, err.Error(), "no such host")
 }
+
+func TestNewWebClientIgnoreProxy(t *testing.T) {
+	t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
+	client, err := newWebClient(&Config{
+		Context:         context.Background(),
+		ProxyAddr:       "localhost:3080",
+		IgnoreHTTPProxy: true,
+	})
+	require.NoError(t, err)
+	//nolint:bodyclose
+	resp, err := client.Get("https://fakedomain.example.com")
+	require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
+	require.NotContains(t, err.Error(), "proxyconnect")
+	require.Contains(t, err.Error(), "lookup fakedomain.example.com")
+	require.Contains(t, err.Error(), "no such host")
+}
diff --git a/lib/reversetunnel/agent.go b/lib/reversetunnel/agent.go
@@ -265,7 +265,7 @@ func (a *Agent) getHostCheckers() ([]ssh.PublicKey, error) {
 func (a *Agent) getReverseTunnelDetails() *reverseTunnelDetails {
 	pd := reverseTunnelDetails{TLSRoutingEnabled: false}
 	resp, err := webclient.Find(
-		&webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode()})
+		&webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode(), IgnoreHTTPProxy: true})
 
 	if err != nil {
 		// If TLS Routing is disabled the address is the proxy reverse tunnel

diff --git a/lib/reversetunnel/transport.go b/lib/reversetunnel/transport.go
@@ -93,7 +93,7 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Co
 
 	// Check if t.ProxyAddr is ProxyWebPort and remote Proxy supports TLS ALPNSNIListener.
 	resp, err := webclient.Find(
-		&webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify})
+		&webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify, IgnoreHTTPProxy: true})
 	if err != nil {
 		// If TLS Routing is disabled the address is the proxy reverse tunnel
 		// address thus the ping call will always fail.