net/http, x/net/http/httpproxy: http_proxy is being used for https requests #40909
Comments
Change https://golang.org/cl/249440 mentions this issue:
That CL's code seems fine, @fraenkel, but it's a behavior change away from the documented behavior (and changes the documented behavior), so the decision on whether to do this should be made intentionally. I'm pretty sure the old behavior (of HTTP_PROXY also applying to "https" scheme URLs when HTTPS_PROXY was not present) was intentional but I don't have the time to go digging through git history to figure out whose behavior we were copying at the time, but I thought we were. /cc @rsc who might also remember and should decide who makes this decision.
One can tunnel any protocol through an HTTP proxy: https://wiki.squid-cache.org/Features/HTTPS#CONNECT_tunnel
While CONNECT is the mechanism used, this is about the environment variables. all_proxy was meant to be the catch all but that is not implemented.
@neild, this should probably go in now-ish with release notes for Go 1.16 so we can see if anybody is surprised during the rcs/betas.
Googling for Tentatively SGTM.
Protocol specific proxies must match based on scheme. If the https proxy is not configured, and the proxy for a https URL is requested, no proxy should be returned. Updates golang/go#40909 Change-Id: I62dfcf95d819c634e8f2862e891877a4eb55fca7 Reviewed-on: https://go-review.googlesource.com/c/net/+/249440 Trust: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
@taylanisikdemir This change is documented in the Go 1.16 release notes, see the 5th paragraph at https://golang.org/doc/go1.16#net/http.
TCPProxyFromEnvironment wraps http.ProxyFromEnvironment, to preserve the pre-go1.16 behavior for URLs using the 'tcp://' scheme. Prior to go1.16, `https://` schemes would use HTTPS_PROXY, and any other scheme would use HTTP_PROXY. However, golang/net@7b1cca2 (per a request in golang/go#40909) changed this behavior to only use HTTP_PROXY for `http://` schemes, no longer using a proxy for any other scheme. Docker uses the `tcp://` scheme as a default for API connections, to indicate that the API is not "purely" HTTP. Various parts in the code also *require* this scheme to be used. While we could change the default and allow http(s) schemes to be used, doing so will take time, taking into account that there are many installs in existence that have tcp:// configured as DOCKER_HOST. This function detects if the `tcp://` scheme is used; if it is, it creates a shallow copy of req, containing just the URL, and overrides the scheme with 'http', which should be sufficient to perform proxy detection. For other (non-'tcp://') schemes, http.ProxyFromEnvironment is called without altering the request. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
TCPProxyFromEnvironment wraps http.ProxyFromEnvironment, to preserve the pre-go1.16 behavior for URLs using the 'tcp://' scheme. For other schemes, golang's standard behavior is preserved (and depends on the Go version used). Prior to go1.16, `https://` schemes would use HTTPS_PROXY, and any other scheme would use HTTP_PROXY. However, golang/net@7b1cca2 (per a request in golang/go#40909) changed this behavior to only use HTTP_PROXY for `http://` schemes, no longer using a proxy for any other scheme. Docker uses the `tcp://` scheme as a default for API connections, to indicate that the API is not "purely" HTTP. Various parts in the code also *require* this scheme to be used. While we could change the default and allow http(s) schemes to be used, doing so will take time, taking into account that there are many installs in existence that have tcp:// configured as DOCKER_HOST. This function detects if the `tcp://` scheme is used; if it is, it creates a shallow copy of req, containing just the URL, and overrides the scheme with 'http', which should be sufficient to perform proxy detection. For other (non-'tcp://') schemes, http.ProxyFromEnvironment is called without altering the request. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change https://go.dev/cl/428775 mentions this issue:
Change https://go.dev/cl/428795 mentions this issue:
For #40909 Fixes #54890 Change-Id: I00218bc1606eedb6194a3a7b81fd4d3f75325280 Reviewed-on: https://go-review.googlesource.com/c/go/+/428775 Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Michael Knyszek <mknyszek@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Damien Neil <dneil@google.com>
For golang/go#40909 For golang/go#54890 Change-Id: I1de1803f8fd00f54290404a8760d9f704ff766c3 Reviewed-on: https://go-review.googlesource.com/c/net/+/428795 Auto-Submit: Damien Neil <dneil@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com>
golang.org/x/net/http/httpproxy changed its behavior regarding the HTTP_PROXY and HTTPS_PROXY env vars. It was to fix this issue: golang/go#40909 and this is the change: https://go-review.googlesource.com/c/net/+/249440 After this change the HTTP_PROXY env var will be ignored for HTTPS requests, you have to also set HTTPS_PROXY in order for HTTPS requests from the agent to be proxied. This means that if there are customers setting HTTP_PROXY but not HTTPS_PROXY, their requests will no longer be proxied. Pin to an older version of the httpproxy package to avoid this behavior change. Copying the file in-repo so that we can upgrade the rest of golang.org/x/net without issue, and also so that any potential future uses of x/net/http/httpproxy do not collide with maintaining this previous desired behavior.
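Added example, not taken from this thread or from the Go or Docker sources: a simplified model of the two selection rules discussed above and of the `tcp://` rewrite described for TCPProxyFromEnvironment, used to list which URLs stop going through the proxy after the change. `proxyEnv` and all function names are hypothetical, NO_PROXY handling is left out, and the hosts are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
)

// proxyEnv is a constructed stand-in for the HTTP_PROXY and HTTPS_PROXY values.
type proxyEnv struct{ HTTPProxy, HTTPSProxy string }

// legacySelect models the pre-1.16 rule: HTTP_PROXY is the fallback for every scheme.
func legacySelect(env proxyEnv, u *url.URL) string {
	if u.Scheme == "https" && env.HTTPSProxy != "" {
		return env.HTTPSProxy
	}
	return env.HTTPProxy
}

// strictSelect models the 1.16 rule: the variable must match the scheme, else direct ("").
func strictSelect(env proxyEnv, u *url.URL) string {
	return map[string]string{"http": env.HTTPProxy, "https": env.HTTPSProxy}[u.Scheme]
}

// tcpCompatSelect rewrites tcp:// to http:// on a shallow copy, then applies the strict rule.
func tcpCompatSelect(env proxyEnv, u *url.URL) string {
	if u.Scheme == "tcp" {
		clone := *u // the caller's URL stays untouched
		clone.Scheme = "http"
		u = &clone
	}
	return strictSelect(env, u)
}

// bypassesAfterUpgrade lists URLs proxied under the legacy rule but sent direct under the strict one.
func bypassesAfterUpgrade(env proxyEnv, rawURLs []string) ([]string, error) {
	var direct []string
	for _, raw := range rawURLs {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", raw, err)
		}
		if legacySelect(env, u) != "" && strictSelect(env, u) == "" {
			direct = append(direct, raw)
		}
	}
	return direct, nil
}

func main() {
	env := proxyEnv{HTTPProxy: "http://proxy.example:3128"} // constructed sample
	urls := []string{"http://a.example/", "https://b.example/", "tcp://docker.example:2375"}
	fmt.Println(bypassesAfterUpgrade(env, urls))
}
```

Running the same list against a deployment's real endpoints shows which outbound connections would leave the proxy path when only HTTP_PROXY is set.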
Go handles `http_proxy`/`https_proxy`/`no_proxy` in non-standard way. According to source comment `http_proxy` is used even for https urls. This is counterintuitive and not-working if it is not overridden.

My usecase is that I've local squid running with `http_proxy` exported. Nevertheless, squid is configured to handle also https but it is not propagated because it is using untrusted self-signed certificate. Go tries to connect to https via the proxy and fails with the reasonable `certificate signed by unknown authority` message. But at first place it shouldn't have used that proxy at all.

Code failing on this is referenced here