New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/net/http/httpproxy: document proxy authentication support #61505
Comments
Moving out of proposals because there's nothing to change. |
Thanks @seankhliao for your review of this issue, and analysis that implementation already exists.
I have looked for existing test coverage of the user info in the proxy url as a substitute for explicit documentation, but did not to find it so far, in http proxy related tests below go/src/net/http/transport_test.go Lines 3111 to 3186 in 7141d1e
The following lines seem to collectively implement client proxy authen from user info in proxy env vars, but they are not convenient to be used as a documentation Lines 859 to 869 in 7141d1e
Lines 1665 to 1668 in 7141d1e
In order to make it easier for the community of tools implicitly relying on |
Change https://go.dev/cl/512555 mentions this issue: |
Many tools built with golang rely on the environment variables documented in https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config to let their users specify the http proxy to use (e.g. HTTPS_PROXY and NO_PROXY), and don't offer other configuration mechanism to configure http proxies used by outgoing http requests they make.
Besides, many CLIs such as curl have adopted the convention of extracting proxy authentication basic auth username and password from the http proxy url such as HTTPS_PROXY=https://user:pwd@fqdn , see https://curl.se/docs/manpage.html#-x
Currently, the x/net/http/httpproxy#Config does not document the explicit support for username and password that would translate in http request made to comply with http proxy client authentication specified in https://datatracker.ietf.org/doc/html/rfc9110#section-11.7
This proposal suggests to document and implement as required such client proxy authentication support in proxy environment variables so that the golang binaries ecosystem relying on environment variables can leverage proxy authentication.
Note that the Deprecation of userinfo in http(s) URIs in RFC9110 (as I understand it), does not preclude using user info in URIs for configuration such as environment variables, but rather aims at preventing propagating Uris with user info from untrusted sources (e.g. in emails messages in the context of phishing attacks).
The text was updated successfully, but these errors were encountered: