tailscale/net/tshttpproxy/tshttpproxy.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

// Package tshttpproxy contains Tailscale additions to httpproxy not available
// in golang.org/x/net/http/httpproxy. Notably, it aims to support Windows better.
package tshttpproxy

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
	"runtime"
	"strings"
	"sync"
	"time"

	"golang.org/x/net/http/httpproxy"
	"tailscale.com/util/mak"
)

// InvalidateCache invalidates the package-level cache for ProxyFromEnvironment.
//
// It's intended to be called on network link/routing table changes.
func InvalidateCache() {
	mu.Lock()
	defer mu.Unlock()
	noProxyUntil = time.Time{}
}

var (
	mu           sync.Mutex
	noProxyUntil time.Time         // if non-zero, time at which ProxyFromEnvironment should check again
	config       *httpproxy.Config // used to create proxyFunc
	proxyFunc    func(*url.URL) (*url.URL, error)
)

func getProxyFunc() func(*url.URL) (*url.URL, error) {
	// Create config/proxyFunc if it's not created
	mu.Lock()
	defer mu.Unlock()
	if config == nil {
		config = httpproxy.FromEnvironment()
	}
	if proxyFunc == nil {
		proxyFunc = config.ProxyFunc()
	}
	return proxyFunc
}

// setNoProxyUntil stops calls to sysProxyEnv (if any) for the provided duration.
func setNoProxyUntil(d time.Duration) {
	mu.Lock()
	defer mu.Unlock()
	noProxyUntil = time.Now().Add(d)
}

var _ = setNoProxyUntil // quiet staticcheck; Windows uses the above, more might later

// SetSelfProxy configures this package to avoid proxying through any of the
// provided addresses–e.g. if they refer to proxies being run by this process.
func SetSelfProxy(addrs ...string) {
	mu.Lock()
	defer mu.Unlock()

	// Ensure we have a valid config
	if config == nil {
		config = httpproxy.FromEnvironment()
	}

	normalizeHostPort := func(s string) string {
		host, portStr, err := net.SplitHostPort(s)
		if err != nil {
			return s
		}

		// Normalize the localhost IP into "localhost", to avoid IPv4/IPv6 confusion.
		if host == "127.0.0.1" || host == "::1" {
			return "localhost:" + portStr
		}

		// On Linux, all 127.0.0.1/8 IPs are also localhost.
		if runtime.GOOS == "linux" && strings.HasPrefix(host, "127.0.0.") {
			return "localhost:" + portStr
		}

		return s
	}

	normHTTP := normalizeHostPort(config.HTTPProxy)
	normHTTPS := normalizeHostPort(config.HTTPSProxy)

	// If any of our proxy variables point to one of the configured
	// addresses, ignore them.
	for _, addr := range addrs {
		normAddr := normalizeHostPort(addr)
		if normHTTP != "" && normHTTP == normAddr {
			log.Printf("tshttpproxy: skipping HTTP_PROXY pointing to self: %q", addr)
			config.HTTPProxy = ""
			normHTTP = ""
		}
		if normHTTPS != "" && normHTTPS == normAddr {
			log.Printf("tshttpproxy: skipping HTTPS_PROXY pointing to self: %q", addr)
			config.HTTPSProxy = ""
			normHTTPS = ""
		}
	}

	// Invalidate to cause it to get re-created
	proxyFunc = nil
}

// sysProxyFromEnv, if non-nil, specifies a platform-specific ProxyFromEnvironment
// func to use if http.ProxyFromEnvironment doesn't return a proxy.
// For example, WPAD PAC files on Windows.
var sysProxyFromEnv func(*http.Request) (*url.URL, error)

// These variables track whether we've printed a log message for a given proxy
// URL; we only print them once to avoid log spam.
var (
	logMessageMu      sync.Mutex
	logMessagePrinted map[string]bool
)

// ProxyFromEnvironment is like the standard library's http.ProxyFromEnvironment
// but additionally does OS-specific proxy lookups if the environment variables
// alone don't specify a proxy.
func ProxyFromEnvironment(req *http.Request) (ret *url.URL, _ error) {
	defer func() {
		if ret == nil {
			return
		}

		ss := ret.String()

		logMessageMu.Lock()
		defer logMessageMu.Unlock()
		if logMessagePrinted[ss] {
			return
		}
		log.Printf("tshttpproxy: using proxy %q for URL: %q", ss, req.URL.String())
		mak.Set(&logMessagePrinted, ss, true)
	}()

	localProxyFunc := getProxyFunc()
	u, err := localProxyFunc(req.URL)
	if u != nil && err == nil {
		return u, nil
	}

	mu.Lock()
	noProxyTime := noProxyUntil
	mu.Unlock()
	if time.Now().Before(noProxyTime) {
		return nil, nil
	}

	if sysProxyFromEnv != nil {
		u, err := sysProxyFromEnv(req)
		if u != nil && err == nil {
			return u, nil
		}
	}

	return nil, err
}

var sysAuthHeader func(*url.URL) (string, error)

// GetAuthHeader returns the Authorization header value to send to proxy u.
func GetAuthHeader(u *url.URL) (string, error) {
	if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
		return fake, nil
	}
	if user := u.User.Username(); user != "" {
		pass, ok := u.User.Password()
		if !ok {
			return "", nil
		}

		req := &http.Request{Header: make(http.Header)}
		req.SetBasicAuth(user, pass)
		return req.Header.Get("Authorization"), nil
	}
	if sysAuthHeader != nil {
		return sysAuthHeader(u)
	}
	return "", nil
}

const proxyAuthHeader = "Proxy-Authorization"

// SetTransportGetProxyConnectHeader sets the provided Transport's
// GetProxyConnectHeader field, and adds logging of the received response.
func SetTransportGetProxyConnectHeader(tr *http.Transport) {
	tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
		v, err := GetAuthHeader(proxyURL)
		if err != nil {
			log.Printf("failed to get proxy Auth header for %v; ignoring: %v", proxyURL, err)
			return nil, nil
		}
		if v == "" {
			return nil, nil
		}
		return http.Header{proxyAuthHeader: []string{v}}, nil
	}
	tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
		auth := connectReq.Header.Get(proxyAuthHeader)
		const truncLen = 20
		if len(auth) > truncLen {
			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
		}
		log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
		return nil
	}
}
-												all: update copyright and license headers

This updates all source files to use a new standard header for copyright
and license declaration.  Notably, copyright no longer includes a date,
and we now use the standard SPDX-License-Identifier header.

This commit was done almost entirely mechanically with perl, and then
some minimal manual fixes.

Updates #6865

Signed-off-by: Will Norris <will@tailscale.com>

											
										
										
											1 year ago
+								// Copyright (c) Tailscale Inc & AUTHORS
 								// SPDX-License-Identifier: BSD-3-Clause
-												net/tshttpproxy: new package, support WPAD/PAC proxies on Windows

Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											4 years ago
 								// Package tshttpproxy contains Tailscale additions to httpproxy not available
 								// in golang.org/x/net/http/httpproxy. Notably, it aims to support Windows better.
 								package tshttpproxy
 								import (
-												net/tshttpproxy: more directly use Transport proxy CONNECT hooks

GetProxyConnectHeader (golang/go#41048) was upstreamed in Go 1.16 and
OnProxyConnectResponse (golang/go#54299) in Go 1.20, thus we no longer
need to guard their use by the tailscale_go build tag.

Updates #7123

Signed-off-by: Mihai Parparita <mihai@tailscale.com>

											
										
										
											1 year ago
+									"context"
 									"fmt"
 									"log"
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+									"net"
-												net/tshttpproxy: new package, support WPAD/PAC proxies on Windows

Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											4 years ago
+									"net/http"
 									"net/url"
-												net/tshttpproxy: move the TS_DEBUG_FAKE_PROXY_AUTH knob up a level

											
										
										
											4 years ago
+									"os"
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+									"runtime"
 									"strings"
-												net/tshttpproxy: add GetProxyForURL negative cache

Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.

											
										
										
											4 years ago
+									"sync"
 									"time"
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
 									"golang.org/x/net/http/httpproxy"
-												net/tshttpproxy: log when we're using a proxy

Updates #11196

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088

											
										
										
											4 months ago
+									"tailscale.com/util/mak"
-												net/tshttpproxy: new package, support WPAD/PAC proxies on Windows

Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											4 years ago
+								)
-												net/tshttpproxy: add GetProxyForURL negative cache

Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.

											
										
										
											4 years ago
+								// InvalidateCache invalidates the package-level cache for ProxyFromEnvironment.
 								//
 								// It's intended to be called on network link/routing table changes.
 								func InvalidateCache() {
 									mu.Lock()
 									defer mu.Unlock()
 									noProxyUntil = time.Time{}
 								}
 								var (
 									mu           sync.Mutex
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+									noProxyUntil time.Time         // if non-zero, time at which ProxyFromEnvironment should check again
 									config       *httpproxy.Config // used to create proxyFunc
 									proxyFunc    func(*url.URL) (*url.URL, error)
-												net/tshttpproxy: add GetProxyForURL negative cache

Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.

											
										
										
											4 years ago
+								)
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+								func getProxyFunc() func(*url.URL) (*url.URL, error) {
 									// Create config/proxyFunc if it's not created
 									mu.Lock()
 									defer mu.Unlock()
 									if config == nil {
 										config = httpproxy.FromEnvironment()
 									}
 									if proxyFunc == nil {
 										proxyFunc = config.ProxyFunc()
 									}
 									return proxyFunc
 								}
-												net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail

There was a mechanism in tshttpproxy to note that a Windows proxy
lookup failed and to stop hitting it so often. But that turns out to
fire a lot (no PAC file configured at all results in a proxy lookup),
so after the first proxy lookup, we were enabling the "omg something's
wrong, stop looking up proxies" bit for awhile, which was then also
preventing the normal Go environment-based proxy lookups from working.

This at least fixes environment-based proxies.

Plenty of other Windows-specific proxy work remains (using
WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files,
ignoring certain types of errors, etc), but this should fix
the regression reported in #4811.

Updates #4811

Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											2 years ago
+								// setNoProxyUntil stops calls to sysProxyEnv (if any) for the provided duration.
-												net/tshttpproxy: add GetProxyForURL negative cache

Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.

											
										
										
											4 years ago
+								func setNoProxyUntil(d time.Duration) {
 									mu.Lock()
 									defer mu.Unlock()
 									noProxyUntil = time.Now().Add(d)
 								}
-												net/tshttpproxy: appease staticcheck

											
										
										
											4 years ago
+								var _ = setNoProxyUntil // quiet staticcheck; Windows uses the above, more might later
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+								// SetSelfProxy configures this package to avoid proxying through any of the
 								// provided addresses–e.g. if they refer to proxies being run by this process.
 								func SetSelfProxy(addrs ...string) {
 									mu.Lock()
 									defer mu.Unlock()
 									// Ensure we have a valid config
 									if config == nil {
 										config = httpproxy.FromEnvironment()
 									}
 									normalizeHostPort := func(s string) string {
 										host, portStr, err := net.SplitHostPort(s)
 										if err != nil {
 											return s
 										}
 										// Normalize the localhost IP into "localhost", to avoid IPv4/IPv6 confusion.
 										if host == "127.0.0.1" || host == "::1" {
 											return "localhost:" + portStr
 										}
 										// On Linux, all 127.0.0.1/8 IPs are also localhost.
 										if runtime.GOOS == "linux" && strings.HasPrefix(host, "127.0.0.") {
 											return "localhost:" + portStr
 										}
 										return s
 									}
 									normHTTP := normalizeHostPort(config.HTTPProxy)
 									normHTTPS := normalizeHostPort(config.HTTPSProxy)
 									// If any of our proxy variables point to one of the configured
 									// addresses, ignore them.
 									for _, addr := range addrs {
 										normAddr := normalizeHostPort(addr)
 										if normHTTP != "" && normHTTP == normAddr {
 											log.Printf("tshttpproxy: skipping HTTP_PROXY pointing to self: %q", addr)
 											config.HTTPProxy = ""
 											normHTTP = ""
 										}
 										if normHTTPS != "" && normHTTPS == normAddr {
 											log.Printf("tshttpproxy: skipping HTTPS_PROXY pointing to self: %q", addr)
 											config.HTTPSProxy = ""
 											normHTTPS = ""
 										}
 									}
 									// Invalidate to cause it to get re-created
 									proxyFunc = nil
 								}
-												net/tshttpproxy: new package, support WPAD/PAC proxies on Windows

Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											4 years ago
+								// sysProxyFromEnv, if non-nil, specifies a platform-specific ProxyFromEnvironment
 								// func to use if http.ProxyFromEnvironment doesn't return a proxy.
 								// For example, WPAD PAC files on Windows.
 								var sysProxyFromEnv func(*http.Request) (*url.URL, error)
-												net/tshttpproxy: log when we're using a proxy

Updates #11196

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088

											
										
										
											4 months ago
+								// These variables track whether we've printed a log message for a given proxy
 								// URL; we only print them once to avoid log spam.
 								var (
 									logMessageMu      sync.Mutex
 									logMessagePrinted map[string]bool
 								)
-												net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail

There was a mechanism in tshttpproxy to note that a Windows proxy
lookup failed and to stop hitting it so often. But that turns out to
fire a lot (no PAC file configured at all results in a proxy lookup),
so after the first proxy lookup, we were enabling the "omg something's
wrong, stop looking up proxies" bit for awhile, which was then also
preventing the normal Go environment-based proxy lookups from working.

This at least fixes environment-based proxies.

Plenty of other Windows-specific proxy work remains (using
WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files,
ignoring certain types of errors, etc), but this should fix
the regression reported in #4811.

Updates #4811

Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											2 years ago
+								// ProxyFromEnvironment is like the standard library's http.ProxyFromEnvironment
 								// but additionally does OS-specific proxy lookups if the environment variables
 								// alone don't specify a proxy.
-												net/tshttpproxy: log when we're using a proxy

Updates #11196

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: Id6334c10f52f4cfbda9f03dc8096ab7a6c54a088

											
										
										
											4 months ago
+								func ProxyFromEnvironment(req *http.Request) (ret *url.URL, _ error) {
 									defer func() {
 										if ret == nil {
 											return
 										}
 										ss := ret.String()
 										logMessageMu.Lock()
 										defer logMessageMu.Unlock()
 										if logMessagePrinted[ss] {
 											return
 										}
 										log.Printf("tshttpproxy: using proxy %q for URL: %q", ss, req.URL.String())
 										mak.Set(&logMessagePrinted, ss, true)
 									}()
-												net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to
drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment
variables.

Fixes #7407

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I6cd7cad7a609c639780484bad521c7514841764b

											
										
										
											1 year ago
+									localProxyFunc := getProxyFunc()
 									u, err := localProxyFunc(req.URL)
-												net/tshttpproxy: don't ignore env-based HTTP proxies after system lookups fail

There was a mechanism in tshttpproxy to note that a Windows proxy
lookup failed and to stop hitting it so often. But that turns out to
fire a lot (no PAC file configured at all results in a proxy lookup),
so after the first proxy lookup, we were enabling the "omg something's
wrong, stop looking up proxies" bit for awhile, which was then also
preventing the normal Go environment-based proxy lookups from working.

This at least fixes environment-based proxies.

Plenty of other Windows-specific proxy work remains (using
WinHttpGetIEProxyConfigForCurrentUser instead of just PAC files,
ignoring certain types of errors, etc), but this should fix
the regression reported in #4811.

Updates #4811

Change-Id: I665e1891897d58e290163bda5ca51a22a017c5f9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											2 years ago
+									if u != nil && err == nil {
 										return u, nil
 									}
-												net/tshttpproxy: add GetProxyForURL negative cache

Otherwise when PAC server is down, we log, and each log entry is a new
HTTP request (from logtail) and a new GetProxyForURL call, which again
logs, non-stop. This is also nicer to the WinHTTP service.

Then also hook up link change notifications to the cache to reset it
if there's a chance the network might work sooner.

											
										
										
											4 years ago
+									mu.Lock()
 									noProxyTime := noProxyUntil
 									mu.Unlock()
 									if time.Now().Before(noProxyTime) {
 										return nil, nil
 									}
-												net/tshttpproxy: new package, support WPAD/PAC proxies on Windows

Updates tailscale/corp#553

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											4 years ago
+									if sysProxyFromEnv != nil {
 										u, err := sysProxyFromEnv(req)
 										if u != nil && err == nil {
 											return u, nil
 										}
 									}
 									return nil, err
 								}
-												net/tshttpproxy: add start of Kerberos Negotiate auth to proxies on Windows

For now only used by a new cmd/tailscale debug --get-url
subcommand. Not yet wired up to the places making HTTP requests.

Updates tailscale/corp#583

											
										
										
											4 years ago
 								var sysAuthHeader func(*url.URL) (string, error)
 								// GetAuthHeader returns the Authorization header value to send to proxy u.
 								func GetAuthHeader(u *url.URL) (string, error) {
-												net/tshttpproxy: move the TS_DEBUG_FAKE_PROXY_AUTH knob up a level

											
										
										
											4 years ago
+									if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
 										return fake, nil
 									}
-												net/tshttpproxy: support basic auth when available (#1354)

This allows proxy URLs such as:

    http://azurediamond:hunter2@192.168.122.154:38274

to be used in order to dial out to control, logs or derp servers.

Signed-off-by: Christine Dodrill <xe@tailscale.com>
											
										
										
											3 years ago
+									if user := u.User.Username(); user != "" {
 										pass, ok := u.User.Password()
 										if !ok {
 											return "", nil
 										}
 										req := &http.Request{Header: make(http.Header)}
 										req.SetBasicAuth(user, pass)
 										return req.Header.Get("Authorization"), nil
 									}
-												net/tshttpproxy: support HTTP proxy environment credentials on Windows too

and some minor style nits.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

											
										
										
											3 years ago
+									if sysAuthHeader != nil {
 										return sysAuthHeader(u)
 									}
-												net/tshttpproxy: add start of Kerberos Negotiate auth to proxies on Windows

For now only used by a new cmd/tailscale debug --get-url
subcommand. Not yet wired up to the places making HTTP requests.

Updates tailscale/corp#583

											
										
										
											4 years ago
+									return "", nil
 								}
-												tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies

For Windows only, and only when built with Tailscale's Go tree.

Updates tailscale/corp#583

											
										
										
											4 years ago
-												net/tshttpproxy: more directly use Transport proxy CONNECT hooks

GetProxyConnectHeader (golang/go#41048) was upstreamed in Go 1.16 and
OnProxyConnectResponse (golang/go#54299) in Go 1.20, thus we no longer
need to guard their use by the tailscale_go build tag.

Updates #7123

Signed-off-by: Mihai Parparita <mihai@tailscale.com>

											
										
										
											1 year ago
+								const proxyAuthHeader = "Proxy-Authorization"
-												tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies

For Windows only, and only when built with Tailscale's Go tree.

Updates tailscale/corp#583

											
										
										
											4 years ago
-												all: fix spelling mistakes

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>

											
										
										
											2 years ago
+								// SetTransportGetProxyConnectHeader sets the provided Transport's
-												net/tshttpproxy: more directly use Transport proxy CONNECT hooks

GetProxyConnectHeader (golang/go#41048) was upstreamed in Go 1.16 and
OnProxyConnectResponse (golang/go#54299) in Go 1.20, thus we no longer
need to guard their use by the tailscale_go build tag.

Updates #7123

Signed-off-by: Mihai Parparita <mihai@tailscale.com>

											
										
										
											1 year ago
+								// GetProxyConnectHeader field, and adds logging of the received response.
-												tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies

For Windows only, and only when built with Tailscale's Go tree.

Updates tailscale/corp#583

											
										
										
											4 years ago
+								func SetTransportGetProxyConnectHeader(tr *http.Transport) {
-												net/tshttpproxy: more directly use Transport proxy CONNECT hooks

GetProxyConnectHeader (golang/go#41048) was upstreamed in Go 1.16 and
OnProxyConnectResponse (golang/go#54299) in Go 1.20, thus we no longer
need to guard their use by the tailscale_go build tag.

Updates #7123

Signed-off-by: Mihai Parparita <mihai@tailscale.com>

											
										
										
											1 year ago
+									tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
 										v, err := GetAuthHeader(proxyURL)
 										if err != nil {
 											log.Printf("failed to get proxy Auth header for %v; ignoring: %v", proxyURL, err)
 											return nil, nil
 										}
 										if v == "" {
 											return nil, nil
 										}
 										return http.Header{proxyAuthHeader: []string{v}}, nil
 									}
 									tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
 										auth := connectReq.Header.Get(proxyAuthHeader)
 										const truncLen = 20
 										if len(auth) > truncLen {
 											auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
 										}
 										log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
 										return nil
-												tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies

For Windows only, and only when built with Tailscale's Go tree.

Updates tailscale/corp#583

											
										
										
											4 years ago
+									}
 								}