Add support for HTTP_PROXY, HTTPS_PROXY, and NO_PROXY

[peterguy]

Adds support for the standard environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

SRC_PROXY still takes precedence, including over NO_PROXY.

Also added fixes for connecting to TLS-enabled proxies, where we want to connect to the SG API using HTTP/2, but many proxies support only HTTP/1.1, so we need to connect to the proxy via HTTP/1.1, then connect through the proxy to the SG API using HTTP/2.

Moved endpoint and proxy parsing to the config building so that typos and malformed urls are caught early and errors returned immediately.

Test plan

Added CI tests validating proxy behavior.

Manual testing

Install mitmproxy and squid.

Create an SSL cert for squid:

openssl req -x509 -newkey rsa:2048 \
  -keyout squid-key.pem -out squid-cert.pem \
  -days 365 -nodes -subj "/CN=localhost"
cat squid-key.pem squid-cert.pem > squid-proxy.pem

Create a config for squid:

cat << EOF >squid.conf
https_port 8445 cert=./squid-proxy.pem
sslproxy_session_cache_size 0
acl localnet src 127.0.0.1/32
http_access allow localhost
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
EOF

Run mitmproxy - mitmproxy -v - in one terminal.

Run squid - squid -f ./squid.conf -N -d 1 - in another terminal.

In a third terminal, in the src-cli repo, build the binary: go build -o ./src-cli ./cmd/src

Ensure you have SRC_ENDPOINT and SRC_ACCESS_TOKEN set in your environment, and unset SRC_PROXY.

Try connecting with each proxy (mitmproxy is 8080, squid is 8445):

for x in http://localhost:8080 https://localhost:8445
do
HTTPS_PROXY=${x} ./src-cli login --insecure-skip-verify=true
SRC_PROXY=${x} ./src-cli login --insecure-skip-verify=true
done

You should get "Authenticated as [USER] on [ENDPOINT]" messages in your terminal, and in the mitmproxy and squid terminals, you should see activity.

This tests connecting through a proxy that connects with http (mitmproxy), and one that is TLS-enabled (squid).

Ensure that NO_PROXY is ignored when using SRC_PROXY and honored when using HTTPS_PROXY:

HTTPS_PROXY=http://localhost:8080 NO_PROXY=[HOSTNAME FROM ENDPOINT] ./src-cli login

You should get a successful login, but no entry in the mitmproxy log.

SRC_PROXY=http://localhost:8080 NO_PROXY=[HOSTNAME FROM ENDPOINT] ./src-cli login

You should get a successful login and also see an entry in the mitmproxy log.

Closes https://linear.app/sourcegraph/issue/CPL-236/src-cli-support-standard-http-proxy

[bahrmichael]

What do you think about logging the error here?

[peterguy]

Great idea. I re-did the URL parsing for both the endpoint and the proxy - pushing that out to main.go when the program loads, so that users get notified immediately if there are parsing problems for either of them.

[bahrmichael]

What do you think about logging the error here?

[peterguy]

Great idea. I re-did the URL parsing for both the endpoint and the proxy - pushing that out to main.go when the program loads, so that users get notified immediately if there are parsing problems for either of them.

[keegancsmith]

Nice! Inline comments, but otherwise LGTM

[keegancsmith]

why does https:// not work without intervention? (as documented below for http and socks5)

[peterguy]

Since we're connecting to the SG API using HTTP/2, the standard transport tries to connect to the TLS-enabled proxy using HTTP/2 also, which fails if the proxy doesn't support HTTP/2. I haven't found a proxy for local testing that does support HTTP/2; I suspect that most/all proxies that are TLS-enabled don't support HTTP/2.

[keegancsmith]

why are you ignoring the host here and instead assuming addr is just the host? I think this could be a bug right? IE if your proxy url has a port specified won't this break?

[peterguy]

Yeah, that's confusing. I wonder if I goofed and deleted a line or something. All the tests were passing; guess I'd better revisit those also! 😊

[keegancsmith]

I think you should be using the Hostname and Port methods instead of net.SplitHostPort. For example, I think ipv6 addresses would break since the way they are represented in a URL are different to net.SplitHostPort expects.

[peterguy]

Hmmmm, the docs for net.SplitHostPort mention IPV6; I'll add some test cases to see if it does work.

[keegancsmith]

I think you can greatly simplify code here (and remove helpers like waitForServerReady and generateTestCert) by using the httptest package. It already provides functions to listen on TLS/etc and does things like wait for the server to be listening.

[keegancsmith]

This advice still stands

[keegancsmith]

get our favourite AI's to generate some example with ipv4, ipv6 and localhost.

[keegancsmith]

You might wanna rebase, I think william just did some CI updates which include things like go-lint/etc.

[peterguy]

Thanks for all of your commentary; I forgot to open this PR in draft mode! Been trying to address what looks like flakey tests in the Ubuntu CI runner; I'll go through your very helpful comments soon.

[peterguy]

This change is part of the following stack:

• Add support for HTTP_PROXY, HTTPS_PROXY, and NO_PROXY #1260 ◀

_{Change managed by git-spice.}

[keegancsmith]

@peterguy alright just re-request review when ready.

[keegancsmith]

Requesting changes since I just wanna re-review once you have addressed the comments. FYI I pushed some commits to resolve the CI issues.

[keegancsmith]

you changed this is some other places as well. go convention is lowercase on error messages since they get combined. eg My outer error: My inner error doesn't read as nicely as my outer error: my inner error

[keegancsmith]

if I set SRC_PROXY to a http:// or socks5:// though, won't the default transport ignore it?

[keegancsmith]

This advice still stands

[keegancsmith]

given you are doing TrimRight before you should probably do it here as well.

[keegancsmith]

net.Conn documents all methods to be concurrency safe. However, bufio.Reader is not. You need to add in a mutex here.

> Multiple goroutines may invoke methods on a Conn simultaneously.

[keegancsmith]

It isn't clear to me why you introduced the buffered reader?

[keegancsmith]

minor: but these fields should probably all not be exported. Looks like we don't want to marshal them / they are internally read/set.

[keegancsmith]

is it worth updating all these test cases for this? I'd consider just not comparing this field in the comparsion in the test.

[keegancsmith]

[Re: line +130]

I think you should marshal into a struct with just the json fields here. Then from your readConfig function return something which just contains the fields you want to read. Then you don't have both Endpoint and EndpointURL in this struct which is a bit weird.

See this comment inline on Graphite.

[keegancsmith]

I think you need to call tlsConn.Close here to cleanup.