Add HTTP proxy support for tunnel connections

Author: shayonj

ingress/origin_dialer.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/rs/zerolog"
+	"golang.org/x/net/proxy"
 )
 
 // OriginTCPDialer provides a TCP dial operation to a requested address.
@@ -115,20 +116,33 @@ func (d *OriginDialerService) DialUDP(addr netip.AddrPort) (net.Conn, error) {
 }
 
 type Dialer struct {
-	Dialer net.Dialer
+	Dialer proxy.Dialer
 }
 
 func NewDialer(config WarpRoutingConfig) *Dialer {
+	// Create proxy-aware dialer for warp routing
+	proxyDialer := createProxyDialer(config.ConnectTimeout.Duration, config.TCPKeepAlive.Duration, nil)
 	return &Dialer{
-		Dialer: net.Dialer{
-			Timeout:   config.ConnectTimeout.Duration,
-			KeepAlive: config.TCPKeepAlive.Duration,
-		},
+		Dialer: proxyDialer,
 	}
 }
 
+// createProxyDialer creates a proxy.Dialer that respects proxy environment variables
+func createProxyDialer(timeout, keepAlive time.Duration, logger *zerolog.Logger) proxy.Dialer {
+	// Reuse the unified proxy logic from origin_service.go
+	return newProxyAwareDialer(timeout, keepAlive, logger)
+}
+
 func (d *Dialer) DialTCP(ctx context.Context, dest netip.AddrPort) (net.Conn, error) {
-	conn, err := d.Dialer.DialContext(ctx, "tcp", dest.String())
+	var conn net.Conn
+	var err error
+
+	if contextDialer, ok := d.Dialer.(proxy.ContextDialer); ok {
+		conn, err = contextDialer.DialContext(ctx, "tcp", dest.String())
+	} else {
+		conn, err = d.Dialer.Dial("tcp", dest.String())
+	}
+
 	if err != nil {
 		return nil, fmt.Errorf("unable to dial tcp to origin %s: %w", dest, err)
 	}

ingress/origin_proxy.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 
 	"github.com/rs/zerolog"
+	"golang.org/x/net/proxy"
 )
 
 // HTTPOriginProxy can be implemented by origin services that want to proxy http requests.
@@ -86,7 +87,15 @@ func (o *statusCode) RoundTrip(_ *http.Request) (*http.Response, error) {
 }
 
 func (o *rawTCPService) EstablishConnection(ctx context.Context, dest string, logger *zerolog.Logger) (OriginConnection, error) {
-	conn, err := o.dialer.DialContext(ctx, "tcp", dest)
+	var conn net.Conn
+	var err error
+
+	if contextDialer, ok := o.dialer.(proxy.ContextDialer); ok {
+		conn, err = contextDialer.DialContext(ctx, "tcp", dest)
+	} else {
+		conn, err = o.dialer.Dial("tcp", dest)
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -105,7 +114,13 @@ func (o *tcpOverWSService) EstablishConnection(ctx context.Context, dest string,
 		dest = o.dest
 	}
 
-	conn, err := o.dialer.DialContext(ctx, "tcp", dest)
+	var conn net.Conn
+	if contextDialer, ok := o.dialer.(proxy.ContextDialer); ok {
+		conn, err = contextDialer.DialContext(ctx, "tcp", dest)
+	} else {
+		conn, err = o.dialer.Dial("tcp", dest)
+	}
+
 	if err != nil {
 		return nil, err
 	}

ingress/origin_proxy_test.go

@@ -8,7 +8,9 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,7 +26,10 @@ func TestRawTCPServiceEstablishConnection(t *testing.T) {
 	listenerClosed := make(chan struct{})
 	tcpListenRoutine(originListener, listenerClosed)
 
-	rawTCPService := &rawTCPService{name: ServiceWarpRouting}
+	rawTCPService := &rawTCPService{
+		name:   ServiceWarpRouting,
+		dialer: newProxyAwareDialer(30*time.Second, 30*time.Second, nil),
+	}
 
 	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://%s", originListener.Addr()), nil)
 	require.NoError(t, err)
@@ -40,6 +45,148 @@ func TestRawTCPServiceEstablishConnection(t *testing.T) {
 	require.Error(t, err)
 }
 
+func TestProxyAwareDialer(t *testing.T) {
+	tests := []struct {
+		name        string
+		httpProxy   string
+		httpsProxy  string
+		socksProxy  string
+		expectDirect bool
+		expectProxy  bool
+	}{
+		{
+			name:         "no proxy configured",
+			expectDirect: true,
+		},
+		{
+			name:        "HTTP proxy configured",
+			httpProxy:   "http://proxy.example.com:8080",
+			expectProxy: true,
+		},
+		{
+			name:        "HTTPS proxy configured",
+			httpsProxy:  "http://proxy.example.com:8080",
+			expectProxy: true,
+		},
+		{
+			name:       "SOCKS proxy configured",
+			socksProxy: "socks5://proxy.example.com:1080",
+			expectProxy: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			origHTTP := os.Getenv("HTTP_PROXY")
+			origHTTPS := os.Getenv("HTTPS_PROXY")
+			origSOCKS := os.Getenv("ALL_PROXY")
+
+			defer func() {
+				os.Setenv("HTTP_PROXY", origHTTP)
+				os.Setenv("HTTPS_PROXY", origHTTPS)
+				os.Setenv("ALL_PROXY", origSOCKS)
+			}()
+
+			os.Setenv("HTTP_PROXY", tt.httpProxy)
+			os.Setenv("HTTPS_PROXY", tt.httpsProxy)
+			os.Setenv("ALL_PROXY", tt.socksProxy)
+
+			dialer := newProxyAwareDialer(30*time.Second, 30*time.Second, TestLogger)
+			assert.NotNil(t, dialer)
+
+			if tt.expectDirect {
+				_, ok := dialer.(*net.Dialer)
+				assert.True(t, ok, "Expected net.Dialer when no proxy configured")
+			} else if tt.expectProxy {
+				assert.NotNil(t, dialer, "Expected proxy dialer when proxy configured")
+			}
+		})
+	}
+}
+
+func TestProxyAwareDialerHTTPConnect(t *testing.T) {
+	proxyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "CONNECT" {
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer proxyServer.Close()
+
+	origHTTP := os.Getenv("HTTP_PROXY")
+	defer os.Setenv("HTTP_PROXY", origHTTP)
+
+	os.Setenv("HTTP_PROXY", proxyServer.URL)
+
+	dialer := newProxyAwareDialer(5*time.Second, 5*time.Second, TestLogger)
+	assert.NotNil(t, dialer)
+
+	// Test actual dial (this will fail because our mock proxy doesn't handle the full protocol)
+	// but we can verify the proxy detection logic works
+	proxyAwareDialer, ok := dialer.(*proxyAwareDialer)
+	assert.True(t, ok, "Expected proxyAwareDialer when HTTP proxy configured")
+	assert.NotNil(t, proxyAwareDialer.baseDialer)
+}
+
+func TestGetEnvProxy(t *testing.T) {
+	tests := []struct {
+		name     string
+		upper    string
+		lower    string
+		upperVal string
+		lowerVal string
+		expected string
+	}{
+		{
+			name:     "upper case takes priority",
+			upper:    "TEST_PROXY",
+			lower:    "test_proxy",
+			upperVal: "upper_value",
+			lowerVal: "lower_value",
+			expected: "upper_value",
+		},
+		{
+			name:     "lower case when upper not set",
+			upper:    "TEST_PROXY",
+			lower:    "test_proxy",
+			lowerVal: "lower_value",
+			expected: "lower_value",
+		},
+		{
+			name:     "empty when neither set",
+			upper:    "TEST_PROXY",
+			lower:    "test_proxy",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Save and restore environment
+			origUpper := os.Getenv(tt.upper)
+			origLower := os.Getenv(tt.lower)
+			defer func() {
+				os.Setenv(tt.upper, origUpper)
+				os.Setenv(tt.lower, origLower)
+			}()
+
+			os.Unsetenv(tt.upper)
+			os.Unsetenv(tt.lower)
+
+			if tt.upperVal != "" {
+				os.Setenv(tt.upper, tt.upperVal)
+			}
+			if tt.lowerVal != "" {
+				os.Setenv(tt.lower, tt.lowerVal)
+			}
+
+			result := getEnvProxy(tt.upper, tt.lower)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 func TestTCPOverWSServiceEstablishConnection(t *testing.T) {
 	originListener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)