Fix command output, proxy setup, and HTTPS forwarding (#47)

* fix: always pipe command to stdout

* basic fixes

* Fix CONNECT handling in TLS termination path

CONNECT requests coming through TLS termination were incorrectly
forwarded as regular HTTP requests instead of being handled by
handleConnect. This caused 400 errors when clients used CONNECT.

The fix adds proper CONNECT detection in handleDecryptedHTTPS,
matching the behavior in handleHTTP.

* Use http:// for HTTPS_PROXY in unprivileged mode

HTTPS_PROXY should use http:// to establish CONNECT tunnels
to the proxy, not https://. This is the standard approach
for HTTP proxies handling HTTPS traffic via CONNECT.

The proxy will still perform TLS termination on the tunneled
connections for full request visibility.

* Add debugging for TLS connection hangs in CONNECT handling

- Add read timeout to detect clients that don't send HTTP requests
- Add detailed TLS connection state logging
- Better error handling for timeout scenarios

This should help diagnose why CONNECT tunnels hang after TLS handshake.

* Fix SetReadTimeout compilation error

Replace SetReadTimeout (which doesn't exist) with SetReadDeadline.
Also reset the deadline after each successful request to allow
multiple requests on the same TLS connection.

* fix

---------

Co-authored-by: blink-so[bot] <211532188+blink-so[bot]@users.noreply.github.com>

Author: f0ssel

cli/cli.go

@@ -180,7 +180,13 @@ func Run(ctx context.Context, config Config, args []string) error {
 	// Execute command in boundary
 	go func() {
 		defer cancel()
-		err := boundaryInstance.Command(args).Run()
+		cmd := boundaryInstance.Command(args)
+		cmd.Stderr = os.Stderr
+		cmd.Stdout = os.Stdout
+		cmd.Stdin = os.Stdin
+
+		logger.Debug("Executing command in boundary", "command", strings.Join(args, " "))
+		err := cmd.Run()
 		if err != nil {
 			logger.Error("Command execution failed", "error", err)
 		}
@@ -292,4 +298,4 @@ func createJailer(config jail.Config, unprivileged bool) (jail.Jailer, error) {
 
 	// Use the DefaultOS function for platform-specific jail creation
 	return jail.DefaultOS(config)
-}
+}

jail/unprivileged.go

@@ -1,6 +1,7 @@
 package jail
 
 import (
+	"fmt"
 	"log/slog"
 	"os/exec"
 )
@@ -33,10 +34,15 @@ func NewUnprivileged(config Config) (*Unprivileged, error) {
 func (u *Unprivileged) Start() error {
 	u.logger.Debug("Starting in unprivileged mode")
 	e := getEnvs(u.configDir, u.caCertPath)
+	p := fmt.Sprintf("http://localhost:%d", u.httpProxyPort)
 	u.commandEnv = mergeEnvs(e, map[string]string{
-		"HOME":    u.homeDir,
-		"USER":    u.username,
-		"LOGNAME": u.username,
+		"HOME":        u.homeDir,
+		"USER":        u.username,
+		"LOGNAME":     u.username,
+		"HTTP_PROXY":  p,
+		"HTTPS_PROXY": p,
+		"http_proxy":  p,
+		"https_proxy": p,
 	})
 	return nil
 }
@@ -53,4 +59,4 @@ func (u *Unprivileged) Command(command []string) *exec.Cmd {
 func (u *Unprivileged) Close() error {
 	u.logger.Debug("Closing unprivileged jail")
 	return nil
-}
+}

proxy/proxy.go

@@ -133,16 +133,20 @@ func (p *Server) handleHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Forward regular HTTP request
-	p.forwardHTTPRequest(w, r)
+	p.forwardRequest(w, r, false)
 }
 
-// forwardHTTPRequest forwards a regular HTTP request
-func (p *Server) forwardHTTPRequest(w http.ResponseWriter, r *http.Request) {
+// forwardRequest forwards a regular HTTP request
+func (p *Server) forwardRequest(w http.ResponseWriter, r *http.Request, https bool) {
 	p.logger.Debug("forwardHTTPRequest called", "method", r.Method, "url", r.URL.String(), "host", r.Host)
 
+	s := "http"
+	if https {
+		s = "https"
+	}
 	// Create a new request to the target server
 	targetURL := &url.URL{
-		Scheme:   "http",
+		Scheme:   s,
 		Host:     r.Host,
 		Path:     r.URL.Path,
 		RawQuery: r.URL.RawQuery,
@@ -303,6 +307,10 @@ func (p *Server) handleConnect(w http.ResponseWriter, r *http.Request) {
 	}
 	p.logger.Debug("TLS handshake successful", "hostname", hostname)
 
+	// Log connection state after handshake
+	state := tlsConn.ConnectionState()
+	p.logger.Debug("TLS connection established", "hostname", hostname, "version", state.Version, "cipher_suite", state.CipherSuite, "negotiated_protocol", state.NegotiatedProtocol)
+
 	// Now we have a TLS connection - handle HTTPS requests
 	p.logger.Debug("Starting HTTPS request handling", "hostname", hostname)
 	p.handleTLSConnection(tlsConn, hostname)
@@ -313,6 +321,9 @@ func (p *Server) handleConnect(w http.ResponseWriter, r *http.Request) {
 func (p *Server) handleTLSConnection(tlsConn *tls.Conn, hostname string) {
 	p.logger.Debug("Creating HTTP server for TLS connection", "hostname", hostname)
 
+	// Set read timeout to detect hanging connections
+	tlsConn.SetReadDeadline(time.Now().Add(5 * time.Second))
+
 	// Use ReadRequest to manually read HTTP requests from the TLS connection
 	bufReader := bufio.NewReader(tlsConn)
 	for {
@@ -321,6 +332,8 @@ func (p *Server) handleTLSConnection(tlsConn *tls.Conn, hostname string) {
 		if err != nil {
 			if err == io.EOF {
 				p.logger.Debug("TLS connection closed by client", "hostname", hostname)
+			} else if netErr, ok := err.(net.Error); ok && netErr.Timeout() {
+				p.logger.Debug("TLS connection read timeout - client not sending HTTP requests", "hostname", hostname)
 			} else {
 				p.logger.Debug("Failed to read HTTP request", "hostname", hostname, "error", err)
 			}
@@ -350,20 +363,37 @@ func (p *Server) handleTLSConnection(tlsConn *tls.Conn, hostname string) {
 			p.logger.Debug("Failed to write response", "hostname", hostname, "error", err)
 			break
 		}
+
+		// Reset read deadline for next request
+		tlsConn.SetReadDeadline(time.Now().Add(5 * time.Second))
 	}
 
 	p.logger.Debug("TLS connection handling completed", "hostname", hostname)
 }
 
 // handleDecryptedHTTPS handles decrypted HTTPS requests and applies rules
 func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) {
+	// Handle CONNECT method for HTTPS tunneling
+	if r.Method == "CONNECT" {
+		p.handleConnect(w, r)
+		return
+	}
+
+	fullURL := r.URL.String()
+	if r.URL.Host == "" {
+		// Fallback: construct URL from Host header
+		fullURL = fmt.Sprintf("https://%s%s", r.Host, r.URL.Path)
+		if r.URL.RawQuery != "" {
+			fullURL += "?" + r.URL.RawQuery
+		}
+	}
 	// Check if request should be allowed
-	result := p.ruleEngine.Evaluate(r.Method, r.URL.String())
+	result := p.ruleEngine.Evaluate(r.Method, fullURL)
 
 	// Audit the request
 	p.auditor.AuditRequest(audit.Request{
 		Method:  r.Method,
-		URL:     r.URL.String(),
+		URL:     fullURL,
 		Allowed: result.Allowed,
 		Rule:    result.Rule,
 	})
@@ -374,7 +404,7 @@ func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Forward the HTTPS request (now handled same as HTTP after TLS termination)
-	p.forwardHTTPRequest(w, r)
+	p.forwardRequest(w, r, true)
 }
 
 // handleConnectionWithTLSDetection detects TLS vs HTTP and handles appropriately
@@ -493,4 +523,4 @@ func (sl *singleConnectionListener) Addr() net.Addr {
 		return nil
 	}
 	return sl.conn.LocalAddr()
-}
+}