
Commit a78d858

blink-so[bot]f0ssel
andcommitted
Remove CONNECT tunneling support from HTTP proxy
Removes the handleConnect and relayConnections functions and the CONNECT method handling from the HTTP proxy. Only TLS termination via the HTTPS proxy is now supported, for content inspection. Co-authored-by: f0ssel <[email protected]>
1 parent 0d8c8c8 commit a78d858

1 file changed

+0
-73
lines changed

1 file changed

+0
-73
lines changed

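--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -6,10 +6,8 @@ import (
 "fmt"
 "io"
 "log/slog"
-"net"
 "net/http"
 "net/url"
-"strings"
 "time"
 
 "boundary/rules"
@@ -110,12 +108,6 @@ func (p *ProxyServer) handleHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-// Handle CONNECT method for HTTPS tunneling
-if r.Method == http.MethodConnect {
-p.handleConnect(w, r)
-return
-}
-
 // Forward regular HTTP request
 p.forwardHTTPRequest(w, r)
 }
@@ -139,51 +131,6 @@ func (p *ProxyServer) handleHTTPS(w http.ResponseWriter, r *http.Request) {
 p.forwardHTTPSRequest(w, r)
 }
 
-// handleConnect handles CONNECT requests for HTTPS tunneling
-func (p *ProxyServer) handleConnect(w http.ResponseWriter, r *http.Request) {
-// Extract host and port
-host := r.URL.Host
-if !strings.Contains(host, ":") {
-host += ":443" // Default HTTPS port
-}
-
-// Check if CONNECT should be allowed
-connectURL := fmt.Sprintf("https://%s", strings.Split(host, ":")[0])
-action := p.ruleEngine.Evaluate("CONNECT", connectURL)
-if action == rules.Deny {
-p.writeBlockedResponse(w, r)
-return
-}
-
-// Establish connection to target server
-targetConn, err := net.DialTimeout("tcp", host, 10*time.Second)
-if err != nil {
-http.Error(w, fmt.Sprintf("Failed to connect to %s: %v", host, err), http.StatusBadGateway)
-return
-}
-defer targetConn.Close()
-
-// Send 200 Connection Established
-w.WriteHeader(http.StatusOK)
-
-// Get the underlying connection
-hijacker, ok := w.(http.Hijacker)
-if !ok {
-http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
-return
-}
-
-clientConn, _, err := hijacker.Hijack()
-if err != nil {
-http.Error(w, fmt.Sprintf("Failed to hijack connection: %v", err), http.StatusInternalServerError)
-return
-}
-defer clientConn.Close()
-
-// Relay data between client and target
-p.relayConnections(clientConn, targetConn)
-}
-
 // forwardHTTPRequest forwards a regular HTTP request
 func (p *ProxyServer) forwardHTTPRequest(w http.ResponseWriter, r *http.Request) {
 // Create a new request to the target server
@@ -322,24 +269,4 @@ To allow this request, restart boundary with:
 For more help: https://github.com/coder/boundary
 `,
 r.Method, r.URL.Path, host, host, r.Method, host, r.Method)
-}
-
-// relayConnections relays data between two connections
-func (p *ProxyServer) relayConnections(client, target net.Conn) {
-done := make(chan struct{}, 2)
-
-// Client to target
-go func() {
-defer func() { done <- struct{}{} }()
-io.Copy(target, client)
-}()
-
-// Target to client
-go func() {
-defer func() { done <- struct{}{} }()
-io.Copy(client, target)
-}()
-
-// Wait for one direction to finish
-<-done
 }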
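Review bot: With the CONNECT branch removed from handleHTTP (second hunk), a CONNECT request is no longer rejected and falls straight through to `p.forwardHTTPRequest(w, r)`, whose handling of an authority-form CONNECT target (r.URL carries only a host, no scheme or path) cannot be seen from this hunk. Unless forwardHTTPRequest rejects the method itself, the proxy should answer explicitly instead of attempting to forward it, e.g. `if r.Method == http.MethodConnect { http.Error(w, "CONNECT not supported", http.StatusMethodNotAllowed); return }` placed where the removed branch was. Logging the rejection through the already-imported slog would make a client that still expects tunneling easy to diagnose. handleHTTP's body begins outside the hunk, so an earlier guard there may already cover this.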
