Fixes case where NetDialTLS is set with HTTPS proxy

seans3 · seans3 · commit 865c975b4316 · 2025-02-27T23:03:37.000Z
diff --git a/client.go b/client.go
@@ -426,7 +426,7 @@ func (d *Dialer) proxyNetDial(req *http.Request, netDial netDialerFunc) (netDial
 	if err != nil {
 		return nil, err
 	}
-	// Request should not be proxied; use originial dial function.
+	// Request should *not* be proxied; use originial dial function.
 	if proxyURL == nil {
 		return netDial, nil
 	}
@@ -439,6 +439,8 @@ func (d *Dialer) proxyNetDial(req *http.Request, netDial netDialerFunc) (netDial
 	if proxyURL.Scheme == "https" {
 		if d.NetDialTLSContext != nil {
 			netDial = d.NetDialTLSContext
+			// Ensures later TLS handshake occurs to backend over proxied connection.
+			d.NetDialTLSContext = nil
 		} else if d.TLSClientConfig == nil {
 			return nil, errors.New("HTTPS proxy requires TLS dial function or TLS client config")
 		} else {
diff --git a/client_proxy_server_test.go b/client_proxy_server_test.go
@@ -101,6 +101,10 @@ var proxyHandler = http.HandlerFunc(func(w http.ResponseWriter, req *http.Reques
 	<-done
 })
 
+// Permutation 1
+//
+//	Proxy:   HTTP
+//	Backend: HTTP
 func TestHTTPProxyAndBackend(t *testing.T) {
 	// Start the websocket server, which echoes data back to sender.
 	websocketServer := httptest.NewServer(websocketEchoHandler)
@@ -151,6 +155,11 @@ func TestHTTPProxyAndBackend(t *testing.T) {
 	}
 }
 
+// Permutation 2
+//
+//	Proxy:   HTTP
+//	Backend: HTTP
+//	DialFn:  NetDial (dials proxy)
 func TestHTTPProxyWithNetDial(t *testing.T) {
 	// Start the websocket server, which echoes data back to sender.
 	websocketServer := httptest.NewServer(websocketEchoHandler)
@@ -209,6 +218,11 @@ func TestHTTPProxyWithNetDial(t *testing.T) {
 	}
 }
 
+// Permutation 3
+//
+//	Proxy:   HTTP
+//	Backend: HTTP
+//	DialFn:  NetDialContext (dials proxy)
 func TestHTTPProxyWithNetDialContext(t *testing.T) {
 	// Start the websocket server, which echoes data back to sender.
 	websocketServer := httptest.NewServer(websocketEchoHandler)
@@ -267,6 +281,11 @@ func TestHTTPProxyWithNetDialContext(t *testing.T) {
 	}
 }
 
+// Permutation 4
+//
+//	Proxy:   HTTPS
+//	Backend: HTTPS
+//	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyAndBackend(t *testing.T) {
 	// Start the websocket server running TLS.
 	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
@@ -335,6 +354,12 @@ func TestHTTPSProxyAndBackend(t *testing.T) {
 	}
 }
 
+// Permutation 5
+//
+//	Proxy:      HTTPS
+//	Backend:    HTTPS
+//	DialFn:     NetDial (used to dial proxy)
+//	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyUsingNetDial(t *testing.T) {
 	// Start the websocket server running TLS.
 	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
@@ -413,6 +438,12 @@ func TestHTTPSProxyUsingNetDial(t *testing.T) {
 	}
 }
 
+// Permutation 6
+//
+//	Proxy:      HTTPS
+//	Backend:    HTTPS
+//	DialFn:     NetDialContext (used to dial proxy)
+//	TLS Config: set (used for both proxy and backend TLS)
 func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 	// Start the websocket server running TLS.
 	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
@@ -491,6 +522,168 @@ func TestHTTPSProxyUsingNetDialContext(t *testing.T) {
 	}
 }
 
+// Permutation 7
+//
+//	Proxy:      HTTPS
+//	Backend:    HTTPS
+//	DialFn:     NetDialTLSContext (used for proxy TLS)
+//	TLS Config: set (used for backend TLS)
+func TestHTTPSProxyUsingNetDialTLSContext(t *testing.T) {
+	// Start the websocket server running TLS.
+	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
+	websocketServer := httptest.NewUnstartedServer(websocketEchoHandler)
+	websocketServer.TLS = &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+	websocketServer.StartTLS()
+	defer websocketServer.Close()
+	websocketURL, err := url.Parse(websocketServer.URL)
+	if err != nil {
+		t.Fatalf("error parsing websocket server URL: %v", err)
+	}
+	// Start the proxy server running TLS.
+	var proxyCalled atomic.Int64
+	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		proxyCalled.Add(1)
+		proxyHandler.ServeHTTP(w, req)
+	}))
+	proxyServer.TLS = &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+	proxyServer.StartTLS()
+	defer proxyServer.Close()
+	proxyServerURL, err := url.Parse(proxyServer.URL)
+	if err != nil {
+		t.Fatalf("error parsing websocket server URL: %v", err)
+	}
+	// Dial the websocket server to create the websocket connection through
+	// the proxy. The "NetDialTLSContext" function to dials the proxy and
+	// performs the TLS handshake. NOTE: Subsequent TLS handshake to backend
+	// (over proxied connection) uses TLSClientConfig for handshake.
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(localhostCert)
+	tlsConfig := &tls.Config{RootCAs: certPool}
+	var netDialCalled atomic.Int64
+	dialer := Dialer{
+		Proxy: http.ProxyURL(proxyServerURL),
+		// Dial and TLS handshake function to proxy.
+		NetDialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			netDialCalled.Add(1)
+			return tls.Dial(network, addr, tlsConfig)
+		},
+		// Used for second TLS handshake to backend server over previously
+		// established proxied connection.
+		TLSClientConfig: tlsConfig,
+		Subprotocols:    []string{subprotocolv1},
+	}
+	websocketURL.Scheme = "wss"
+	wsClient, _, err := dialer.Dial(websocketURL.String(), nil)
+	if err != nil {
+		t.Fatalf("websocket dial error: %v", err)
+	}
+	// Generate random data to send/receive over websocket connection.
+	randomSize := 128 * 1024
+	randomData := make([]byte, randomSize)
+	if _, err := rand.Read(randomData); err != nil {
+		t.Errorf("unexpected error reading random data: %v", err)
+	}
+	err = wsClient.WriteMessage(BinaryMessage, randomData)
+	if err != nil {
+		t.Errorf("websocket write error: %v", err)
+	}
+	// Read all the data from the websocket connection, then verify
+	_, received, err := wsClient.ReadMessage()
+	if !bytes.Equal(randomData, received) {
+		t.Errorf("unexpected data received: %d bytes sent, %d bytes received",
+			len(received), len(randomData))
+	}
+	if e, a := int64(1), netDialCalled.Load(); e != a {
+		t.Errorf("netDial not called")
+	}
+	if e, a := int64(1), proxyCalled.Load(); e != a {
+		t.Errorf("proxy not called")
+	}
+}
+
+// Permutation 8
+//
+//	Proxy:      HTTPS
+//	Backend:    HTTP
+//	DialFn:     NetDialTLSContext (used for proxy TLS)
+func TestHTTPSProxyUsingNetDialTLSContextWithHTTPBackend(t *testing.T) {
+	// Start the websocket server.
+	websocketServer := httptest.NewUnstartedServer(websocketEchoHandler)
+	websocketServer.Start()
+	defer websocketServer.Close()
+	websocketURL, err := url.Parse(websocketServer.URL)
+	if err != nil {
+		t.Fatalf("error parsing websocket server URL: %v", err)
+	}
+	// Start the proxy server running TLS.
+	cert, err := tls.X509KeyPair(localhostCert, localhostKey)
+	if err != nil {
+		t.Fatalf("error creating TLS key pair: %v", err)
+	}
+	var proxyCalled atomic.Int64
+	proxyServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		proxyCalled.Add(1)
+		proxyHandler.ServeHTTP(w, req)
+	}))
+	proxyServer.TLS = &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+	proxyServer.StartTLS()
+	defer proxyServer.Close()
+	proxyServerURL, err := url.Parse(proxyServer.URL)
+	if err != nil {
+		t.Fatalf("error parsing websocket server URL: %v", err)
+	}
+	// Dials websocket backend through HTTPS proxy, using NetDialTLSContext.
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(localhostCert)
+	tlsConfig := &tls.Config{RootCAs: certPool}
+	var netDialCalled atomic.Int64
+	dialer := Dialer{
+		Proxy: http.ProxyURL(proxyServerURL),
+		// Dial and TLS handshake function to proxy.
+		NetDialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			netDialCalled.Add(1)
+			return tls.Dial(network, addr, tlsConfig)
+		},
+		Subprotocols: []string{subprotocolv1},
+	}
+	websocketURL.Scheme = "ws"
+	wsClient, _, err := dialer.Dial(websocketURL.String(), nil)
+	if err != nil {
+		t.Fatalf("websocket dial error: %v", err)
+	}
+	// Generate random data to send/receive over websocket connection.
+	randomSize := 128 * 1024
+	randomData := make([]byte, randomSize)
+	if _, err := rand.Read(randomData); err != nil {
+		t.Errorf("unexpected error reading random data: %v", err)
+	}
+	err = wsClient.WriteMessage(BinaryMessage, randomData)
+	if err != nil {
+		t.Errorf("websocket write error: %v", err)
+	}
+	// Read all the data from the websocket connection, then verify
+	_, received, err := wsClient.ReadMessage()
+	if !bytes.Equal(randomData, received) {
+		t.Errorf("unexpected data received: %d bytes sent, %d bytes received",
+			len(received), len(randomData))
+	}
+	if e, a := int64(1), netDialCalled.Load(); e != a {
+		t.Errorf("netDial not called")
+	}
+	if e, a := int64(1), proxyCalled.Load(); e != a {
+		t.Errorf("proxy not called")
+	}
+}
+
 // localhostCert was generated from crypto/tls/generate_cert.go with the following command:
 //
 //	go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
