Skip to content

Fix non-tls forward-proxy #848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 8, 2025
Merged

Fix non-tls forward-proxy #848

merged 3 commits into from
Jul 8, 2025

Conversation

@karlseguin
Copy link
Collaborator

@karlseguin karlseguin commented Jul 7, 2025

Also renamed isSimpleProxy -> isForwardProxy for consistent with the proxy type name.

karlseguin
karlseguin commented Jul 7, 2025
View reviewed changes
src/http/client.zig
}
}
if (self._request_secure and !self._proxy_secure) {
if (self._request_secure and !self._proxy_secure and !self._client.isForwardProxy()) {
Copy link
Collaborator Author

@karlseguin karlseguin Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only real change.

sjorsdonkers
sjorsdonkers reviewed Jul 7, 2025
View reviewed changes
src/http/client.zig
}
}
if (self._request_secure and !self._proxy_secure) {
if (self._request_secure and !self._proxy_secure and !self._client.isForwardProxy()) {
Copy link
Contributor

@sjorsdonkers sjorsdonkers Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we would need this to support a secure forward proxy (proxy_tls_config need to be put in scope)

Suggested change
if (self._request_secure and !self._proxy_secure and !self._client.isForwardProxy()) {
if (self._client.isForwardProxy()) {
if (self._proxy_secure) {
self._connection.?.tls = .{
.blocking = try tls.client(std.net.Stream{ .handle = socket }, proxy_tls_config),
};
}
} else if (self._request_secure and !self._proxy_secure) { // handles both insecure connect proxy and no proxy case
self._connection.?.tls = .{
.blocking = try tls.client(std.net.Stream{ .handle = socket }, tls_config),
};
}

Starting to think the refactored version would have been better here anyway.
#815 (comment)

Copy link
Collaborator Author

@karlseguin karlseguin Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now it's:

if (
    (self._request_secure and !self._proxy_secure) and
    (!self._client.isForwardProxy() or self._proxy_secure)
) {

Copy link
Contributor

@sjorsdonkers sjorsdonkers Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the tls_config be changed to point to the right endpoint? if it is the tls for the proxy?

Copy link
Contributor

@sjorsdonkers sjorsdonkers Jul 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or self._proxy_secure can never make the whole statement true since and !self._proxy_secure is also part of it

@sjorsdonkers sjorsdonkers self-requested a review July 7, 2025 12:34
@karlseguin karlseguin merged commit 7b46fe9 into main Jul 8, 2025
10 checks passed
@karlseguin karlseguin deleted the fix_insecure_forward_proxy branch July 8, 2025 01:52
@github-actions github-actions bot locked and limited conversation to collaborators Jul 8, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@sjorsdonkers sjorsdonkers Awaiting requested review from sjorsdonkers

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@karlseguin @sjorsdonkers