fix(proxy): support HTTP CONNECT dialer
This commit is contained in:
sususu98
+122
-1
@@ -1,7 +1,10 @@
|
||||
package proxyutil
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
@@ -50,7 +53,7 @@ func Parse(raw string) (Setting, error) {
|
||||
parsedURL, errParse := url.Parse(trimmed)
|
||||
if errParse != nil {
|
||||
setting.Mode = ModeInvalid
|
||||
return setting, fmt.Errorf("parse proxy URL failed: %w", errParse)
|
||||
return setting, fmt.Errorf("parse proxy URL failed")
|
||||
}
|
||||
if parsedURL.Scheme == "" || parsedURL.Host == "" {
|
||||
setting.Mode = ModeInvalid
|
||||
@@ -134,6 +137,9 @@ func BuildDialer(raw string) (proxy.Dialer, Mode, error) {
|
||||
case ModeDirect:
|
||||
return proxy.Direct, setting.Mode, nil
|
||||
case ModeProxy:
|
||||
if setting.URL.Scheme == "http" || setting.URL.Scheme == "https" {
|
||||
return &httpConnectDialer{proxyURL: setting.URL, dialer: proxy.Direct}, setting.Mode, nil
|
||||
}
|
||||
dialer, errDialer := proxy.FromURL(setting.URL, proxy.Direct)
|
||||
if errDialer != nil {
|
||||
return nil, setting.Mode, fmt.Errorf("create proxy dialer failed: %w", errDialer)
|
||||
@@ -143,3 +149,118 @@ func BuildDialer(raw string) (proxy.Dialer, Mode, error) {
|
||||
return nil, setting.Mode, nil
|
||||
}
|
||||
}
|
||||
|
||||
type httpConnectDialer struct {
|
||||
proxyURL *url.URL
|
||||
dialer proxy.Dialer
|
||||
}
|
||||
|
||||
func (d *httpConnectDialer) Dial(network, addr string) (net.Conn, error) {
|
||||
proxyConn, errDial := d.dialer.Dial(network, proxyDialAddr(d.proxyURL))
|
||||
if errDial != nil {
|
||||
return nil, fmt.Errorf("dial HTTP proxy failed: %w", errDial)
|
||||
}
|
||||
|
||||
conn := proxyConn
|
||||
if d.proxyURL.Scheme == "https" {
|
||||
tlsConn := tls.Client(conn, &tls.Config{ServerName: d.proxyURL.Hostname()})
|
||||
if errHandshake := tlsConn.Handshake(); errHandshake != nil {
|
||||
if errClose := conn.Close(); errClose != nil {
|
||||
return nil, fmt.Errorf("HTTPS proxy TLS handshake failed: %w; close failed: %v", errHandshake, errClose)
|
||||
}
|
||||
return nil, fmt.Errorf("HTTPS proxy TLS handshake failed: %w", errHandshake)
|
||||
}
|
||||
conn = tlsConn
|
||||
}
|
||||
|
||||
req := &http.Request{
|
||||
Method: http.MethodConnect,
|
||||
URL: &url.URL{Host: addr},
|
||||
Host: addr,
|
||||
Header: make(http.Header),
|
||||
}
|
||||
if d.proxyURL.User != nil {
|
||||
req.Header.Set("Proxy-Authorization", proxyAuthorization(d.proxyURL.User))
|
||||
}
|
||||
if errWrite := req.Write(conn); errWrite != nil {
|
||||
if errClose := conn.Close(); errClose != nil {
|
||||
return nil, fmt.Errorf("write CONNECT request failed: %w; close failed: %v", errWrite, errClose)
|
||||
}
|
||||
return nil, fmt.Errorf("write CONNECT request failed: %w", errWrite)
|
||||
}
|
||||
|
||||
reader := bufio.NewReader(conn)
|
||||
resp, errRead := http.ReadResponse(reader, req)
|
||||
if errRead != nil {
|
||||
if errClose := conn.Close(); errClose != nil {
|
||||
return nil, fmt.Errorf("read CONNECT response failed: %w; close failed: %v", errRead, errClose)
|
||||
}
|
||||
return nil, fmt.Errorf("read CONNECT response failed: %w", errRead)
|
||||
}
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
if resp.Body != nil {
|
||||
_ = resp.Body.Close()
|
||||
}
|
||||
if errClose := conn.Close(); errClose != nil {
|
||||
return nil, fmt.Errorf("proxy CONNECT returned status %s; close failed: %v", resp.Status, errClose)
|
||||
}
|
||||
return nil, fmt.Errorf("proxy CONNECT returned status %s", resp.Status)
|
||||
}
|
||||
|
||||
if reader.Buffered() > 0 {
|
||||
return &bufferedConn{Conn: conn, reader: reader}, nil
|
||||
}
|
||||
return conn, nil
|
||||
}
|
||||
|
||||
func proxyDialAddr(proxyURL *url.URL) string {
|
||||
port := proxyURL.Port()
|
||||
if port == "" {
|
||||
port = "80"
|
||||
if proxyURL.Scheme == "https" {
|
||||
port = "443"
|
||||
}
|
||||
}
|
||||
return net.JoinHostPort(proxyURL.Hostname(), port)
|
||||
}
|
||||
|
||||
func proxyAuthorization(user *url.Userinfo) string {
|
||||
username := user.Username()
|
||||
password, _ := user.Password()
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
||||
return "Basic " + encoded
|
||||
}
|
||||
|
||||
// Redact returns a log-safe proxy URL with credentials and path-like data removed.
|
||||
func Redact(raw string) string {
|
||||
trimmed := strings.TrimSpace(raw)
|
||||
if trimmed == "" {
|
||||
return ""
|
||||
}
|
||||
|
||||
parsedURL, errParse := url.Parse(trimmed)
|
||||
if errParse != nil || parsedURL.Scheme == "" || parsedURL.Host == "" {
|
||||
return "<invalid proxy URL>"
|
||||
}
|
||||
|
||||
redacted := &url.URL{
|
||||
Scheme: parsedURL.Scheme,
|
||||
Host: parsedURL.Host,
|
||||
}
|
||||
if parsedURL.User != nil {
|
||||
redacted.User = url.User("redacted")
|
||||
}
|
||||
return redacted.String()
|
||||
}
|
||||
|
||||
type bufferedConn struct {
|
||||
net.Conn
|
||||
reader *bufio.Reader
|
||||
}
|
||||
|
||||
func (c *bufferedConn) Read(p []byte) (int, error) {
|
||||
if c.reader.Buffered() > 0 {
|
||||
return c.reader.Read(p)
|
||||
}
|
||||
return c.Conn.Read(p)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user