fix(proxy): support HTTP CONNECT dialer

This commit is contained in:
sususu98
2026-05-18 12:18:21 +08:00
parent 24602055a8
commit ec79951e7f
5 changed files with 286 additions and 4 deletions
+161
View File
@@ -1,8 +1,15 @@
package proxyutil
import (
"bufio"
"encoding/base64"
"fmt"
"io"
"net"
"net/http"
"strings"
"testing"
"time"
)
func mustDefaultTransport(t *testing.T) *http.Transport {
@@ -159,3 +166,157 @@ func TestBuildHTTPTransportSOCKS5HProxy(t *testing.T) {
t.Fatal("expected SOCKS5H transport to have custom DialContext")
}
}
func TestBuildDialerHTTPProxyCONNECT(t *testing.T) {
t.Parallel()
listener, errListen := net.Listen("tcp", "127.0.0.1:0")
if errListen != nil {
t.Fatalf("net.Listen returned error: %v", errListen)
}
defer func() {
if errClose := listener.Close(); errClose != nil {
t.Errorf("listener.Close returned error: %v", errClose)
}
}()
done := make(chan error, 1)
go func() {
conn, errAccept := listener.Accept()
if errAccept != nil {
done <- errAccept
return
}
defer func() { _ = conn.Close() }()
if errDeadline := conn.SetDeadline(time.Now().Add(5 * time.Second)); errDeadline != nil {
done <- errDeadline
return
}
req, errRead := http.ReadRequest(bufio.NewReader(conn))
if errRead != nil {
done <- fmt.Errorf("read CONNECT request failed: %w", errRead)
return
}
if req.Method != http.MethodConnect {
done <- fmt.Errorf("method = %s, want CONNECT", req.Method)
return
}
if req.Host != "target.example.com:443" {
done <- fmt.Errorf("host = %s, want target.example.com:443", req.Host)
return
}
wantAuth := "Basic " + base64.StdEncoding.EncodeToString([]byte("user:pass"))
if gotAuth := req.Header.Get("Proxy-Authorization"); gotAuth != wantAuth {
done <- fmt.Errorf("Proxy-Authorization = %q, want %q", gotAuth, wantAuth)
return
}
if _, errWrite := io.WriteString(conn, "HTTP/1.1 200 Connection Established\r\n\r\nok"); errWrite != nil {
done <- fmt.Errorf("write CONNECT response failed: %w", errWrite)
return
}
buf := make([]byte, 4)
n, errReadTunnel := io.ReadFull(conn, buf)
if errReadTunnel != nil {
done <- fmt.Errorf("read tunneled payload failed after %d bytes: %w", n, errReadTunnel)
return
}
if string(buf) != "ping" {
done <- fmt.Errorf("tunneled payload = %q, want ping", string(buf))
return
}
done <- nil
}()
dialer, mode, errBuild := BuildDialer("http://user:pass@" + listener.Addr().String())
if errBuild != nil {
t.Fatalf("BuildDialer returned error: %v", errBuild)
}
if mode != ModeProxy {
t.Fatalf("mode = %d, want %d", mode, ModeProxy)
}
if dialer == nil {
t.Fatal("expected dialer, got nil")
}
conn, errDial := dialer.Dial("tcp", "target.example.com:443")
if errDial != nil {
t.Fatalf("dialer.Dial returned error: %v", errDial)
}
defer func() {
if errClose := conn.Close(); errClose != nil {
t.Errorf("conn.Close returned error: %v", errClose)
}
}()
buf := make([]byte, 2)
n, errRead := io.ReadFull(conn, buf)
if errRead != nil {
t.Fatalf("conn.Read returned error after %d bytes: %v", n, errRead)
}
if string(buf) != "ok" {
t.Fatalf("buffered tunnel payload = %q, want ok", string(buf))
}
if _, errWrite := conn.Write([]byte("ping")); errWrite != nil {
t.Fatalf("conn.Write returned error: %v", errWrite)
}
if errServer := <-done; errServer != nil {
t.Fatalf("proxy server returned error: %v", errServer)
}
}
func TestRedactProxyURL(t *testing.T) {
t.Parallel()
tests := []struct {
name string
input string
want string
}{
{
name: "with credentials",
input: "http://user:pass@proxy.example.com:8080/path?token=secret",
want: "http://redacted@proxy.example.com:8080",
},
{
name: "without credentials",
input: "socks5://proxy.example.com:1080",
want: "socks5://proxy.example.com:1080",
},
{
name: "invalid",
input: "bad-value",
want: "<invalid proxy URL>",
},
}
for _, tt := range tests {
tt := tt
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
if got := Redact(tt.input); got != tt.want {
t.Fatalf("Redact() = %q, want %q", got, tt.want)
}
})
}
}
func TestParseErrorDoesNotExposeProxyCredentials(t *testing.T) {
t.Parallel()
input := "http://user:secret%@proxy.example.com:8080"
_, errParse := Parse(input)
if errParse == nil {
t.Fatal("expected Parse to return an error")
}
if strings.Contains(errParse.Error(), input) ||
strings.Contains(errParse.Error(), "user") ||
strings.Contains(errParse.Error(), "secret") {
t.Fatalf("parse error exposes proxy credentials: %q", errParse.Error())
}
}