tailscale/net/tshttpproxy/tshttpproxy.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

// Package tshttpproxy contains Tailscale additions to httpproxy not available
// in golang.org/x/net/http/httpproxy. Notably, it aims to support Windows better.
package tshttpproxy

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
	"runtime"
	"strings"
	"sync"
	"time"

	"golang.org/x/net/http/httpproxy"
	"tailscale.com/util/mak"
)

// InvalidateCache invalidates the package-level cache for ProxyFromEnvironment.
//
// It's intended to be called on network link/routing table changes.
func InvalidateCache() {
	mu.Lock()
	defer mu.Unlock()
	noProxyUntil = time.Time{}
}

var (
	mu           sync.Mutex
	noProxyUntil time.Time         // if non-zero, time at which ProxyFromEnvironment should check again
	config       *httpproxy.Config // used to create proxyFunc
	proxyFunc    func(*url.URL) (*url.URL, error)
)

func getProxyFunc() func(*url.URL) (*url.URL, error) {
	// Create config/proxyFunc if it's not created
	mu.Lock()
	defer mu.Unlock()
	if config == nil {
		config = httpproxy.FromEnvironment()
	}
	if proxyFunc == nil {
		proxyFunc = config.ProxyFunc()
	}
	return proxyFunc
}

// setNoProxyUntil stops calls to sysProxyEnv (if any) for the provided duration.
func setNoProxyUntil(d time.Duration) {
	mu.Lock()
	defer mu.Unlock()
	noProxyUntil = time.Now().Add(d)
}

var _ = setNoProxyUntil // quiet staticcheck; Windows uses the above, more might later

// SetSelfProxy configures this package to avoid proxying through any of the
// provided addresses–e.g. if they refer to proxies being run by this process.
func SetSelfProxy(addrs ...string) {
	mu.Lock()
	defer mu.Unlock()

	// Ensure we have a valid config
	if config == nil {
		config = httpproxy.FromEnvironment()
	}

	normalizeHostPort := func(s string) string {
		host, portStr, err := net.SplitHostPort(s)
		if err != nil {
			return s
		}

		// Normalize the localhost IP into "localhost", to avoid IPv4/IPv6 confusion.
		if host == "127.0.0.1" || host == "::1" {
			return "localhost:" + portStr
		}

		// On Linux, all 127.0.0.1/8 IPs are also localhost.
		if runtime.GOOS == "linux" && strings.HasPrefix(host, "127.0.0.") {
			return "localhost:" + portStr
		}

		return s
	}

	normHTTP := normalizeHostPort(config.HTTPProxy)
	normHTTPS := normalizeHostPort(config.HTTPSProxy)

	// If any of our proxy variables point to one of the configured
	// addresses, ignore them.
	for _, addr := range addrs {
		normAddr := normalizeHostPort(addr)
		if normHTTP != "" && normHTTP == normAddr {
			log.Printf("tshttpproxy: skipping HTTP_PROXY pointing to self: %q", addr)
			config.HTTPProxy = ""
			normHTTP = ""
		}
		if normHTTPS != "" && normHTTPS == normAddr {
			log.Printf("tshttpproxy: skipping HTTPS_PROXY pointing to self: %q", addr)
			config.HTTPSProxy = ""
			normHTTPS = ""
		}
	}

	// Invalidate to cause it to get re-created
	proxyFunc = nil
}

// sysProxyFromEnv, if non-nil, specifies a platform-specific ProxyFromEnvironment
// func to use if http.ProxyFromEnvironment doesn't return a proxy.
// For example, WPAD PAC files on Windows.
var sysProxyFromEnv func(*http.Request) (*url.URL, error)

// These variables track whether we've printed a log message for a given proxy
// URL; we only print them once to avoid log spam.
var (
	logMessageMu      sync.Mutex
	logMessagePrinted map[string]bool
)

// ProxyFromEnvironment is like the standard library's http.ProxyFromEnvironment
// but additionally does OS-specific proxy lookups if the environment variables
// alone don't specify a proxy.
func ProxyFromEnvironment(req *http.Request) (ret *url.URL, _ error) {
	defer func() {
		if ret == nil {
			return
		}

		ss := ret.String()

		logMessageMu.Lock()
		defer logMessageMu.Unlock()
		if logMessagePrinted[ss] {
			return
		}
		log.Printf("tshttpproxy: using proxy %q for URL: %q", ss, req.URL.String())
		mak.Set(&logMessagePrinted, ss, true)
	}()

	localProxyFunc := getProxyFunc()
	u, err := localProxyFunc(req.URL)
	if u != nil && err == nil {
		return u, nil
	}

	mu.Lock()
	noProxyTime := noProxyUntil
	mu.Unlock()
	if time.Now().Before(noProxyTime) {
		return nil, nil
	}

	if sysProxyFromEnv != nil {
		u, err := sysProxyFromEnv(req)
		if u != nil && err == nil {
			return u, nil
		}
	}

	return nil, err
}

var sysAuthHeader func(*url.URL) (string, error)

// GetAuthHeader returns the Authorization header value to send to proxy u.
func GetAuthHeader(u *url.URL) (string, error) {
	if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
		return fake, nil
	}
	if user := u.User.Username(); user != "" {
		pass, ok := u.User.Password()
		if !ok {
			return "", nil
		}

		req := &http.Request{Header: make(http.Header)}
		req.SetBasicAuth(user, pass)
		return req.Header.Get("Authorization"), nil
	}
	if sysAuthHeader != nil {
		return sysAuthHeader(u)
	}
	return "", nil
}

const proxyAuthHeader = "Proxy-Authorization"

// SetTransportGetProxyConnectHeader sets the provided Transport's
// GetProxyConnectHeader field, and adds logging of the received response.
func SetTransportGetProxyConnectHeader(tr *http.Transport) {
	tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
		v, err := GetAuthHeader(proxyURL)
		if err != nil {
			log.Printf("failed to get proxy Auth header for %v; ignoring: %v", proxyURL, err)
			return nil, nil
		}
		if v == "" {
			return nil, nil
		}
		return http.Header{proxyAuthHeader: []string{v}}, nil
	}
	tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
		auth := connectReq.Header.Get(proxyAuthHeader)
		const truncLen = 20
		if len(auth) > truncLen {
			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
		}
		log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
		return nil
	}
}