Reverse proxy ignores ca_file
Describe the bug
Reverse proxy ignores the ca_file argument.
When the reverse proxy calls upstream.wrap() (https://github.com/abhinavsingh/proxy.py/blob/develop/proxy/http/server/reverse.py#L97) it omits the ca_cert argument. Therefore the SSLContext being created doesn't have the CA file.
This makes it impossible to reverse-proxy to servers with self-signed certificates, which is exactly what I need to do in some cases.
To Reproduce Steps to reproduce the behavior:
- Run `proxy.py` as 'proxy --enable-reverse-proxy --plugins <pointer to MyPlugin> --ca-file <path to CA cert bundle>'
- Deploy an HTTPS server with a self-signed certificate listening at https://myserver
- Have `MyPlugin` like this:

```python
from typing import List, Tuple, Union

from proxy.http.server import ReverseProxyBasePlugin


class MyPlugin(ReverseProxyBasePlugin):
    def routes(self) -> List[Union[str, Tuple[str, List[bytes]]]]:
        # Route /blah to the HTTPS upstream that uses the self-signed certificate
        return [
            (r"/blah$", [b"https://myserver/"]),
        ]
```

- Do `curl http://localhost:8899/blah` to trigger error
- See error

```
2022-10-12 19:38:32,768 - pid:45420 [W] handler.handle_readables:234 - Exception when receiving from client connection#29 with reason SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')
```
Expected behavior Upstream connection succeeds.
Version information
- OS: macOS Monterey
- Browser: curl
- Device: MBP
- proxy.py Version: 2.4.3
Additional context N/A
Screenshots N/A
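
The failure described in this issue, reproduced in memory as an added example (not code from the thread or from proxy.py): a client context built without the CA file rejects a self-signed upstream, and the same context given the CA file accepts it. `upstream_context`, `handshake` and `demo` are hypothetical names, the certificate is a constructed throwaway, and the `openssl` command-line tool is assumed to be installed.

```python
import os, ssl, subprocess, tempfile

def make_self_signed(dirname, host):
    """Constructed fixture: throwaway self-signed cert/key made with the openssl CLI."""
    crt, key = os.path.join(dirname, "crt.pem"), os.path.join(dirname, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={host}", "-keyout", key, "-out", crt,
                    "-addext", f"subjectAltName=DNS:{host}"],
                   check=True, capture_output=True)
    return crt, key

def upstream_context(ca_file=None):
    """Hypothetical helper (not proxy.py code): client context for the upstream leg."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust the supplied bundle
    else:
        ctx.load_default_certs()  # CA file dropped: system trust store only
    return ctx

def handshake(client_ctx, server_ctx, host):
    """Run a TLS handshake in memory; return 'ok' or OpenSSL's verify message."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=host)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    pending = [client, server]
    for _ in range(10):  # a few flights are enough for TLS 1.2 and 1.3
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass  # waiting for the peer's next flight
            except ssl.SSLCertVerificationError as exc:
                return exc.verify_message
            # Move whatever this side produced into the peer's input buffer.
            src, dst = (c_out, s_in) if side is client else (s_out, c_in)
            if data := src.read():
                dst.write(data)
        if not pending:
            return "ok"
    return "incomplete"

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed(tmp, "myserver")
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        return {"without_ca_file": handshake(upstream_context(None), server_ctx, "myserver"),
                "with_ca_file": handshake(upstream_context(crt), server_ctx, "myserver")}
```

Calling `demo()` returns the outcome for both contexts; the rejected case is a CERTIFICATE_VERIFY_FAILED error like the one in the log above.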
The PoC PR https://github.com/abhinavsingh/proxy.py/pull/1280 makes it work as expected.
Looks like #1283 implemented this around 6 months ago, but it still hasn't shipped in a release yet. Are you cutting a new release anytime soon @abhinavsingh? Thanks!
@ddl-ebrown Thanks for reminding me about it. Just started release workflow for v2.4.4rc4 https://github.com/abhinavsingh/proxy.py/actions/runs/4417674343 , should be out soon.
Awesome - thank you!
https://github.com/abhinavsingh/proxy.py/pull/1397 addressed this, closing now.