
Add unix socket support to http.request

Open aleclarson opened this issue 7 years ago • 7 comments

Or provide an example of using http.client to communicate with a Unix socket.

aleclarson avatar Mar 31 '18 20:03 aleclarson

This isn't supported at the moment because I couldn't figure out how it would work. If you have a use case could you tell me:

  • What should SNI contain?
  • What host should TLS verify against?
  • What should be in the Host header?
  • What is the interaction with proxies?

daurnimator avatar Apr 02 '18 02:04 daurnimator

For now, I'm using it in development only, so I haven't considered TLS behavior. Maybe the :authority header should have to be set by the caller? Or default to localhost? I don't have much knowledge of HTTP proxies, so can't offer any opinions on that.

aleclarson avatar Apr 02 '18 04:04 aleclarson

I'm writing a higher level module that wraps lua-http, so no immediate action is necessary on your end.

aleclarson avatar Apr 02 '18 04:04 aleclarson

Added help-wanted label, as answers to the above questions need to be determined before solving this request.

daurnimator avatar Jun 16 '18 19:06 daurnimator

While this is an ancient report, I'd like to share some information for my use case for wanting unix socket support in http.request.

The major reason for it is that I'd like to talk to the Docker API via a unix socket. The API is HTTP over a unix socket, no TLS, the host header is ignored, by the looks of it.

As an experiment, I used socat to proxy between the docker socket and TCP: socat -d -v -d TCP-L:2376,fork UNIX:/var/run/docker.sock. With that set, DOCKER_HOST=localhost:2376 docker version will generate the following HTTP request on the socket:

GET /v1.41/version HTTP/1.1\r
Host: localhost:2376\r
User-Agent: Docker-Client/20.10.14 (linux)\r
\r

To this, the docker API just responds with an ordinary HTTP response with a JSON payload. When connecting via the socket itself, the docker client sets docker as the host, doesn't make a difference.

So pretty much all I want from http.request is to be able to connect to a unix socket, not care about SNI, TLS, proxies, or the host header at all. Just connect, send the request, parse the reply, done. Probably not a complete solution for all use-cases involving unix-sockets (it's not even a complete solution for docker, see below), but it'd be a step forward.

Now, why do I want to connect to the Docker API via a unix socket, rather than telling my docker daemon to listen on tcp too? Because by default, tcp is unencrypted, so any local user would be able to talk to my docker, while the unix socket has permissions. I could, of course, ask Docker to only allow clients that present a TLS cert signed by a trusted CA, but that's a whole lot of work when the client is on the same host anyway. Thus, talking to Docker from Lua is easiest if I can do it over a unix socket.

algernon avatar Apr 15 '22 13:04 algernon

@algernon note that you can use http_client.negotiate(yoursocket, options, timeout) where yoursocket is a unix socket. (but then you don't get all the special handling in http.request)

Perhaps some of the logic in http.request could be factored out so you can enter in with your own socket? But that brings up all sorts of questions on how e.g. redirects should be handled.

daurnimator avatar Apr 20 '22 06:04 daurnimator
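
The `http_client.negotiate` route mentioned in the comment above, written out as an added example (not code from the thread or from lua-http's own documentation). It assumes the socket is opened with cqueues' `socket.connect` and a `path` field; `unix_get` and the 5-second timeout are hypothetical choices, while the socket path, the request path and the `docker` authority are the values quoted earlier in the thread. No `tls` option is passed, so there is no SNI and no certificate verification, and access control rests entirely on the socket file's permissions.

```lua
-- Added example: plain HTTP/1.1 over a UNIX socket via http.client.negotiate.
local cs = require "cqueues.socket"
local http_client = require "http.client"
local http_headers = require "http.headers"

local SOCKET_PATH = "/var/run/docker.sock" -- path quoted in the thread
local TIMEOUT = 5 -- seconds; arbitrary value chosen for this example

-- Hypothetical helper: returns status, body on success or nil, error.
local function unix_get(socket_path, request_path, authority, timeout)
	-- Assumption: cqueues opens an AF_UNIX socket when given `path`.
	local sock, err = cs.connect { path = socket_path }
	if not sock then return nil, tostring(err) end

	-- No `tls` field: the connection stays cleartext, which is only
	-- acceptable because the peer is reached through a local socket file.
	local conn, cerr = http_client.negotiate(sock, { version = 1.1 }, timeout)
	if not conn then
		sock:close()
		return nil, tostring(cerr)
	end

	-- HTTP/1.1 requires a Host header, so :authority must be supplied
	-- by the caller even though the Docker API ignores its value.
	local req = http_headers.new()
	req:append(":method", "GET")
	req:append(":scheme", "http")
	req:append(":authority", authority)
	req:append(":path", request_path)

	local stream = conn:new_stream()
	local ok, werr = stream:write_headers(req, true, timeout)
	if not ok then conn:close() return nil, tostring(werr) end

	local res, herr = stream:get_headers(timeout)
	if not res then conn:close() return nil, tostring(herr) end

	local body, berr = stream:get_body_as_string(timeout)
	conn:close()
	if not body then return nil, tostring(berr) end
	return res:get(":status"), body
end

local status, body = unix_get(SOCKET_PATH, "/v1.41/version", "docker", TIMEOUT)
if status then
	print(status, body)
else
	io.stderr:write("request failed: ", body, "\n")
end
```

Redirects, proxies and cookies are not handled here, since that logic lives in `http.request`.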

There's some interesting discussion over at https://github.com/whatwg/url/issues/577 about how to indicate a unix socket should be used with a URL.

daurnimator avatar Apr 20 '22 06:04 daurnimator