
Connect related changes - add optional hooks

Open RomanManz opened this issue 2 years ago • 1 comments

Commit b9ddce5b948fb229126df449803ff0efbe657d66 adding return value to connectReqHandler

  • allows the connectReqHandler to return an error in order to interrupt requests when necessary

Commit fff8ef11b152ec436838d748a1796424bcb5fe20 adding optional connectRespHandler

  • introduces optional support for a connectResponseHandler
  • allows to interrupt a connection - our use case was to check for specific headers returned from the chained proxy

Commit f0e694013577123774066015f8819a6e8b136bd5 calling Hijack in handleHttps if defined

  • adds hijack support to the connectMitm and connectHTTPMitm actions
  • our use case was to inject additional headers in the connect responses when needed

RomanManz avatar Jul 06 '23 12:07 RomanManz

The use case is, you have a CA that signed another certificate once, and you want to use this certificate to sign websites, right?

Can you please add unit tests for the certificate functions?

elazarl avatar Apr 06 '24 18:04 elazarl

What is the purpose of this Pull Request? Can you explain the problem that you are trying to solve?

ErikPelli avatar Dec 18 '24 18:12 ErikPelli

The use case is, you have a CA that signed another certificate once, and you want to use this certificate to sign websites, right?

Can you please add unit tests for the certificate functions?

Yes @elazarl, happy to add the unit tests. Update: just seen that it's been integrated in another PR :-)

RomanManz avatar Feb 10 '25 19:02 RomanManz

Hello @ErikPelli, the concrete use case was to add an authentication flow at proxy level using 'Proxy-Authorization', and to do it in two steps:

client -> proxy 1 responsible for the auth -> proxy 2 in front of service -> service

The commits relate to those phases of the auth flow:

  1. adding return value to connectReqHandler => allow proxy 1 reqhandler to perform auth and to be able to fail
  2. adding optional connectRespHandler => in case of chained proxies, allow proxy 1 to intercept replies from proxy 2, for ex. auth rejected/expired
  3. calling Hijack in handleHttps if defined => allow proxy 2 to check Proxy-Authorization header and return a custom auth rejected/expired if needed

This is very specific, but may still help others. Otherwise I am happy to keep it local. Thanks.

RomanManz avatar Feb 10 '25 19:02 RomanManz
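
The proxy 2 step of the flow described in the comment above (check Proxy-Authorization on CONNECT, answer rejected or expired), as an added standard-library Go example that is not code from the pull request or from goproxy. The token format `<expiry>.<HMAC>`, the function names `sign` and `authorizeConnect`, the demo key and the reason strings are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// sign builds the constructed token "<expiry>.<hex HMAC-SHA256(key, expiry)>".
func sign(key []byte, expiry time.Time) string {
	exp := strconv.FormatInt(expiry.Unix(), 10)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(exp))
	return exp + "." + hex.EncodeToString(mac.Sum(nil))
}

// authorizeConnect (hypothetical helper) returns 200 and "" when the CONNECT
// may be tunnelled, or 407 and a reason that proxy 1 can relay to the client.
func authorizeConnect(r *http.Request, key []byte, now time.Time) (int, string) {
	h := r.Header.Get("Proxy-Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return http.StatusProxyAuthRequired, "missing"
	}
	token := strings.TrimPrefix(h, "Bearer ")
	secs, err := strconv.ParseInt(strings.SplitN(token, ".", 2)[0], 10, 64)
	if err != nil {
		return http.StatusProxyAuthRequired, "rejected"
	}
	// Verify the MAC before trusting the expiry; hmac.Equal is constant-time.
	if !hmac.Equal([]byte(token), []byte(sign(key, time.Unix(secs, 0)))) {
		return http.StatusProxyAuthRequired, "rejected"
	}
	if !now.Before(time.Unix(secs, 0)) {
		return http.StatusProxyAuthRequired, "expired"
	}
	return http.StatusOK, ""
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	now := time.Unix(1_700_000_000, 0)
	req, _ := http.NewRequest(http.MethodConnect, "http://service.example:443", nil)
	req.Header.Set("Proxy-Authorization", "Bearer "+sign(key, now.Add(time.Minute)))
	fmt.Println(authorizeConnect(req, key, now))
}
```
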

@RomanManz can you fix the linting issues reported by the pipeline?

ErikPelli avatar Feb 22 '25 17:02 ErikPelli

There is still a linting error, I think it's because you aren't using the correct number of spaces for the function parameters

ErikPelli avatar Feb 24 '25 11:02 ErikPelli

This pull request changes the public interface of the NewProxy() method, by adding the error return. This will break the existing implementations, so I ported this change to the v2 branch and kept the current implementation in the master branch.

ErikPelli avatar Feb 24 '25 16:02 ErikPelli