TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-01-08 09:07:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

tshttp, derphttp: send Proxy-Authorization, not Authorization, to proxies

Browse Source 
Whoops. But weirdly, sending Authorization sometimes worked?
This commit is contained in:
Brad Fitzpatrick 2020-08-28 20:58:14 -07:00
parent 3af2d671e6
commit 1e0be5a458
3 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/tailscale/cli/debug.go
View File

@ -106,10 +106,14 @@ func getURL(ctx context.Context, urlStr string) error {
} }
if proxyURL != nil { if proxyURL != nil {
auth, err := tshttpproxy.GetAuthHeader(proxyURL) auth, err := tshttpproxy.GetAuthHeader(proxyURL)
log.Printf("tshttpproxy.GetAuthHeader(%v) = %q, %v", proxyURL, auth, err)
if err == nil && auth != "" { if err == nil && auth != "" {
tr.ProxyConnectHeader.Set("Authorization", auth) tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
} }
const truncLen = 20
if len(auth) > truncLen {
auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
}
log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
} }
res, err := tr.RoundTrip(req) res, err := tr.RoundTrip(req)
if err != nil { if err != nil {

2
derp/derphttp/derphttp_client.go
View File

@ -594,7 +594,7 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
if v, err := tshttpproxy.GetAuthHeader(pu); err != nil { if v, err := tshttpproxy.GetAuthHeader(pu); err != nil {
c.logf("derphttp: error getting proxy auth header for %v: %v", proxyURL, err) c.logf("derphttp: error getting proxy auth header for %v: %v", proxyURL, err)
} else if v != "" { } else if v != "" {
authHeader = fmt.Sprintf("Authorization: %s\r\n", v) authHeader = fmt.Sprintf("Proxy-Authorization: %s\r\n", v)
} }
if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil { if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil {

14
net/tshttpproxy/tshttpproxy_future.go
View File

@ -11,11 +11,14 @@
import ( import (
"context" "context"
"fmt"
"log" "log"
"net/http" "net/http"
"net/url" "net/url"
) )
const proxyAuthHeader = "Proxy-Authorization"
func init() { func init() {
condSetTransportGetProxyConnectHeader = func(tr *http.Transport) { condSetTransportGetProxyConnectHeader = func(tr *http.Transport) {
tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) { tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
@ -27,7 +30,16 @@ func init() {
if v == "" { if v == "" {
return nil, nil return nil, nil
} }
return http.Header{"Authorization": []string{v}}, nil return http.Header{proxyAuthHeader: []string{v}}, nil
}
tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
auth := connectReq.Header.Get(proxyAuthHeader)
const truncLen = 20
if len(auth) > truncLen {
auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
}
log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
return nil
} }
} }
} }