net/tshttpproxy: don't proxy through ourselves

When running a SOCKS or HTTP proxy, configure the tshttpproxy package to drop those addresses from any HTTP_PROXY or HTTPS_PROXY environment variables. Fixes #7407 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I6cd7cad7a609c639780484bad521c7514841764b
2025-08-14 06:57:31 +00:00 · 2023-03-04 21:49:05 -05:00
parent 62a1e9a44f
commit 38e4d303a2
5 changed files with 207 additions and 4 deletions
--- a/net/tshttpproxy/tshttpproxy_test.go
+++ b/net/tshttpproxy/tshttpproxy_test.go
@@ -81,3 +81,127 @@ func TestProxyFromEnvironment_setNoProxyUntil(t *testing.T) {
 	}

 }
+
+func TestSetSelfProxy(t *testing.T) {
+	// Ensure we clean everything up at the end of our test
+	t.Cleanup(func() {
+		config = nil
+		proxyFunc = nil
+	})
+
+	testCases := []struct {
+		name      string
+		env       map[string]string
+		self      []string
+		wantHTTP  string
+		wantHTTPS string
+	}{
+		{
+			name: "no self proxy",
+			env: map[string]string{
+				"HTTP_PROXY":  "127.0.0.1:1234",
+				"HTTPS_PROXY": "127.0.0.1:1234",
+			},
+			self:      nil,
+			wantHTTP:  "127.0.0.1:1234",
+			wantHTTPS: "127.0.0.1:1234",
+		},
+		{
+			name: "skip proxies",
+			env: map[string]string{
+				"HTTP_PROXY":  "127.0.0.1:1234",
+				"HTTPS_PROXY": "127.0.0.1:5678",
+			},
+			self:      []string{"127.0.0.1:1234", "127.0.0.1:5678"},
+			wantHTTP:  "", // skipped
+			wantHTTPS: "", // skipped
+		},
+		{
+			name: "localhost normalization of env var",
+			env: map[string]string{
+				"HTTP_PROXY":  "localhost:1234",
+				"HTTPS_PROXY": "[::1]:5678",
+			},
+			self:      []string{"127.0.0.1:1234", "127.0.0.1:5678"},
+			wantHTTP:  "", // skipped
+			wantHTTPS: "", // skipped
+		},
+		{
+			name: "localhost normalization of addr",
+			env: map[string]string{
+				"HTTP_PROXY":  "127.0.0.1:1234",
+				"HTTPS_PROXY": "127.0.0.1:1234",
+			},
+			self:      []string{"[::1]:1234"},
+			wantHTTP:  "", // skipped
+			wantHTTPS: "", // skipped
+		},
+		{
+			name: "no ports",
+			env: map[string]string{
+				"HTTP_PROXY":  "myproxy",
+				"HTTPS_PROXY": "myproxy",
+			},
+			self:      []string{"127.0.0.1:1234"},
+			wantHTTP:  "myproxy",
+			wantHTTPS: "myproxy",
+		},
+	}
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			for k, v := range tt.env {
+				oldEnv, found := os.LookupEnv(k)
+				if found {
+					t.Cleanup(func() {
+						os.Setenv(k, oldEnv)
+					})
+				}
+				os.Setenv(k, v)
+			}
+
+			// Reset computed variables
+			config = nil
+			proxyFunc = func(*url.URL) (*url.URL, error) {
+				panic("should not be called")
+			}
+
+			SetSelfProxy(tt.self...)
+
+			if got := config.HTTPProxy; got != tt.wantHTTP {
+				t.Errorf("got HTTPProxy=%q; want %q", got, tt.wantHTTP)
+			}
+			if got := config.HTTPSProxy; got != tt.wantHTTPS {
+				t.Errorf("got HTTPSProxy=%q; want %q", got, tt.wantHTTPS)
+			}
+			if proxyFunc != nil {
+				t.Errorf("wanted nil proxyFunc")
+			}
+
+			// Verify that we do actually proxy through the
+			// expected proxy, if we have one configured.
+			pf := getProxyFunc()
+			if tt.wantHTTP != "" {
+				want := "http://" + tt.wantHTTP
+
+				uu, _ := url.Parse("http://tailscale.com")
+				dest, err := pf(uu)
+				if err != nil {
+					t.Error(err)
+				} else if dest.String() != want {
+					t.Errorf("got dest=%q; want %q", dest, want)
+				}
+			}
+			if tt.wantHTTPS != "" {
+				want := "http://" + tt.wantHTTPS
+
+				uu, _ := url.Parse("https://tailscale.com")
+				dest, err := pf(uu)
+				if err != nil {
+					t.Error(err)
+				} else if dest.String() != want {
+					t.Errorf("got dest=%q; want %q", dest, want)
+				}
+			}
+		})
+	}
+}