On Wed, 12 Jun 2024, at 13:04, Aleksandar Lazic wrote:
> Hi.
>
> Attached a new version with updated upstream-proxy.cfg.
>
> This patch also has the feature `upstream-proxy-target` to get rid of the 
> dependency on the srv->hostname.
>
> ```
> tcp-request content upstream-proxy-target www.test1.com
> ```
>
> Now I have tested the setup with `0.0.0.0` as server.
>
> ```
> server https_Via_Proxy1 0.0.0.0:0 upstream-proxy-tunnel 127.0.0.1:3128 init-addr 127.0.0.1
> ```
>
> @Dave: Can you use a name for the upstream-proxy-tunnel instead of IP?

Yes, it does the DNS lookup happily, and I can pass the secret via env. Nice!

----------- 8< -----------
frontend stream_fe
  bind            :::443        v4v6
  mode tcp
  option tcplog
  default_backend stream_be

backend stream_be
  mode tcp
  tcp-request content upstream-proxy-header Host www.httpbin.org
  tcp-request content upstream-proxy-header "$AUTH" "$TOKEN"
  tcp-request content upstream-proxy-header Proxy-Connection Keep-Alive
  tcp-request content upstream-proxy-target www.httpbin.org
  server stream www.httpbin.org:443 upstream-proxy-tunnel "$PROXY":10000
----------- 8< -----------

So this looks good, we send the right headers now, thank you!

Upstream proxy replies "HTTP/1.1 200 OK" which seems legit.

But then haproxy sends RST, instead of the buffered proxy data.

After a bit more tcpdump & code reading, I made a small
modification in conn_recv_upstream_proxy_tunnel_response/2

struct ist upstream_proxy_successful = ist("HTTP/1.1 200 OK");

and then I get actual data back through the proxy - great!

This seems ok according to 
https://datatracker.ietf.org/doc/html/rfc9110#name-connect

"Any 2xx (Successful) response indicates that the sender (and all inbound 
proxies) will switch to tunnel mode immediately after the response header 
section ..."

Is it possible to read up to "HTTP/1.1 200" and then ignore everything
up to 0x0d0a? That should cover the RFC and both our examples.

For me, there are still 2 things I'm not clear on:

- I don't follow yet what upstream-proxy-target provides, or is this just
  plumbing for later when we have requests?

- In `server https_Via_Proxy1 0.0.0.0:0 upstream-proxy-tunnel 127.0.0.1:3128`
  from your config, what is 0.0.0.0:0 used for here? This binds to all IPv4
  but on a random free port?

A+
Dave
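
The status check discussed in the message above, as an added example that is not part of the original e-mail and is not HAProxy code: a C function that accepts any 2xx CONNECT reply and returns the offset just past the response header section, following the RFC 9110 sentence quoted above. The name `connect_reply_check` and the `MAX_REPLY_HDR` cap are assumptions, and the sample reply is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REPLY_HDR 8192 /* assumed cap on the proxy's header section */

/* Hypothetical helper, not HAProxy code. Inspects the bytes received from
 * the upstream proxy after CONNECT was sent.
 *   > 0 : 2xx reply, value is the offset of the first tunnelled byte
 *     0 : header section not complete yet, read more
 *    -1 : malformed status line, non-2xx status, or oversized header */
long connect_reply_check(const char *buf, size_t len)
{
    size_t i;

    /* "HTTP/1.x NNN" is 12 bytes; wait until the status code is readable. */
    if (len < 12)
        return 0;
    if (memcmp(buf, "HTTP/1.", 7) != 0 || !isdigit((unsigned char)buf[7]) ||
        buf[8] != ' ')
        return -1;
    for (i = 9; i < 12; i++)
        if (!isdigit((unsigned char)buf[i]))
            return -1;
    /* RFC 9110: any 2xx means the proxy switches to tunnel mode. */
    if (buf[9] != '2')
        return -1;
    /* The code must end here, so "2000" or "200x" is rejected. */
    if (len > 12 && buf[12] != ' ' && buf[12] != '\r')
        return -1;

    /* The tunnel starts after the empty line that ends the header section,
     * so the reason phrase and every header field are skipped. */
    for (i = 12; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return (long)(i + 4);

    return len >= MAX_REPLY_HDR ? -1 : 0;
}

int main(void)
{
    /* Constructed sample: 2xx reply followed by the first tunnelled byte. */
    const char reply[] = "HTTP/1.1 200 Connection established\r\n\r\n\x16";
    printf("tunnel data starts at offset %ld\n",
           connect_reply_check(reply, sizeof(reply) - 1));
    return 0;
}
```

Returning 0 until the blank line arrives keeps header bytes from the proxy out of the tunnelled stream when the reply is split across TCP segments.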
