Add HTTPS proxy support #495
Conversation
Adding HTTPS proxy support reuses `Stream` for the connection, so nested TlsStreams can be used, one for the proxy and one for the connection to the target host. This comes at the cost of making Stream and parts of the interface public. In addition, the `Sync` trait is required for Errors to continue working (std::io::Error requirement). As all TlsConnectors seem to be generic over the Stream type, replacing the TcpStream type with Stream seems to not be an issue. HTTPS proxy currently uses a default native_tls TlsConnector when the 'native-tls' feature is set, otherwise it falls back to 'default_tls_config()'. Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
Signed-off-by: Mira Limbeck <m.limbeck@proxmox.com>
There was a problem hiding this comment.
Thanks for this PR!
Currently it makes changes that would break implementations for people using ureq. That means we would need to release these changes with a major version bump – and we're not keen to do that right now.
We can park this PR until we are ready to do a major bump. Alternatively if there's some way of preserving the current public API – that would be preferable.
|
@puffi I just had a realisation. Because the fix for #461 was never released, we are actually in a situation where no one can have implemented a TLS provider against 2.4.0. That means we can still change the API from TcpStream to Stream as you are proposing (it's obviously the better choice!). I've pushed two commits to your PR. One that fixes some variable naming (tcp_stream -> stream), and one that again removes the Sync trait bound for Stream. |
|
@jsha Do you have time to look at this? HTTPS proxy support means we need to have a TLS stream inside a TLS stream. That means changing our public API so that However. Because of #461 no one has so far been able to implement a This does mean
pub trait TlsConnector: Send + Sync {
fn connect(
&self,
dns_name: &str,
io: Box<dyn ReadWrite>,
) -> Result<Box<dyn ReadWrite>, crate::error::Error>;
}I.e. keep |
|
#510 explores changing the |
|
I gave some feedback on #510, which seems like a good approach. Would you still like me to look at this implementation? |
|
Now that 2.5.0 is released and I got reminded about this pull request by a coworker, I'll work on this again. |
|
Whatever is easier for you. I think we got all the history we need for the change either way. |
|
I'll open a new request once the code is ready. |
|
Or would it be an option to make the TlsConnector clonable to be able to get a new connector of the same provider? Currently that's not required as part of the trait, and as such not possible. |
|
@puffi not sure i follow here. I don't see how it "can only be used once". An agent can (per definition) issue many requests with the same connector. The #[derive(Clone)]
pub(crate) struct TlsConfig(Arc<dyn TlsConnector>);And let tls_conf = &unit.agent.config.tls_config;
let https_stream = tls_conf.connect(hostname, Box::new(sock))?;Seems like the |
|
Sorry for the noise, it seems to work now. I'll create the new pull request soon, thanks for the help! |
|
Closing this since I've opened a new one (#544). |
This has a lot of interface changes, every change should be mentioned in the commit message.
Some things are still not clear to me, one is how to handle different TLS implementations when the connection to the proxy is made. We can't just reuse the TlsConnector for both the proxy connection as well as the connection to the target.