SPICE-0004: HTTP Proxy Support

[bioball]

This is a continuation of the design discussion started here: apple/pkl#309

Implementation: apple/pkl#472

[translatenix]

I think this is a mistake. Env vars are the way to configure proxy settings for command-line tools. Nobody wants to configure each tool separately. I’m optimistic that the listed concerns have good enough solutions.

[bioball]

I'm open to the argument, but: another concern here is: how does this play with --env-var? What happens if you do:

pkl eval --env-var http_proxy=http://some.proxy foo.pkl

It feels like this shouldn't affect proxy settings, because this is ostensibly just a way to configure what read("env:") will return.

But if that doesn't affect the proxy, this is possibly a strange behavior:

# talk via the proxy
export http_proxy=http://some.proxy pkl eval foo.pkl

# does not talk via the proxy
pkl eval --env-var http_proxy=http://some.proxy foo.pkl

There's also plenty of languages/tools whose proxies aren't configured by env vars. Just some quick skimming (as far as I can tell):

• Node.js
• Java
• Rust, Cargo
• PHP

[translatenix]

Java supports OS proxy settings, and there are signs that env vars will be reconsidered. Honoring neither OS settings nor env vars will force users to script a solution specifically for Pkl.

Regarding --env-var, the behavior you described seems fine to me.

It would be very helpful to get input from frequent proxy users. I haven't used a proxy in over a decade.

[stackoverflow]

Not sure I'm sold on configuring proxies via env vars. Nothing else in Pkl in configured using them, also, It may lead to "works on my machine" problems where you have the right env vars set.

[bioball]

Supporting OS proxy settings sounds more enticing than supporting envvar-based configuration, if that's possible.

[translatenix]

What’s the use case for this?

[bioball]

I am deploying into an environment that needs proxying. Instead of setting it up on my target machine, or setting it up via a script, I can just set it in my PklProject file.

[translatenix]

Do you have evidence that this is useful? Is it practical to only have per-project proxy settings?

[stackoverflow]

I think the rationale here is that settings.pkl is a user specific configuration, which only leaves PklProject and CLI/Evaluator options left for shared configs. Configuring your proxy every time via CLI doesn't seem ideal, so adding this settings to PklProject allows for a project-wide proxy configuration.

[bioball]

Do you have evidence that this is useful? Is it practical to only have per-project proxy settings?

Yeah, this is something that was brought up as a desired use-case from some of our users.

[translatenix]

What’s the use case for Pkl proxy settings that differ from Gradle/JVM proxy settings?

[bioball]

I want to control pkl eval through Gradle, but I want it to otherwise behave exactly like my CLI does.

[translatenix]

The correct proxy settings depend on the network you’re on. Can you think of a use case where having different proxy settings for Gradle and the Gradle Pkl plugin is useful? I can’t.

[translatenix]

Is exposing ProxySelector really necessary? (For certificates, we managed to avoid dependencies on java.net classes.)

[bioball]

I'm open to ideas here!

[translatenix]

What motivated you to expose it?

[bioball]

The goal is to allow users to configure Pkl's proxy the same way their application's proxy is configured. setProxy(proxyAddress, List<URI> noProxy) is our bespoke implementation. Having this method means that those that are already using ProxySelector can configure our client the same way.

Some prior art; both java.net.HttpClient and okhttp accept ProxySelector.

[translatenix]

Of course java.net.HttpClient accepts ProxySelector. But with every java.net type added, it becomes more difficult to ever have another implementation of org.pkl.util.http.HttpClient (say NettyHttpClient). It’s better to wait until there is a proven need for “those that are already using ProxySelector can configure our client the same way”, then make an informed decision. That’s why I didn’t expose HttpClient.sendAsync—it’s not yet needed, and with virtual threads added in Java 21, it may never be needed.

[bioball]

But with every java.net type added, it becomes more difficult to ever have another implementation of org.pkl.util.http.HttpClient (say NettyHttpClient).

I'm not sure why this is desirable. Can you elaborate?

[translatenix]

Having a stdlib module just for proxy settings feels strange.
Can’t this be part of pkl.settings, even if pkl.Project needs it too (which I’m not convinced of)?

[bioball]

Both pkl.settings and pkl.Project need this, and neither is a logical subset of the other, so it feels cleanest to put it in a separate module.

We can also put it in base.pkl, but that affects the global namespace, which doesn't feel great.

We also possibly should put redirect rules in there, so maybe this intermediary module should be called HttpSettings, with proxy and rewrite rules both being in there.

[translatenix]

If a new stdlib module is needed, its scope should definitely be wider than proxy settings.

Is any of the following attractive?

1. pkl.Project extends pkl.settings
2. pkl.Project has a property of type pkl.settings
3. pkl.Project and pkl.settings have a common base module

[bioball]

Out of those three, I think the third one might be a reasonable approach; will play around with that a little bit.

[translatenix]

Alternative to what? As far as I can tell, this spice doesn’t propose any auth support. (I believe this is the right way to start given how little is offered by the JDK.)

[bioball]

Originally, I figured we would just use basic auth, but I'm backing off on that idea due to security concerns.

[stackoverflow]

Not sure I'm sold on configuring proxies via env vars. Nothing else in Pkl in configured using them, also, It may lead to "works on my machine" problems where you have the right env vars set.

[stackoverflow]

I think the rationale here is that settings.pkl is a user specific configuration, which only leaves PklProject and CLI/Evaluator options left for shared configs. Configuring your proxy every time via CLI doesn't seem ideal, so adding this settings to PklProject allows for a project-wide proxy configuration.

[stackoverflow]

Calling it pkl.HttpSettings would future-proof if for when URL rewriting arrives, though this can be done in said SPICE.

[stackoverflow]

URL rewriting was a considered alternative, but after some thought we found out they don't fully overlap and there may be a need for both.