proposal: net/http: Proxy: Support authentication that takes multiple rounds

[gogolok]

The Go http client lacks support for proxy authentication that takes multiple rounds, see for example #20053 . This prohibits support for a wider range of proxy authentications, for example NTLM proxy authentication.

Current issues trying to use NTLM proxy authentication:

• NTLM: proxy answers 407, but Go's http client expects 200
• NTLM: requires at least 2 rounds, Go's http client supports one round to setup proxy (HTTPS case with CONNECT)

I suggest to make the proxy connection setup customisable.

One could extend the Transport to specify a setup function to configure the proxy connection:

ProxySetup func(ctx ProxySetupContext) error

A context (in this example ProxySetupContext) needs to provide all necessary information to setup a proxy connection, that is:

• the target scheme, http vs. https
• the target addr
• proxy auth information
• proxy connect header (https case)
• the TCP connection (net.Conn)

A default proxy setup function would be provided. The default proxy setup function would handle the HTTPS+CONNECT case.

An attempt :

• master...anynines:http_proxy_setup
• NTLM proxy setup: https://github.com/anynines/go-proxy-setup-ntlm/blob/master/proxysetup/ntlm/ntlm.go

[ianlancetaylor]

CC @tombergan

[tombergan]

Can you explain why you cannot use a custom dialer as Brad suggested here?
#20053 (comment)

[gogolok]

I can use a custom dialer as Brad suggested:
https://github.com/anynines/go-ntlm-client-using-dialcontext/blob/master/main.go

[tombergan]

In that case I'd prefer to close this request. NTLM is a specific and narrow use case. It does not seem worth adding API for this one use case. If it turns out there many other protocols that use multi-round authentication, we can reconsider.