proposal: net/http: Proxy: Support authentication that takes multiple rounds #22288

Closed
gogolok opened this issue Oct 16, 2017 · 4 comments

@gogolok

commented Oct 16, 2017

The Go http client lacks support for proxy authentication that takes multiple rounds, see for example #20053. This prohibits support for a wider range of proxy authentications, for example NTLM proxy authentication.

Current issues trying to use NTLM proxy authentication:

  • NTLM: proxy answers 407, but Go's http client expects 200
  • NTLM: requires at least 2 rounds, Go's http client supports one round to set up the proxy (HTTPS case with CONNECT)

I suggest making the proxy connection setup customisable.

One could extend the Transport to specify a setup function to configure the proxy connection:

ProxySetup func(ctx ProxySetupContext) error

A context (in this example ProxySetupContext) needs to provide all necessary information to set up a proxy connection, that is:

  • the target scheme, http vs. https
  • the target addr
  • proxy auth information
  • proxy connect header (https case)
  • the TCP connection (net.Conn)

A default proxy setup function would be provided. The default proxy setup function would handle the HTTPS+CONNECT case.

An attempt :

@gopherbot gopherbot added this to the Proposal milestone Oct 16, 2017

@gopherbot gopherbot added the Proposal label Oct 16, 2017

@gbbr gbbr added the FeatureRequest label Oct 16, 2017

@ianlancetaylor ianlancetaylor changed the title Proposal: net/http: Proxy: Support authentication that takes multiple rounds proposal: net/http: Proxy: Support authentication that takes multiple rounds Oct 16, 2017

@ianlancetaylor

Contributor

commented Oct 16, 2017

@tombergan

Contributor

commented Oct 16, 2017

Can you explain why you cannot use a custom dialer as Brad suggested here?
#20053 (comment)

@gogolok

Author

commented Oct 17, 2017

@tombergan

Contributor

commented Oct 17, 2017

In that case I'd prefer to close this request. NTLM is a specific and narrow use case. It does not seem worth adding API for this one use case. If it turns out there are many other protocols that use multi-round authentication, we can reconsider.

@tombergan tombergan closed this Oct 17, 2017

gogolok added a commit to anynines/cli-OLD that referenced this issue Nov 17, 2017

experimental: NTLM proxy authentication using NTLM_PROXY environment variable

Go does not support NTLM proxy authentication by default.

An attempt golang/go#22288 to add NTLM
proxy authentication to Go's code base has not been accepted.

But there is a workaround/hack overwriting http.Transport.DialContext
to do NTLM proxy authentication.

Experimental:
Returns NTLM proxy authentication handler if NTLM_PROXY is set.
The environment variable NTLM_PROXY contains the proxy to be used.
Works on Windows only.
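
The multi-round CONNECT handshake this issue asks for, which a `DialContext` override like the one the commit message describes would run on the connection it dials to the proxy, shown as an added example (not code from the Go project or from the referenced commit). `ConnectMultiRound` and its `next` callback are hypothetical names, the `Demo` scheme and the in-process proxy are constructed stand-ins, and no NTLM message handling is included.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)

// ConnectMultiRound: next (hypothetical callback) maps the last challenge, "" at first, to a Proxy-Authorization value.
func ConnectMultiRound(conn net.Conn, target string, next func(string) (string, error), maxRounds int) error {
	br := bufio.NewReader(conn) // dropped after 200: the tunnelled peer waits for the client to speak
	for round, challenge := 0, ""; round < maxRounds; round++ {
		token, err := next(challenge)
		if err != nil {
			return err
		}
		req := &http.Request{Method: http.MethodConnect, URL: &url.URL{Opaque: target}, Host: target, Header: http.Header{"Proxy-Authorization": {token}}}
		if err := req.Write(conn); err != nil {
			return err
		}
		resp, err := http.ReadResponse(br, req)
		if err != nil {
			return err
		}
		if resp.StatusCode == http.StatusOK {
			return nil // tunnel established on this connection
		}
		challenge = resp.Header.Get("Proxy-Authenticate")
		if resp.StatusCode != http.StatusProxyAuthRequired || challenge == "" {
			return fmt.Errorf("proxy refused CONNECT: %s", resp.Status)
		}
		io.Copy(io.Discard, io.LimitReader(resp.Body, 64<<10)) // drain the 407 body, bounded
	}
	return fmt.Errorf("proxy authentication not finished after %d rounds", maxRounds)
}

func main() {
	c, s := net.Pipe()
	go func() { // constructed stand-in proxy: one 407 challenge, then 200
		br := bufio.NewReader(s)
		http.ReadRequest(br)
		io.WriteString(s, "HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Demo c1\r\nContent-Length: 0\r\n\r\n")
		http.ReadRequest(br)
		io.WriteString(s, "HTTP/1.1 200 Connection established\r\n\r\n")
	}()
	fmt.Println(ConnectMultiRound(c, "example.com:443", func(ch string) (string, error) { return "Demo " + ch, nil }, 3))
}
```

NTLM authenticates the connection rather than the request, so a `DialContext` override should create a fresh `next` callback for every dial and close the connection when this function returns an error.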

@golang golang locked and limited conversation to collaborators Oct 17, 2018
