BUGFIX | Teleport ALPN Proxy doesn't respect HTTP CONNECT Proxy (#18993

) (#19039)

lib/srv/alpnproxy/conn_upgrade.go

@@ -23,12 +23,12 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"time"
 
-	"github.com/gravitational/teleport"
 	"github.com/gravitational/trace"
 	"github.com/sirupsen/logrus"
 
+	"github.com/gravitational/teleport"
+	apiclient "github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/defaults"
 	"github.com/gravitational/teleport/lib/srv/alpnproxy/common"
 )
@@ -77,31 +77,29 @@ func IsALPNConnUpgradeRequired(addr string, insecure bool) bool {
 // alpnConnUpgradeDialer makes an "HTTP" upgrade call to the Proxy Service then
 // tunnels the connection with this connection upgrade.
 type alpnConnUpgradeDialer struct {
-	netDialer *net.Dialer
-	insecure  bool
+	dialer   apiclient.ContextDialer
+	insecure bool
 }
 
 // newALPNConnUpgradeDialer creates a new alpnConnUpgradeDialer.
-func newALPNConnUpgradeDialer(keepAlivePeriod, dialTimeout time.Duration, insecure bool) ContextDialer {
+func newALPNConnUpgradeDialer(dialer apiclient.ContextDialer, insecure bool) ContextDialer {
 	return &alpnConnUpgradeDialer{
 		insecure: insecure,
-		netDialer: &net.Dialer{
-			KeepAlive: keepAlivePeriod,
-			Timeout:   dialTimeout,
-		},
+		dialer:   dialer,
 	}
 }
 
 // DialContext implements ContextDialer
 func (d alpnConnUpgradeDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
 	logrus.Debugf("ALPN connection upgrade for %v.", addr)
 
-	tlsConn, err := tls.DialWithDialer(d.netDialer, network, addr, &tls.Config{
-		InsecureSkipVerify: d.insecure,
-	})
+	conn, err := d.dialer.DialContext(ctx, network, addr)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
+	tlsConn := tls.Client(conn, &tls.Config{
+		InsecureSkipVerify: d.insecure,
+	})
 
 	err = upgradeConnThroughWebAPI(tlsConn, url.URL{
 		Host:   addr,

lib/srv/alpnproxy/conn_upgrade_test.go

@@ -31,6 +31,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/gravitational/teleport"
+	apiclient "github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/srv/alpnproxy/common"
 	"github.com/gravitational/teleport/lib/tlsca"
@@ -77,8 +78,10 @@ func TestALPNConUpgradeDialer(t *testing.T) {
 		addr, err := url.Parse(server.URL)
 		require.NoError(t, err)
 
-		dialer := newALPNConnUpgradeDialer(0, 5*time.Second, true)
-		conn, err := dialer.DialContext(context.TODO(), "tcp", addr.Host)
+		ctx := context.TODO()
+		preDialer := apiclient.NewDialer(ctx, 0, 5*time.Second)
+		dialer := newALPNConnUpgradeDialer(preDialer, true)
+		conn, err := dialer.DialContext(ctx, "tcp", addr.Host)
 		require.NoError(t, err)
 
 		data := make([]byte, 100)
@@ -92,8 +95,10 @@ func TestALPNConUpgradeDialer(t *testing.T) {
 		addr, err := url.Parse(server.URL)
 		require.NoError(t, err)
 
-		dialer := newALPNConnUpgradeDialer(0, 5*time.Second, true)
-		_, err = dialer.DialContext(context.TODO(), "tcp", addr.Host)
+		ctx := context.TODO()
+		preDialer := apiclient.NewDialer(ctx, 0, 5*time.Second)
+		dialer := newALPNConnUpgradeDialer(preDialer, true)
+		_, err = dialer.DialContext(ctx, "tcp", addr.Host)
 		require.Error(t, err)
 	})
 }

lib/srv/alpnproxy/dialer.go

@@ -23,6 +23,8 @@ import (
 	"time"
 
 	"github.com/gravitational/trace"
+
+	apiclient "github.com/gravitational/teleport/api/client"
 )
 
 // ContextDialer represents network dialer interface that uses context
@@ -64,12 +66,9 @@ func (d ALPNDialer) DialContext(ctx context.Context, network, addr string) (net.
 		return nil, trace.BadParameter("missing TLS config")
 	}
 
-	var dialer ContextDialer = &net.Dialer{
-		KeepAlive: d.cfg.KeepAlivePeriod,
-		Timeout:   d.cfg.DialTimeout,
-	}
+	dialer := apiclient.NewDialer(ctx, d.cfg.DialTimeout, d.cfg.DialTimeout)
 	if d.cfg.ALPNConnUpgradeRequired {
-		dialer = newALPNConnUpgradeDialer(d.cfg.KeepAlivePeriod, d.cfg.DialTimeout, d.cfg.TLSConfig.InsecureSkipVerify)
+		dialer = newALPNConnUpgradeDialer(dialer, d.cfg.TLSConfig.InsecureSkipVerify)
 	}
 
 	conn, err := dialer.DialContext(ctx, network, addr)