support CIDRs in NO_PROXY #23003
support CIDRs in NO_PROXY #23003
@@ -23,6 +23,7 @@ import ( | |
"net" | ||
"net/http" | ||
"net/url" | ||
"os" | ||
"strconv" | ||
"strings" | ||
) | ||
|
@@ -55,8 +56,10 @@ var defaultTransport = http.DefaultTransport.(*http.Transport) | |
// SetTransportDefaults applies the defaults from http.DefaultTransport | ||
// for the Proxy, Dial, and TLSHandshakeTimeout fields if unset | ||
func SetTransportDefaults(t *http.Transport) *http.Transport { | ||
if t.Proxy == nil { | ||
t.Proxy = defaultTransport.Proxy | ||
if t.Proxy == nil || isDefault(t.Proxy) { | ||
// http.ProxyFromEnvironment doesn't respect CIDRs and that makes it impossible to exclude things like pod and service IPs from proxy settings | ||
// ProxierWithNoProxyCIDR allows CIDR rules in NO_PROXY | ||
t.Proxy = NewProxierWithNoProxyCIDR(http.ProxyFromEnvironment) | ||
} | ||
if t.Dial == nil { | ||
t.Dial = defaultTransport.Dial | ||
|
@@ -153,3 +156,56 @@ func GetClientIP(req *http.Request) net.IP { | |
ip := net.ParseIP(req.RemoteAddr) | ||
return ip | ||
} | ||
|
||
var defaultProxyFuncPointer = fmt.Sprintf("%p", http.ProxyFromEnvironment) | ||
|
||
// isDefault checks to see if the transportProxierFunc is pointing to the default one | ||
func isDefault(transportProxier func(*http.Request) (*url.URL, error)) bool { | ||
transportProxierPointer := fmt.Sprintf("%p", transportProxier) | ||
return transportProxierPointer == defaultProxyFuncPointer | ||
} | ||
|
||
// NewProxierWithNoProxyCIDR constructs a Proxier function that respects CIDRs in NO_PROXY and delegates if | ||
// no matching CIDRs are found | ||
func NewProxierWithNoProxyCIDR(delegate func(req *http.Request) (*url.URL, error)) func(req *http.Request) (*url.URL, error) { | ||
// we wrap the default method, so we only need to perform our check if the NO_PROXY envvar has a CIDR in it | ||
noProxyEnv := os.Getenv("NO_PROXY") | ||
noProxyRules := strings.Split(noProxyEnv, ",") | ||
|
||
cidrs := []*net.IPNet{} | ||
for _, noProxyRule := range noProxyRules { | ||
_, cidr, _ := net.ParseCIDR(noProxyRule) | ||
if cidr != nil { | ||
cidrs = append(cidrs, cidr) | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What if it's just an IP and not a CIDR? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ah, I see your comment above. |
||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: maybe, There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Updated. |
||
|
||
if len(cidrs) == 0 { | ||
return delegate | ||
} | ||
|
||
return func(req *http.Request) (*url.URL, error) { | ||
host := req.URL.Host | ||
// for some urls, the Host is already the host, not the host:port | ||
if net.ParseIP(host) == nil { | ||
var err error | ||
host, _, err = net.SplitHostPort(req.URL.Host) | ||
if err != nil { | ||
return delegate(req) | ||
} | ||
} | ||
|
||
ip := net.ParseIP(host) | ||
if ip == nil { | ||
return delegate(req) | ||
} | ||
|
||
for _, cidr := range cidrs { | ||
if cidr.Contains(ip) { | ||
return nil, nil | ||
} | ||
} | ||
|
||
return delegate(req) | ||
} | ||
} |
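Review bot: The CIDR list in NewProxierWithNoProxyCIDR is built only from `NO_PROXY` and the entries are not trimmed, so a rule given via the lowercase `no_proxy` name, or written as `..., 10.0.0.0/8` with a space after the comma, is silently dropped and those addresses are sent through the proxy, even though the delegate http.ProxyFromEnvironment accepts both spellings and trims entries for plain hosts. Fall back to the lowercase variable when the uppercase one is empty, `if noProxyEnv == "" { noProxyEnv = os.Getenv("no_proxy") }`, and parse each rule with `_, cidr, _ := net.ParseCIDR(strings.TrimSpace(noProxyRule))`. The rule list is also frozen at construction time, which the doc comment should state, e.g. `// NO_PROXY is read once when the proxier is built; later environment changes are not observed.` isDefault's `%p` comparison of function values appears to work for the stdlib proxier but relies on an unspecified formatting detail; a short comment recording that assumption would help the next maintainer.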
I'm in favor of this, but it was apparently contentious when this package was created. Would like agreement from @krousey and @lavalamp