Add support for HTTP_PROXY, HTTPS_PROXY, and NO_PROXY

[peterguy]

Adds support for the standard environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

SRC_PROXY still takes precedence, including over NO_PROXY.

Also added fixes for connecting to TLS-enabled proxies, where we want to connect to the SG API using HTTP/2, but many proxies support only HTTP/1.1, so we need to connect to the proxy via HTTP/1.1, then connect through the proxy to the SG API using HTTP/2.

Moved endpoint and proxy parsing to the config building so that typos and malformed urls are caught early and errors returned immediately.

Test plan

Added CI tests validating proxy behavior.

Manual testing

Install mitmproxy and squid.

Create an SSL cert for squid:

openssl req -x509 -newkey rsa:2048 \
  -keyout squid-key.pem -out squid-cert.pem \
  -days 365 -nodes -subj "/CN=localhost"
cat squid-key.pem squid-cert.pem > squid-proxy.pem

Create a config for squid:

cat << EOF >squid.conf
https_port 8445 cert=./squid-proxy.pem
sslproxy_session_cache_size 0
acl localnet src 127.0.0.1/32
http_access allow localhost
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_port 3128
EOF

Run mitmproxy - mitmproxy -v - in one terminal.

Run squid - squid -f ./squid.conf -N -d 1 - in another terminal.

In a third terminal, in the src-cli repo, build the binary: go build -o ./src-cli ./cmd/src

Ensure you have SRC_ENDPOINT and SRC_ACCESS_TOKEN set in your environment, and unset SRC_PROXY.

Try connecting with each proxy (mitmproxy is 8080, squid is 8445):

for x in http://localhost:8080 https://localhost:8445
do
HTTPS_PROXY=${x} ./src-cli login --insecure-skip-verify=true
SRC_PROXY=${x} ./src-cli login --insecure-skip-verify=true
done

You should get "Authenticated as [USER] on [ENDPOINT]" messages in your terminal, and in the mitmproxy and squid terminals, you should see activity.

This tests connecting through a proxy that connects with http (mitmproxy), and one that is TLS-enabled (squid).

Ensure that NO_PROXY is ignored when using SRC_PROXY and honored when using HTTPS_PROXY:

HTTPS_PROXY=http://localhost:8080 NO_PROXY=[HOSTNAME FROM ENDPOINT] ./src-cli login

You should get a successful login, but no entry in the mitmproxy log.

SRC_PROXY=http://localhost:8080 NO_PROXY=[HOSTNAME FROM ENDPOINT] ./src-cli login

You should get a successful login and also see an entry in the mitmproxy log.

Closes https://linear.app/sourcegraph/issue/CPL-236/src-cli-support-standard-http-proxy

[keegancsmith]

Nice! Inline comments, but otherwise LGTM

[keegancsmith]

why does https:// not work without intervention? (as documented below for http and socks5)

[peterguy]

Since we're connecting to the SG API using HTTP/2, the standard transport tries to connect to the TLS-enabled proxy using HTTP/2 also, which fails if the proxy doesn't support HTTP/2. I haven't found a proxy for local testing that does support HTTP/2; I suspect that most/all proxies that are TLS-enabled don't support HTTP/2.

[keegancsmith]

I think you can greatly simplify code here (and remove helpers like waitForServerReady and generateTestCert) by using the httptest package. It already provides functions to listen on TLS/etc and does things like wait for the server to be listening.

[keegancsmith]

This advice still stands

[keegancsmith]

get our favourite AI's to generate some example with ipv4, ipv6 and localhost.

[keegancsmith]

You might wanna rebase, I think william just did some CI updates which include things like go-lint/etc.

[peterguy]

Thanks for all of your commentary; I forgot to open this PR in draft mode! Been trying to address what looks like flakey tests in the Ubuntu CI runner; I'll go through your very helpful comments soon.

[peterguy]

This change is part of the following stack:

• refactor: validate and parse the endpoint and proxy at program load #1267
  • Add support for HTTP_PROXY, HTTPS_PROXY, and NO_PROXY #1260 ◀

_{Change managed by git-spice.}

[keegancsmith]

@peterguy alright just re-request review when ready.

[keegancsmith]

Requesting changes since I just wanna re-review once you have addressed the comments. FYI I pushed some commits to resolve the CI issues.

[keegancsmith]

you changed this is some other places as well. go convention is lowercase on error messages since they get combined. eg My outer error: My inner error doesn't read as nicely as my outer error: my inner error

[keegancsmith]

if I set SRC_PROXY to a http:// or socks5:// though, won't the default transport ignore it?

[peterguy]

I re-worked this section

[keegancsmith]

This advice still stands

[keegancsmith]

given you are doing TrimRight before you should probably do it here as well.

[keegancsmith]

net.Conn documents all methods to be concurrency safe. However, bufio.Reader is not. You need to add in a mutex here.

> Multiple goroutines may invoke methods on a Conn simultaneously.

[peterguy]

oh, thanks!

[keegancsmith]

It isn't clear to me why you introduced the buffered reader?

[peterguy]

Because I didn't want to lose any bytes after the headers that the reader may have buffered, which bytes could be the start of the tunneled connection data. Granted, it's probably not really a problem because the SG endpoint will in nearly every scenario also be TLS, and "TLS server will not speak until spoken to.", so there will not be any bytes beyond the header. But if the SG endpoint is plain http, we could lose bytes if we discard the buffered reader.

[keegancsmith]

is it worth updating all these test cases for this? I'd consider just not comparing this field in the comparsion in the test.

[bahrmichael]

I would wait for an update for Keegan's requested changes before doing my review pass if that's okay.