Add no_proxy support

[arthurpassos]

Changelog category (leave one):

• New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Allow proxy to be bypassed for hosts specified in no_proxy env variable and ClickHouse proxy configuration.

Documentation entry for user-facing changes

• [ X ] Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

Modify your CI run

NOTE: If your merge the PR with modified CI you MUST KNOW what you are doing
NOTE: Checked options will be applied if set before CI RunConfig/PrepareRunConfig step

Include tests (required builds will be added automatically):

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Unit tests
• Performance tests
• All with ASAN
• All with TSAN
• All with Analyzer
• All with Azure
• Add your option here

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• Add your option here

Extra options:

• do not test (only style check)
• disable merge-commit (no merge from master before tests)
• disable CI cache (job reuse)

Only specified batches in multi-batch jobs:

• 1
• 2
• 3
• 4

[alexey-milovidov]

Missing escaping.

[alexey-milovidov]

This feature looks too ad-hoc. Missing motivation about use cases. Why environment variables?

[arthurpassos]

This feature looks too ad-hoc. Missing motivation about use cases.

Consider the scenario where a ClickHouse instance uses two different S3 installations: AWS and a private one. For the AWS one, the user wants all requests to go through their proxy, while for the private one, no. With the current implementation, there is no way to achieve this.

Why environment variables?

ClickHouse currently supports proxy configuration in two different places: env variables and configuration files. This PR will add the functionality to both, but I haven't had the time to implement for configuration files yet. Plus, it's pretty standard to support NO_PROXY through environment variables.

[filimonov]

Why environment variables?

Not invited by us, just most tools in linux support that.

https://stackoverflow.com/questions/62632642/how-to-use-no-proxy-on-linux-machines-wildcards-leading-dots
https://stackoverflow.com/questions/13559377/curl-bypass-proxy-for-localhost

You
Looking for some documentation about NO_PROXY env variable, and who support that.

ChatGPT
The NO_PROXY environment variable is used to specify a list of domain names, IP addresses, or subnets that should be excluded from proxying. When using a proxy server, all traffic is generally redirected through the proxy unless specified otherwise in NO_PROXY. This is particularly useful in environments where you want to avoid the overhead of proxying local or intranet communications.

How NO_PROXY Works:

• Format: The NO_PROXY variable is a comma-separated list of domains and IP addresses that should bypass the proxy. For example: NO_PROXY=localhost,127.0.0.1,example.com,*.mycompany.com.
• Wildcards: You can use an asterisk (*) as a wildcard to match any subdomain. For example, *.example.com would apply to subdomain.example.com, another.example.com, etc.
• Ports: You can specify ports in NO_PROXY to exclude specific port traffic from being proxied. For example: example.com:8080.

Support for NO_PROXY:

• Operating Systems: Most Unix-like operating systems, including Linux and macOS, support the NO_PROXY variable natively. Windows also supports environment variables for proxy settings, though the behavior can vary slightly depending on the implementation.
• Programming Languages: Many programming languages and their standard libraries respect the NO_PROXY setting. For instance:
  • Python: The urllib library respects NO_PROXY.
  • Node.js: The request module and others respect NO_PROXY.
• Tools and Applications: Most command-line tools and applications that use network requests support NO_PROXY. This includes tools like curl, wget, and many others.

Documentation and Standards:

While there isn't a formal RFC that defines the behavior of NO_PROXY, its usage is largely consistent across different environments due to convention. The best place to find documentation on how NO_PROXY is implemented in a specific tool or library is typically the official documentation for that tool or library.

If you're using a specific tool or programming environment and need to know how it handles NO_PROXY, it would be a good idea to look at the official documentation or the configuration settings related to proxy handling in that environment.

Curl: https://curl.se/libcurl/c/CURLOPT_NOPROXY.html
wget: https://www.gnu.org/software/wget/manual/html_node/Proxies.html
etc.

Discussion about standardizing that.

https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/

[arthurpassos]

@alexey-milovidov can you enable CI?

[arthurpassos]

We should merge #63427 first

[robot-ch-test-poll]

This is an automated comment for commit f026cc4 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check name	Description	Status
Integration tests	The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests	❌ failure
Stress test	Runs stateless functional tests concurrently from several clients to detect concurrency-related errors	❌ failure

Successful checks

Check name	Description	Status
A Sync	If it fails, ask a maintainer for help	✅ success
AST fuzzer	Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help	✅ success
CI running	A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR	✅ success
ClickBench	Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table	✅ success
ClickHouse build check	Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process	✅ success
Compatibility check	Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help	✅ success
Docker keeper image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docker server image	The check to build and optionally push the mentioned image to docker hub	✅ success
Docs check	Builds and tests the documentation	✅ success
Fast test	Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here	✅ success
Flaky tests	Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc	✅ success
Install packages	Checks that the built packages are installable in a clear environment	✅ success
Mergeable Check	Checks if all other necessary checks are successful	✅ success
PR Check	Checks correctness of the PR's body	✅ success
Performance Comparison	Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests	✅ success
Stateful tests	Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Stateless tests	Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc	✅ success
Style check	Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report	✅ success
Unit tests	Runs the unit tests for different release types	✅ success
Upgrade check	Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts	✅ success

[arthurpassos]

@evillique can you also enable ci on #63427? That pr needs to be merged before this one

[CheSema]

This list is constructed from env. It is immutable for the rest of the program live.

Why we copy it to each connection?
Why do we leave it in raw format and parse each time?

[arthurpassos]

hm... if I had to argue, I would say simplicity and consistency with other types of resolvers that do not rely on environment variables. They always read stuff on the fly and generate a new configuration.

It is not a strong argument, tho. I could introduce some sort of static variable in EnvironmentProxyConfigurationResolver so that it reads only once from the environment and always returns that.

As for the native format, mostly because DB::ProxyConfiguration is 3rd party agnostic. Meaning it has no dependencies on Poco or AWS SDK. In any case, I am fine with converting it only once and storing the poco format in DB::ProxyConfiguration. If the need to abstract that ever appears, we can do it. For now, we can make this change.

What do you think?

[arthurpassos]

The last commit is a possible implementation of the above idea, please take a look: 3ae8176.

[arthurpassos]

@CheSema what dou you think of the current approach? env variables are queried only once. Poco regexp is build only once as well

[arthurpassos]

I believe the stress test failure is already being tracked -- #65043

Failing everywhere - test_checking_s3_blobs_paranoid