Move HTTP proxy CONNECT logic before ConnectionFactoryFilters
#2697
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Sep 19, 2023
Motivation: After apple#2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth. Modifications: - Add `SingleAddressHttpClientBuilder.proxyAddress(...)` overload that takes `Consumer<StreamingHttpRequest>` as a 2nd argument; - Recompute `HttpExecutionStrategy` after `CONNECT` request initializer is invoked in `ProxyConnectLBHttpConnectionFactory`; - Enhance `ProxyTunnel` and `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request if necessary.
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Sep 19, 2023
Motivation: After apple#2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth. Modifications: - Add `SingleAddressHttpClientBuilder.proxyAddress(...)` overload that takes `Consumer<StreamingHttpRequest>` as a 2nd argument; - Recompute `HttpExecutionStrategy` after `CONNECT` request initializer is invoked in `ProxyConnectLBHttpConnectionFactory`; - Enhance `ProxyTunnel` and `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request if necessary.
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Sep 19, 2023
Motivation: After apple#2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth. Modifications: - Add `SingleAddressHttpClientBuilder.proxyAddress(...)` overload that takes `Consumer<StreamingHttpRequest>` as a 2nd argument; - Recompute `HttpExecutionStrategy` after `CONNECT` request initializer is invoked in `ProxyConnectLBHttpConnectionFactory`; - Enhance `ProxyConnectLBHttpConnectionFactoryTest` to verify that the initializer is invoked and users can alter execution strategy; - Enhance `ProxyTunnel` and `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request if necessary.
This was referenced Sep 19, 2023
daschl
reviewed
Sep 19, 2023
...-http-netty/src/main/java/io/servicetalk/http/netty/ProxyConnectLBHttpConnectionFactory.java
Outdated
Show resolved
Hide resolved
...-http-netty/src/main/java/io/servicetalk/http/netty/ProxyConnectLBHttpConnectionFactory.java
Show resolved
Hide resolved
...-http-netty/src/main/java/io/servicetalk/http/netty/ProxyConnectLBHttpConnectionFactory.java
Outdated
Show resolved
Hide resolved
...-http-netty/src/main/java/io/servicetalk/http/netty/ProxyConnectLBHttpConnectionFactory.java
Show resolved
Hide resolved
...-http-netty/src/main/java/io/servicetalk/http/netty/ProxyConnectLBHttpConnectionFactory.java
Show resolved
Hide resolved
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Sep 19, 2023
Motivation: After apple#2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth. Modifications: - Add `SingleAddressHttpClientBuilder.proxyAddress(...)` overload that takes `Consumer<StreamingHttpRequest>` as a 2nd argument; - Recompute `HttpExecutionStrategy` after `CONNECT` request initializer is invoked in `ProxyConnectLBHttpConnectionFactory`; - Enhance `ProxyConnectLBHttpConnectionFactoryTest` to verify that the initializer is invoked and users can alter execution strategy; - Enhance `ProxyTunnel` and `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request if necessary.
daschl
approved these changes
Sep 20, 2023
Motivation: Currently, HTTP proxy `CONNECT` logic is prepended before user-defined `ConnectionFactoryFilter`s. Because user filters can wrap `FilterableStreamingHttpConnection`: 1. It makes it hard to upgrade connection protocol if ALPN agrees on a different protocol. 2. `ProxyConnectConnectionFactoryFilter` can not access Netty's `Channel` to trigger TLS handshake. Modifications: - Create `ProxyConnectLBHttpConnectionFactory` as an alternative to `PipelinedLBHttpConnectionFactory` that makes HTTP proxy `CONNECT` request after `PipelinedStreamingHttpConnection` is created; - Keep `ProxyConnectConnectionFactoryFilter` only for the purpose of propagating `HTTP_TARGET_ADDRESS_BEHIND_PROXY` key upstream; - Add internal `NettyFilterableStreamingHttpConnection` to get access to Netty `Channel` without type cast; - Enhance `StacklessClosedChannelException` to carry a message; Result: 1. No need to worry that HTTP CONNECT won't work if users wrapped `FilterableStreamingHttpConnection` in their `ConnectionFactoryFilter`s. 2. Makes it possible to change protocol based on ALPN (will be done in a follow-up PRs). Behavior change: - Because user-defined `ConnectionFactoryFilter`s can not intercept HTTP `CONNECT` request anymore, they loose ability to alter the request (for example, to set auth or debug headers). Follow-up PRs will add new API to let users intercept such requests.
idelpivnitskiy
force-pushed
the
move-proxy-connect
branch
from
cd19695 to
93179ef
Compare
daschl
approved these changes
Sep 29, 2023
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Nov 8, 2023
Motivation: After apple#2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost the ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth, tracing, etc. Modifications: - Introduce `ProxyConfig` and `ProxyConfigBuilder` in `http-api` that can be used to provide additional options for proxy behavior; - Add `SingleAddressHttpClientBuilder.proxyConfig(...)` overload that takes `ProxyConfig`; - Deprecate pre-existing `SingleAddressHttpClientBuilder.proxyAddress()` method, recommend switching to new API; - Enhance `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request headers, if necessary.
idelpivnitskiy
added a commit
that referenced
this pull request
Nov 13, 2023
Motivation: After #2697 moved HTTP proxy `CONNECT` logic before user-defined `ConnectionFactoryFilter`s, users lost the ability to intercept `CONNECT` requests for the purpose of adding custom headers, like auth, tracing, etc. Modifications: - Introduce `ProxyConfig` and `ProxyConfigBuilder` in `http-api` that can be used to provide additional options for proxy behavior; - Add `SingleAddressHttpClientBuilder.proxyConfig(...)` overload that takes `ProxyConfig`; - Deprecate pre-existing `SingleAddressHttpClientBuilder.proxyAddress()` method, recommend switching to new API; - Enhance `HttpsProxyTest` to verify that new API can be used to send `Proxy-Authorization` header; Result: Users have explicit API to alter HTTP `CONNECT` request headers, if necessary.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Currently, HTTP proxy
CONNECTlogic is prepended before user-definedConnectionFactoryFilters. Because user filters can wrapFilterableStreamingHttpConnection:ProxyConnectConnectionFactoryFiltercan not access Netty'sChannelto trigger TLS handshake.Modifications:
ProxyConnectLBHttpConnectionFactoryas an alternative toPipelinedLBHttpConnectionFactorythat makes HTTP proxyCONNECTrequest afterPipelinedStreamingHttpConnectionis created;ProxyConnectConnectionFactoryFilteronly for the purpose of propagatingHTTP_TARGET_ADDRESS_BEHIND_PROXYkey upstream;NettyFilterableStreamingHttpConnectionto get access to NettyChannelwithout type cast;StacklessClosedChannelExceptionto carry a message;ProxyConnectConnectionFactoryFilterTesttoProxyConnectLBHttpConnectionFactoryTest, adjust for testingprocessConnectmethod;Result:
FilterableStreamingHttpConnectionin theirConnectionFactoryFilters.Behavior change:
ConnectionFactoryFilters can not intercept HTTPCONNECTrequests anymore, they lose ability to alter the request (for example, to set auth or debug headers). Follow-up PRs will add new API to let users intercept such requests.