gravitational · atburke · Jun 7, 2022 · May 31, 2022 · May 31, 2022 · May 31, 2022
diff --git a/api/client/client.go b/api/client/client.go
@@ -289,12 +289,7 @@ type (
 
 // authConnect connects to the Teleport Auth Server directly.
 func authConnect(ctx context.Context, params connectParams) (*Client, error) {
-	var dialer ContextDialer
-	if params.cfg.IgnoreHTTPProxy {
-		dialer = NewDirectDialer(params.cfg.KeepAlivePeriod, params.cfg.DialTimeout)
-	} else {
-		dialer = NewDialer(params.cfg.KeepAlivePeriod, params.cfg.DialTimeout)
-	}
+	dialer := NewDialer(params.cfg.KeepAlivePeriod, params.cfg.DialTimeout)
 	clt := newClient(params.cfg, dialer, params.tlsConfig)
 	if err := clt.dialGRPC(ctx, params.addr); err != nil {
 		return nil, trace.Wrap(err, "failed to connect to addr %v as an auth server", params.addr)
@@ -474,8 +469,6 @@ type Config struct {
 	// ALPNSNIAuthDialClusterName if present the client will include ALPN SNI routing information in TLS Hello message
 	// allowing to dial auth service through Teleport Proxy directly without using SSH Tunnels.
 	ALPNSNIAuthDialClusterName string
-	// IgnoreHTTPProxy disables support for HTTP proxying when true.
-	IgnoreHTTPProxy bool
 }
 
 // CheckAndSetDefaults checks and sets default config values.

diff --git a/api/client/contextdialer.go b/api/client/contextdialer.go
@@ -46,8 +46,8 @@ func (f ContextDialerFunc) DialContext(ctx context.Context, network, addr string
 	return f(ctx, network, addr)
 }
 
-// NewDirectDialer makes a new dialer to connect directly to an Auth server, ignoring any HTTP proxies.
-func NewDirectDialer(keepAlivePeriod, dialTimeout time.Duration) ContextDialer {
+// newDirectDialer makes a new dialer to connect directly to an Auth server.
+func newDirectDialer(keepAlivePeriod, dialTimeout time.Duration) ContextDialer {
 	return &net.Dialer{
 		Timeout:   dialTimeout,
 		KeepAlive: keepAlivePeriod,
@@ -58,7 +58,7 @@ func NewDirectDialer(keepAlivePeriod, dialTimeout time.Duration) ContextDialer {
 // on the environment.
 func NewDialer(keepAlivePeriod, dialTimeout time.Duration) ContextDialer {
 	return ContextDialerFunc(func(ctx context.Context, network, addr string) (net.Conn, error) {
-		dialer := NewDirectDialer(keepAlivePeriod, dialTimeout)
+		dialer := newDirectDialer(keepAlivePeriod, dialTimeout)
 		if proxyAddr := proxy.GetProxyAddress(addr); proxyAddr != nil {
 			return DialProxyWithDialer(ctx, proxyAddr.Host, addr, dialer)
 		}
@@ -87,7 +87,7 @@ func NewProxyDialer(ssh ssh.ClientConfig, keepAlivePeriod, dialTimeout time.Dura
 
 // newTunnelDialer makes a dialer to connect to an Auth server through the SSH reverse tunnel on the proxy.
 func newTunnelDialer(ssh ssh.ClientConfig, keepAlivePeriod, dialTimeout time.Duration) ContextDialer {
-	dialer := NewDirectDialer(keepAlivePeriod, dialTimeout)
+	dialer := newDirectDialer(keepAlivePeriod, dialTimeout)
 	return ContextDialerFunc(func(ctx context.Context, network, addr string) (conn net.Conn, err error) {
 		conn, err = dialer.DialContext(ctx, network, addr)
 		if err != nil {

diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -60,8 +60,6 @@ type Config struct {
 	// ExtraHeaders is a map of extra HTTP headers to be included in
 	// requests.
 	ExtraHeaders map[string]string
-	// IgnoreHTTPProxy disables support for HTTP proxying when true.
-	IgnoreHTTPProxy bool
 	// Timeout is a timeout for requests.
 	Timeout time.Duration
 }
@@ -91,11 +89,9 @@ func newWebClient(cfg *Config) (*http.Client, error) {
 			InsecureSkipVerify: cfg.Insecure,
 			RootCAs:            cfg.Pool,
 		},
-	}
-	if !cfg.IgnoreHTTPProxy {
-		transport.Proxy = func(req *http.Request) (*url.URL, error) {
+		Proxy: func(req *http.Request) (*url.URL, error) {
 			return httpproxy.FromEnvironment().ProxyFunc()(req.URL)
-		}
+		},
 	}
 	return &http.Client{
 		Transport: otelhttp.NewTransport(proxy.NewHTTPFallbackRoundTripper(&transport, cfg.Insecure)),

diff --git a/api/client/webclient/webclient_test.go b/api/client/webclient/webclient_test.go
@@ -323,19 +323,3 @@ func TestNewWebClientNoProxy(t *testing.T) {
 	require.Contains(t, err.Error(), "lookup fakedomain.example.com")
 	require.Contains(t, err.Error(), "no such host")
 }
-
-func TestNewWebClientIgnoreProxy(t *testing.T) {
-	t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
-	client, err := newWebClient(&Config{
-		Context:         context.Background(),
-		ProxyAddr:       "localhost:3080",
-		IgnoreHTTPProxy: true,
-	})
-	require.NoError(t, err)
-	//nolint:bodyclose
-	resp, err := client.Get("https://fakedomain.example.com")
-	require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
-	require.NotContains(t, err.Error(), "proxyconnect")
-	require.Contains(t, err.Error(), "lookup fakedomain.example.com")
-	require.Contains(t, err.Error(), "no such host")
-}
diff --git a/integration/proxy_test.go b/integration/proxy_test.go
@@ -239,11 +239,18 @@ func TestALPNSNIHTTPSProxy(t *testing.T) {
 	require.Greater(t, ps.Count(), 0, "proxy did not intercept any connection")
 }
 
-// TestMultiPortNoProxy tests that the reverse tunnel does NOT use http_proxy
-// when not in single-port mode.
-func TestMultiPortNoProxy(t *testing.T) {
+// TestMultiPortHTTPSProxy tests if the reverse tunnel uses http_proxy
+// on a multiple proxy port setup.
+func TestMultiPortHTTPSProxy(t *testing.T) {
+	// start the http proxy
+	ps := &proxyServer{}
+	ts := httptest.NewServer(ps)
+	defer ts.Close()
+
 	// set the http_proxy environment variable
-	t.Setenv("http_proxy", "fakeproxy.example.com")
+	u, err := url.Parse(ts.URL)
+	require.NoError(t, err)
+	t.Setenv("http_proxy", u.Host)
 
 	username := mustGetCurrentUser(t).Username
 	// httpproxy won't proxy when target address is localhost, so use this instead.
@@ -266,6 +273,8 @@ func TestMultiPortNoProxy(t *testing.T) {
 		"Two clusters do not see each other: tunnels are not working.")
 	require.Eventually(t, waitForClusters(suite.leaf.Tunnel, 1), 10*time.Second, 1*time.Second,
 		"Two clusters do not see each other: tunnels are not working.")
+
+	require.Greater(t, ps.Count(), 0, "proxy did not intercept any connection")
 }
 
 // TestAlpnSniProxyKube tests Kubernetes access with custom Kube API mock where traffic is forwarded via

diff --git a/lib/auth/authclient/authclient.go b/lib/auth/authclient/authclient.go
@@ -55,8 +55,6 @@ func Connect(ctx context.Context, cfg *Config) (auth.ClientI, error) {
 		Credentials: []apiclient.Credentials{
 			apiclient.LoadTLS(cfg.TLS),
 		},
-		// Deliberately ignore HTTP proxies for backwards compatibility.
-		IgnoreHTTPProxy: true,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err, "failed direct dial to auth server: %v", err)

diff --git a/lib/auth/clt.go b/lib/auth/clt.go
@@ -128,12 +128,7 @@ func NewHTTPClient(cfg client.Config, tls *tls.Config, params ...roundtrip.Clien
 		if len(cfg.Addrs) == 0 {
 			return nil, trace.BadParameter("no addresses to dial")
 		}
-		var contextDialer client.ContextDialer
-		if cfg.IgnoreHTTPProxy {
-			contextDialer = client.NewDirectDialer(cfg.KeepAlivePeriod, cfg.DialTimeout)
-		} else {
-			contextDialer = client.NewDialer(cfg.KeepAlivePeriod, cfg.DialTimeout)
-		}
+		contextDialer := client.NewDialer(cfg.KeepAlivePeriod, cfg.DialTimeout)
 		dialer = client.ContextDialerFunc(func(ctx context.Context, network, _ string) (conn net.Conn, err error) {
 			for _, addr := range cfg.Addrs {
 				conn, err = contextDialer.DialContext(ctx, network, addr)

diff --git a/lib/reversetunnel/agent.go b/lib/reversetunnel/agent.go
@@ -266,7 +266,7 @@ func (a *Agent) getHostCheckers() ([]ssh.PublicKey, error) {
 func (a *Agent) getReverseTunnelDetails() *reverseTunnelDetails {
 	pd := reverseTunnelDetails{TLSRoutingEnabled: false}
 	resp, err := webclient.Find(
-		&webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode(), IgnoreHTTPProxy: true})
+		&webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode()})
 
 	if err != nil {
 		// If TLS Routing is disabled the address is the proxy reverse tunnel

diff --git a/lib/reversetunnel/resolver.go b/lib/reversetunnel/resolver.go
@@ -58,9 +58,8 @@ func WebClientResolver(ctx context.Context, addrs []utils.NetAddr, insecureTLS b
 		for _, addr := range addrs {
 			// In insecure mode, any certificate is accepted. In secure mode the hosts
 			// CAs are used to validate the certificate on the proxy.
-			// Ignore HTTP proxy for backwards compatibility.
 			tunnelAddr, err := webclient.GetTunnelAddr(
-				&webclient.Config{Context: ctx, ProxyAddr: addr.String(), Insecure: insecureTLS, IgnoreHTTPProxy: true})
+				&webclient.Config{Context: ctx, ProxyAddr: addr.String(), Insecure: insecureTLS})
 
 			if err != nil {
 				errs = append(errs, err)

diff --git a/lib/reversetunnel/transport.go b/lib/reversetunnel/transport.go
@@ -93,7 +93,7 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Co
 
 	// Check if t.ProxyAddr is ProxyWebPort and remote Proxy supports TLS ALPNSNIListener.
 	resp, err := webclient.Find(
-		&webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify, IgnoreHTTPProxy: true})
+		&webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify})
 	if err != nil {
 		// If TLS Routing is disabled the address is the proxy reverse tunnel
 		// address thus the ping call will always fail.

diff --git a/lib/service/connect.go b/lib/service/connect.go
@@ -974,8 +974,6 @@ func (process *TeleportProcess) newClientDirect(authServers []utils.NetAddr, tls
 			apiclient.LoadTLS(tlsConfig),
 		},
 		DialOpts: dialOpts,
-		// Deliberately ignore HTTP proxies for backwards compatibility.
-		IgnoreHTTPProxy: true,
 	}, cltParams...)
 	if err != nil {
 		return nil, trace.Wrap(err)