From 464d1eaf4d522aff7bba18522799b94320c5aea2 Mon Sep 17 00:00:00 2001
From: Andrew Burke <31974658+atburke@users.noreply.github.com>
Date: Fri, 22 Apr 2022 12:56:31 -0700
Subject: [PATCH] Ignore HTTP_PROXY for reverse tunnels (#11990) (#12035)
This change disables the HTTP_PROXY support for reverse tunnel connections, as introduced in #10209. This is for backwards compatibility.
Co-authored-by: Roman Tkachenko
---
 api/client/webclient/webclient.go | 8 ++++++--
 api/client/webclient/webclient_test.go | 16 ++++++++++++++++
 lib/reversetunnel/agent.go | 2 +-
 lib/reversetunnel/transport.go | 2 +-
 4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
index d6e48b6d2d6ff..56e5b4c36edd4 100644
--- a/api/client/webclient/webclient.go
+++ b/api/client/webclient/webclient.go
@@ -58,6 +58,8 @@ type Config struct {
 // ExtraHeaders is a map of extra HTTP headers to be included in
 // requests.
 ExtraHeaders map[string]string
+ // IgnoreHTTPProxy disables support for HTTP proxying when true.
+ IgnoreHTTPProxy bool
 }
 // CheckAndSetDefaults checks and sets defaults
@@ -83,9 +85,11 @@ func newWebClient(cfg *Config) (*http.Client, error) {
 InsecureSkipVerify: cfg.Insecure,
 RootCAs: cfg.Pool,
 },
- Proxy: func(req *http.Request) (*url.URL, error) {
+ }
+ if !cfg.IgnoreHTTPProxy {
+ transport.Proxy = func(req *http.Request) (*url.URL, error) {
 return httpproxy.FromEnvironment().ProxyFunc()(req.URL)
- },
+ }
 }
 return &http.Client{
 Transport: proxy.NewHTTPFallbackRoundTripper(&transport, cfg.Insecure),
diff --git a/api/client/webclient/webclient_test.go b/api/client/webclient/webclient_test.go
index b908a9777a718..6cbb554394d46 100644
--- a/api/client/webclient/webclient_test.go
+++ b/api/client/webclient/webclient_test.go
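Review bot: The doc comment on `IgnoreHTTPProxy` in the `Config` hunk of webclient.go does not say what the client does instead, which matters to operators who rely on a proxy to control or log egress. With the flag set, the `newWebClient` hunk leaves `transport.Proxy` unset, so the proxy environment variables are not consulted and requests are dialed directly to the target. I would spell that out, e.g. `// IgnoreHTTPProxy, when true, makes the client ignore the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables and connect directly.` The struct body starts outside the hunk.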
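Review bot: In the `newWebClient` hunk the proxy closure still calls `httpproxy.FromEnvironment()` on every request, so the environment is re-read and re-parsed each time the transport picks a proxy. Resolving it once when the client is built is simpler to reason about and fixes the proxy decision for the client's lifetime: `proxyFunc := httpproxy.FromEnvironment().ProxyFunc()` followed by `transport.Proxy = func(req *http.Request) (*url.URL, error) { return proxyFunc(req.URL) }`. That would stop the client from noticing later changes to the variables, so confirm nothing relies on that. The function body starts and ends outside the hunk.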
@@ -323,3 +323,19 @@ func TestNewWebClientNoProxy(t *testing.T) {
 require.Contains(t, err.Error(), "lookup fakedomain.example.com")
 require.Contains(t, err.Error(), "no such host")
 }
+
+func TestNewWebClientIgnoreProxy(t *testing.T) {
+ t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
+ client, err := newWebClient(&Config{
+ Context: context.Background(),
+ ProxyAddr: "localhost:3080",
+ IgnoreHTTPProxy: true,
+ })
+ require.NoError(t, err)
+ //nolint:bodyclose
+ resp, err := client.Get("https://fakedomain.example.com")
+ require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
+ require.NotContains(t, err.Error(), "proxyconnect")
+ require.Contains(t, err.Error(), "lookup fakedomain.example.com")
+ require.Contains(t, err.Error(), "no such host")
+}
diff --git a/lib/reversetunnel/agent.go b/lib/reversetunnel/agent.go
index a5c8b97fd1162..886f9baaf09c8 100644
--- a/lib/reversetunnel/agent.go
+++ b/lib/reversetunnel/agent.go
@@ -265,7 +265,7 @@ func (a *Agent) getHostCheckers() ([]ssh.PublicKey, error) {
 func (a *Agent) getReverseTunnelDetails() *reverseTunnelDetails {
 pd := reverseTunnelDetails{TLSRoutingEnabled: false}
 resp, err := webclient.Find(
- &webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode()})
+ &webclient.Config{Context: a.ctx, ProxyAddr: a.Addr.Addr, Insecure: lib.IsInsecureDevMode(), IgnoreHTTPProxy: true})
 if err != nil {
 // If TLS Routing is disabled the address is the proxy reverse tunnel
diff --git a/lib/reversetunnel/transport.go b/lib/reversetunnel/transport.go
index 923a4a3cf8705..9d4885877691d 100644
--- a/lib/reversetunnel/transport.go
+++ b/lib/reversetunnel/transport.go
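Review bot: `TestNewWebClientIgnoreProxy` in webclient_test.go pins resolver error text (`lookup fakedomain.example.com`, `no such host`), so its result depends on how the host's DNS behaves rather than only on proxy handling. On a runner with no resolver, or one that answers for unknown names, the error reads differently and the test fails for an unrelated reason. The assertion that carries the intent is `require.NotContains(t, err.Error(), "proxyconnect")`; I would keep that and `require.Error`, and either drop the two `require.Contains` checks or add a comment such as `// requires a resolver that returns NXDOMAIN for fakedomain.example.com`. The tail of TestNewWebClientNoProxy, visible as context, makes the same assumption.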
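Review bot: The `webclient.Find` call in `getReverseTunnelDetails` (lib/reversetunnel/agent.go) now passes `IgnoreHTTPProxy: true` with no comment saying why, and the same applies to the call in `TunnelAuthDialer.DialContext` in lib/reversetunnel/transport.go. Both calls are followed by an `if err != nil` branch that, per the comment visible in the transport.go hunk, treats a failed ping as the normal case when TLS Routing is disabled. On a host that can only reach the proxy through HTTP_PROXY the direct ping would presumably fail and be read the same way; the rest of that branch is outside both hunks, so this is inferred. A comment at each call site would record the intent, e.g. `// Reverse tunnel connections do not honor HTTP_PROXY, so the discovery ping must not either.`, and a debug log of `err` in that branch, if there is not one already, would let operators tell the two cases apart.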
@@ -93,7 +93,7 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, _, _ string) (net.Co
 // Check if t.ProxyAddr is ProxyWebPort and remote Proxy supports TLS ALPNSNIListener.
 resp, err := webclient.Find(
- &webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify})
+ &webclient.Config{Context: ctx, ProxyAddr: addr.Addr, Insecure: t.InsecureSkipTLSVerify, IgnoreHTTPProxy: true})
 if err != nil {
 // If TLS Routing is disabled the address is the proxy reverse tunnel
 // address thus the ping call will always fail.