tsh proxy ssh does not respect HTTP_PROXY #17567

Closed
russjones opened this issue Oct 19, 2022 · 3 comments · Fixed by #18204
Labels
bug c-q7j Internal Customer Reference machine-id

Comments

@russjones
Contributor

Customer has reported that tbot does not respect HTTP_PROXY when making connections.

@russjones russjones added bug machine-id c-q7j Internal Customer Reference labels Oct 19, 2022
@strideynet
Contributor

strideynet commented Oct 19, 2022

Potentially useful: #10209


Things to review

  • Any usages of webclient
  • Any usages of API client
  • Registration
    • Through Proxy
    • Through Auth
  • tbot proxy

@strideynet strideynet self-assigned this Oct 27, 2022
@strideynet
Contributor

strideynet commented Nov 4, 2022

Customer reported issue running v9.3.18.

Customer specifically complained about issue when using the generated ssh_config - and hence - tbot proxy ssh.

@strideynet strideynet changed the title tbot does not respect HTTP_PROXY tsh proxy ssh does not respect HTTP_PROXY Nov 4, 2022
@strideynet
Contributor

strideynet commented Nov 4, 2022

dialSSHProxy of tool/tsh/proxy.go does not respect HTTP_PROXY or HTTPS_PROXY:

```go
func dialSSHProxy(ctx context.Context, tc *libclient.TeleportClient, sp sshProxyParams) (net.Conn, error) {
	remoteProxyAddr := net.JoinHostPort(sp.proxyHost, sp.proxyPort)

	if !sp.tlsRouting {
		conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", remoteProxyAddr)
		if err != nil {
			return nil, trace.Wrap(err)
		}
		return conn, nil
	}

	pool, err := tc.LocalAgent().ClientCertPool(sp.clusterName)
	if err != nil {
		return nil, trace.Wrap(err)
	}

	tlsConfig := &tls.Config{
		RootCAs:            pool,
		NextProtos:         []string{string(alpncommon.ProtocolProxySSH)},
		InsecureSkipVerify: tc.InsecureSkipVerify,
		ServerName:         sp.proxyHost,
	}

	conn, err := (&tls.Dialer{Config: tlsConfig}).DialContext(ctx, "tcp", remoteProxyAddr)
	if err != nil {
		return nil, trace.Wrap(err)
	}
	return conn, nil
}
```

Both dialers here need to use an HTTP Proxy dialer if one has been configured in the environment.

As Machine ID tbot proxy ssh just invokes tsh proxy ssh, this is also affected.
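
The requirement stated in the comment above, sketched as an added example (this is not Teleport's code and not taken from the linked fix): a dialer that consults `HTTPS_PROXY` / `NO_PROXY`, tunnels with HTTP `CONNECT` when a proxy applies, and dials directly otherwise. The names `tunnelConn`, `dialViaProxy` and `dialTarget` are hypothetical, and the sketch assumes a plain-HTTP proxy URL with an explicit port and no proxy authentication.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// tunnelConn replays bytes read along with the proxy's reply (e.g. an SSH banner).
type tunnelConn struct {
	net.Conn
	br *bufio.Reader
}

func (c *tunnelConn) Read(p []byte) (int, error) { return c.br.Read(p) }

// dialViaProxy opens a raw TCP tunnel to addr through proxy using HTTP CONNECT.
func dialViaProxy(ctx context.Context, proxy *url.URL, addr string) (net.Conn, error) {
	conn, err := (&net.Dialer{}).DialContext(ctx, "tcp", proxy.Host)
	if err != nil {
		return nil, err
	}
	fmt.Fprintf(conn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", addr, addr) // a failed write surfaces as a read error below
	br := bufio.NewReader(conn)
	resp, err := http.ReadResponse(br, &http.Request{Method: http.MethodConnect})
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("proxy %s refused CONNECT %s: %s", proxy.Host, addr, resp.Status)
	}
	if err != nil {
		conn.Close()
		return nil, err
	}
	return &tunnelConn{Conn: conn, br: br}, nil
}

// dialTarget honours HTTPS_PROXY / NO_PROXY for addr (host:port). A caller that needs TLS wraps
// the result in tls.Client with ServerName set to the target, so the proxy only relays ciphertext.
func dialTarget(ctx context.Context, addr string) (net.Conn, error) {
	proxy, err := http.ProxyFromEnvironment(&http.Request{URL: &url.URL{Scheme: "https", Host: addr}})
	if err != nil {
		return nil, err
	}
	if proxy == nil {
		return (&net.Dialer{}).DialContext(ctx, "tcp", addr)
	}
	return dialViaProxy(ctx, proxy, addr)
}
```

`http.ProxyFromEnvironment` reads the environment once per process and never proxies loopback targets, so changes to `HTTPS_PROXY` after the first dial are not picked up.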

2 participants