gravitational · atburke · Mar 23, 2022 · Feb 7, 2022 · Feb 8, 2022 · Feb 9, 2022
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -46,6 +46,7 @@ func newWebClient(insecure bool, pool *x509.CertPool) *http.Client {
 				RootCAs:            pool,
 				InsecureSkipVerify: insecure,
 			},
+			Proxy: http.ProxyFromEnvironment,
 		},
 	}
 }

diff --git a/api/client/webclient/webclient_test.go b/api/client/webclient/webclient_test.go
@@ -289,3 +289,18 @@ func TestExtract(t *testing.T) {
 		})
 	}
 }
+
+func TestNewWebClientRespectHTTPProxy(t *testing.T) {
+	t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
+	client := newWebClient(false /* insecure */, nil /* pool */)
+	resp, err := client.Get("https://example.com")
+	defer func() {
+		if resp != nil {
+			resp.Body.Close()
+		}
+	}()
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
+	require.Contains(t, err.Error(), "proxyconnect")
+	require.Contains(t, err.Error(), "no such host")
+}
diff --git a/lib/client/api.go b/lib/client/api.go
@@ -68,6 +68,7 @@ import (
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/lib/utils/agentconn"
+	"github.com/gravitational/teleport/lib/utils/proxy"
 
 	"github.com/gravitational/trace"
 
@@ -2198,37 +2199,20 @@ func (tc *TeleportClient) connectToProxy(ctx context.Context) (*ProxyClient, err
 	}, nil
 }
 
-func makeProxySSHClientWithTLSWrapper(tc *TeleportClient, sshConfig *ssh.ClientConfig) (*ssh.Client, error) {
-	cfg := tc.Config
-	clientTLSConf, err := tc.loadTLSConfig()
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	clientTLSConf.NextProtos = []string{string(alpncommon.ProtocolProxySSH)}
-	clientTLSConf.InsecureSkipVerify = cfg.InsecureSkipVerify
-
-	tlsConn, err := tls.Dial("tcp", cfg.WebProxyAddr, clientTLSConf)
-	if err != nil {
-		return nil, trace.Wrap(err, "failed to dial tls %v", cfg.WebProxyAddr)
-	}
-	c, chans, reqs, err := ssh.NewClientConn(tlsConn, cfg.WebProxyAddr, sshConfig)
-	if err != nil {
-		// tlsConn is closed inside ssh.NewClientConn function
-		return nil, trace.Wrap(err, "failed to authenticate with proxy %v", cfg.WebProxyAddr)
-	}
-	return ssh.NewClient(c, chans, reqs), nil
-}
-
 func makeProxySSHClient(tc *TeleportClient, sshConfig *ssh.ClientConfig) (*ssh.Client, error) {
+	var opts []proxy.DialerOptionFunc
 	if tc.Config.TLSRoutingEnabled {
-		return makeProxySSHClientWithTLSWrapper(tc, sshConfig)
-	}
-	client, err := ssh.Dial("tcp", tc.Config.SSHProxyAddr, sshConfig)
-	if err != nil {
-		return nil, trace.Wrap(err, "failed to authenticate with proxy %v", tc.Config.SSHProxyAddr)
+		tlsConfig, err := tc.loadTLSConfig()
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		tlsConfig.NextProtos = []string{string(alpncommon.ProtocolProxySSH)}
+		tlsConfig.InsecureSkipVerify = tc.Config.InsecureSkipVerify
+		opts = append(opts, proxy.WithALPNDialer(), proxy.WithTLSConfig(tlsConfig))
 	}
-	return client, nil
+	dialer := proxy.DialerFromEnvironment(tc.Config.WebProxyAddr, opts...)
+	client, err := dialer.Dial("tcp", tc.Config.SSHProxyAddr, sshConfig)
+	return client, trace.Wrap(err, "failed to authenticate with proxy %v", tc.Config.SSHProxyAddr)
 }
 
 func (tc *TeleportClient) rootClusterName() (string, error) {

diff --git a/lib/client/https_client.go b/lib/client/https_client.go
@@ -41,6 +41,7 @@ func NewInsecureWebClient() *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
 		},
 	}
 }
@@ -54,6 +55,7 @@ func newClientWithPool(pool *x509.CertPool) *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
 		},
 	}
 }

diff --git a/lib/client/https_client_test.go b/lib/client/https_client_test.go
@@ -0,0 +1,53 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewInsecureWebClientHTTPProxy(t *testing.T) {
+	t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
+	client := NewInsecureWebClient()
+	resp, err := client.Get("https://example.com")
+	defer func() {
+		if resp != nil {
+			resp.Body.Close()
+		}
+	}()
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
+	require.Contains(t, err.Error(), "proxyconnect")
+	require.Contains(t, err.Error(), "no such host")
+}
+
+func TestNewClientWithPoolHTTPProxy(t *testing.T) {
+	t.Setenv("HTTPS_PROXY", "fakeproxy.example.com:9999")
+	client := newClientWithPool(nil)
+	resp, err := client.Get("https://example.com")
+	defer func() {
+		if resp != nil {
+			resp.Body.Close()
+		}
+	}()
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err, "GET unexpectedly succeeded: %+v", resp)
+	require.Contains(t, err.Error(), "proxyconnect")
+	require.Contains(t, err.Error(), "no such host")
+}
diff --git a/lib/utils/proxy/proxy.go b/lib/utils/proxy/proxy.go
@@ -57,19 +57,23 @@ func dialWithDeadline(network string, addr string, config *ssh.ClientConfig) (*s
 // dialALPNWithDeadline allows connecting to Teleport in single-port mode. SSH protocol is wrapped into
 // TLS connection where TLS ALPN protocol is set to ProtocolReverseTunnel allowing ALPN Proxy to route the
 // incoming connection to ReverseTunnel proxy service.
-func dialALPNWithDeadline(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
+func dialALPNWithDeadline(network string, addr string, config *ssh.ClientConfig, tlsConfig *tls.Config) (*ssh.Client, error) {
 	dialer := &net.Dialer{
 		Timeout: config.Timeout,
 	}
 	address, err := utils.ParseAddr(addr)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
-	tlsConn, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{
-		NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
-		InsecureSkipVerify: lib.IsInsecureDevMode(),
-		ServerName:         address.Host(),
-	})
+	conf := tlsConfig.Clone()
+	if conf == nil {
+		conf = &tls.Config{
+			NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
+			InsecureSkipVerify: lib.IsInsecureDevMode(),
+		}
+	}
+	conf.ServerName = address.Host()
+	tlsConn, err := tls.DialWithDialer(dialer, network, addr, conf)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -86,13 +90,14 @@ type Dialer interface {
 }
 
 type directDial struct {
-	useTLS bool
+	useTLS    bool
+	tlsConfig *tls.Config
 }
 
 // Dial calls ssh.Dial directly.
 func (d directDial) Dial(network string, addr string, config *ssh.ClientConfig) (*ssh.Client, error) {
 	if d.useTLS {
-		client, err := dialALPNWithDeadline(network, addr, config)
+		client, err := dialALPNWithDeadline(network, addr, config, d.tlsConfig)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -112,11 +117,15 @@ func (d directDial) DialTimeout(network, address string, timeout time.Duration)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		tlsConn, err := tls.Dial("tcp", address, &tls.Config{
-			NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
-			InsecureSkipVerify: lib.IsInsecureDevMode(),
-			ServerName:         addr.Host(),
-		})
+		conf := d.tlsConfig.Clone()
+		if conf == nil {
+			conf = &tls.Config{
+				NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
+				InsecureSkipVerify: lib.IsInsecureDevMode(),
+			}
+		}
+		conf.ServerName = addr.Host()
+		tlsConn, err := tls.Dial("tcp", address, conf)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
@@ -132,6 +141,7 @@ func (d directDial) DialTimeout(network, address string, timeout time.Duration)
 type proxyDial struct {
 	proxyHost string
 	useTLS    bool
+	tlsConfig *tls.Config
 }
 
 // DialTimeout acts like Dial but takes a timeout.
@@ -152,11 +162,15 @@ func (d proxyDial) DialTimeout(network, address string, timeout time.Duration) (
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		conn = tls.Client(conn, &tls.Config{
-			NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
-			InsecureSkipVerify: lib.IsInsecureDevMode(),
-			ServerName:         address.Host(),
-		})
+		conf := d.tlsConfig.Clone()
+		if conf == nil {
+			conf = &tls.Config{
+				NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
+				InsecureSkipVerify: lib.IsInsecureDevMode(),
+			}
+		}
+		conf.ServerName = address.Host()
+		conn = tls.Client(conn, conf)
 	}
 	return conn, nil
 }
@@ -177,11 +191,15 @@ func (d proxyDial) Dial(network string, addr string, config *ssh.ClientConfig) (
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		pconn = tls.Client(pconn, &tls.Config{
-			NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
-			InsecureSkipVerify: lib.IsInsecureDevMode(),
-			ServerName:         address.Host(),
-		})
+		conf := d.tlsConfig.Clone()
+		if conf == nil {
+			conf = &tls.Config{
+				NextProtos:         []string{string(alpncommon.ProtocolReverseTunnel)},
+				InsecureSkipVerify: lib.IsInsecureDevMode(),
+			}
+		}
+		conf.ServerName = address.Host()
+		pconn = tls.Client(pconn, conf)
 	}
 
 	// Do the same as ssh.Dial but pass in proxy connection.
@@ -196,7 +214,8 @@ func (d proxyDial) Dial(network string, addr string, config *ssh.ClientConfig) (
 }
 
 type dialerOptions struct {
-	dialTLS bool
+	dialTLS   bool
+	tlsConfig *tls.Config
 }
 
 // DialerOptionFunc allows setting options as functional arguments to DialerFromEnvironment
@@ -209,6 +228,13 @@ func WithALPNDialer() DialerOptionFunc {
 	}
 }
 
+// WithTLSConfig creates a dialer that uses a specific tls config.
+func WithTLSConfig(tlsConfig *tls.Config) DialerOptionFunc {
+	return func(options *dialerOptions) {
+		options.tlsConfig = tlsConfig
+	}
+}
+
 // DialerFromEnvironment returns a Dial function. If the https_proxy or http_proxy
 // environment variable are set, it returns a function that will dial through
 // said proxy server. If neither variable is set, it will connect to the SSH
@@ -226,10 +252,10 @@ func DialerFromEnvironment(addr string, opts ...DialerOptionFunc) Dialer {
 	// otherwise return a proxy dialer.
 	if proxyAddr == "" {
 		log.Debugf("No proxy set in environment, returning direct dialer.")
-		return directDial{useTLS: options.dialTLS}
+		return directDial{useTLS: options.dialTLS, tlsConfig: options.tlsConfig}
 	}
 	log.Debugf("Found proxy %q in environment, returning proxy dialer.", proxyAddr)
-	return proxyDial{proxyHost: proxyAddr, useTLS: options.dialTLS}
+	return proxyDial{proxyHost: proxyAddr, useTLS: options.dialTLS, tlsConfig: options.tlsConfig}
 }
 
 type DirectDialerOptFunc func(dial *directDial)
-Original file line number
+Diff line change
@@ Expand Up @@
     				RootCAs:            pool,
     				InsecureSkipVerify: insecure,
     			},
+    			Proxy: http.ProxyFromEnvironment,
     		},
     	}
     }
@@ Expand Down @@