-
-
Notifications
You must be signed in to change notification settings - Fork 853
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPS proxies support #1434
Comments
Hi there. In #1428 a had a problem with 3rd type of proxies not indicated here and called "reverse proxy" with SSL termination
It's very useful when we're talking about load balancing for example. Client doesn't even know that he speaks to the proxy. |
@ech0-py Well, then it seems like you don't want to use Just send a request to the target host, as you would if there was no reverse proxy in place. I assume things must be setup in your infra so that the DNS hostname resolves to the reverse proxy IP so that traffic is directed there, but the reverse proxy isn't really a "proxy" in the sense that we're discussing in this issue. Reverse proxies aren't supposed to be passed as proxies specifically because they're not really web proxies, but servers that defer requests to other servers, eg for the sake of load balancing, as you mentioned. Or am I missing something? |
@florimondmanca I think you're right. But in such case I need to setup NSS (nsswitch.conf) at least which requires sudo. |
Hi. Any update on this? |
Note to self that This project README has a useful set of past issues referencing this... https://github.com/phuslu/requests_httpsproxy However Am currently doing some digging into this, and looking into what it'll take in order for us to support tls-in-tls across all our backends. |
There's a PR to add support to this for I'm going to document an example of what's needed in order to demo Generate keys/certs for the proxy itself to use, with
|
@florimondmanca , do you have a time schedule or at least some general understanding when the HTTPS proxy mode (TLS-in-TLS) will be implemented? We have a client that needs it because of their security measures, and we are a bit in troubles not being able to provide them with the software that can connect to APNs via their proxy server. |
i am working on this.Made fair progress .Will raise pr in next 1-2 weeks for sure.The tls-in-tls concept is roughly working. |
If it helps in any way, we have added secure proxies support in the latest version of httpx-socks |
Awesome!! |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Needs an up to date, but still valid thx bot. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Steady on, bot. |
Would love to see this implemented. |
We have support for this in We should extend this into proxy = httpx.Proxy("https://", ssl_context=...)
client = httpx.Client(proxies=proxy) Aside... Do I dislike the |
Should we provide low-level proxy_ssl_context access rather than high-level verify, certs arguments? |
We should add a |
Refs #1424, #1428
Terminology
CONNECT
). — HTTPX has good support for those, no questions asked. ✅Problem statement
We've seen reports of issues recently such as #1424 and #1428 that reveal that our proxies implementation does not properly support HTTPS proxies yet.
My understanding right now is that supporting this requires implementing a technique known as "TLS-in-TLS" (or perhaps "nested TLS"). Here's how that works:
CONNECT
request to the proxy, athttps://proxy.org
. This may use a dedicatedproxy_ssl_context
with proxy-specific certs, that I'll mark as TLS(p) ("p" as "proxy").target
. The HTTPX-proxy "half" of the TCP connection is over TLS(p), and the other one is not TLS-enabled yet.✅ Right now we can do steps 1/ and 2/, with the nuance that we have a single
ssl_context
option that's used for both proxy CONNECT and the handshake (we'd want to haveproxy_ssl_context
andssl_context
).❌ What is definitely missing is step 3/.
Right now we attempt to do
start_tls()
, as if we were tunneling over a standard HTTP connection with the proxy — and generally that fais in a variety of ways depending on sync / async, async library, custom certs, HTTP/1.1 vs HTTP/2, proxy server implementation, etc.To reproduce
Right now the following would fail:
TODO: full
pproxy
setup (or perhapsproxy.py
, which seems to support HTTPS proxying fully), full sample tracebacks.Additional context
Marked this as "requests-compat" because this is now supported in
urllib3
as of 1.26. It landed via this pull request: urllib3/urllib3#1923. AFAICT they had to implement TLS-in-TLS themselves, overriding the standardhttp.client
connection implementation because that one doesn't support TLS-in-TLS.Marked this as "httpcore" because our proxy implementation lives there: https://github.com/encode/httpcore
The text was updated successfully, but these errors were encountered: