Page MenuHomePhabricator

Provide an extension point for HTTP behaviors (proxies, SSL trust)
Closed, ResolvedPublic

Description

Installs occasionally have complex HTTP environments that require specialized proxying rules and SSL trust behaviors. Probably? At least one install does.

We can reasonably offer a PhutilHTTPEngineExtension to support these behaviors. Two useful callbacks would be:

  • getProxyURIForURI($uri, ...) - Allows the extension to select an HTTP proxy to use to connect to a given URI.
  • shouldBlindlyTrustDomain($uri, ...) - Allows the extension to disable certificate validation for a given URI.

There are likely a handful of other behaviors which could live here eventually (we very occasionally see issues with timeout behavior, for example) and this could clean up the messy https.blindly-trust-domains implementation at least somewhat.


Original Report

In some setups egress traffic from the hosts that run phabricator is not allowed. Instead access must be done via a, possibly authenticated, SOCKS or HTTP proxy. It would be nice if phabricator supported configuration variables that allowed it to access remote URLs (such as when creating a macro or importing a git repo) via a proxy.

Event Timeline

eadler added a project: Restricted Project.Feb 18 2016, 9:49 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Feb 18 2016, 10:09 PM

for future people: git seems to ignore ~/.curlrc but you can pass a proxy using -chttp.proxy or using the https_proxy variable.

epriestley renamed this task from Authenticated proxy for remote URLs to Provide an extension point for HTTP behaviors (proxies, SSL trust).Apr 4 2016, 9:43 PM
epriestley updated the task description. (Show Details)
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 7 2016, 6:41 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 23 2016, 6:11 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 23 2016, 6:13 PM
epriestley added a subscriber: epriestley.

This is about two hours of work.

I think this should work now. I tested it locally with HTTP and SOCKS proxies via Charles and those both seemed to behave properly.

I only implemented proxy support for git in Phabricator since it's not clear that anyone has a SVN/Mercurial use case, although those are likely straightforward if anyone does.

Here are a couple of rough examples of how you might use this. See PhutilHTTPEngineExtension for slightly more detailed documentation. You can be more surgical by examining the content of $uri, see PhutilURI for available methods.

{P1990}

{P1991}

This took 2 hours.

epriestley claimed this task.

We haven't seen issues with this and it's now accounted for (I believe it's also in production).