Page MenuHomePhabricator
Create Task
Maniphest T10227

Provide an extension point for HTTP behaviors (proxies, SSL trust)
Closed, ResolvedPublic
Actions

Description

Installs occasionally have complex HTTP environments that require specialized proxying rules and SSL trust behaviors. Probably? At least one install does.

We can reasonably offer a PhutilHTTPEngineExtension to support these behaviors. Two useful callbacks would be:

  • getProxyURIForURI($uri, ...) - Allows the extension to select an HTTP proxy to use to connect to a given URI.
  • shouldBlindlyTrustDomain($uri, ...) - Allows the extension to disable certificate validation for a given URI.

There are likely a handful of other behaviors which could live here eventually (we very occasionally see issues with timeout behavior, for example) and this could clean up the messy https.blindly-trust-domains implementation at least somewhat.

Original Report

In some setups egress traffic from the hosts that run phabricator is not allowed. Instead access must be done via a, possibly authenticated, SOCKS or HTTP proxy. It would be nice if phabricator supported configuration variables that allowed it to access remote URLs (such as when creating a macro or importing a git repo) via a proxy.

Revisions and Commits

rPHU libphutil
D16090rPHU01d14978d08e Introduce PhutilHTTPEngineExtension, for flexibly compromising SSL
rARC Arcanist
D16091rARCc13e5a629535 Use an HTTPEngineExtension to implement "https.blindly-trust-domains" in…
rP Phabricator
D16092rP55a698a28a75 Use HTTPEngineExtension proxy for `git` HTTP operations

Related Objects

Event Timeline

eadler created this task.Jan 27 2016, 1:25 AM
joshuaspence added a subscriber: joshuaspence.Jan 28 2016, 9:56 AM
eadler added a project: Restricted Project.Feb 18 2016, 9:49 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Feb 18 2016, 10:09 PM
eadler updated the task description. (Show Details)Apr 4 2016, 8:33 PM
eadler added a comment.Apr 4 2016, 9:26 PM

for future people: git seems to ignore ~/.curlrc but you can pass a proxy using -chttp.proxy or using the https_proxy variable.

epriestley renamed this task from Authenticated proxy for remote URLs to Provide an extension point for HTTP behaviors (proxies, SSL trust).Apr 4 2016, 9:43 PM
epriestley updated the task description. (Show Details)
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.Apr 7 2016, 6:41 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 23 2016, 6:11 PM
eadler moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 23 2016, 6:13 PM
epriestley added a project: Prioritized.May 23 2016, 6:25 PM
epriestley added a subscriber: epriestley.

This is about two hours of work.

epriestley moved this task from Backlog to Preflight on the Prioritized board.May 23 2016, 6:25 PM
epriestley added a revision: D16090: Introduce PhutilHTTPEngineExtension, for flexibly compromising SSL.Jun 9 2016, 6:45 PM
epriestley added a revision: D16091: Use an HTTPEngineExtension to implement "https.blindly-trust-domains" in Arcanist.
epriestley added a revision: D16092: Use HTTPEngineExtension proxy for `git` HTTP operations.Jun 9 2016, 6:50 PM
epriestley added a commit: rPHU01d14978d08e: Introduce PhutilHTTPEngineExtension, for flexibly compromising SSL.Jun 9 2016, 7:01 PM
epriestley added a commit: rARCc13e5a629535: Use an HTTPEngineExtension to implement "https.blindly-trust-domains" in….
epriestley added a commit: rP55a698a28a75: Use HTTPEngineExtension proxy for `git` HTTP operations.Jun 9 2016, 7:17 PM
epriestley moved this task from Preflight to Paused on the Prioritized board.Jun 9 2016, 7:20 PM

I think this should work now. I tested it locally with HTTP and SOCKS proxies via Charles and those both seemed to behave properly.

I only implemented proxy support for git in Phabricator since it's not clear that anyone has a SVN/Mercurial use case, although those are likely straightforward if anyone does.

Here are a couple of rough examples of how you might use this. See PhutilHTTPEngineExtension for slightly more detailed documentation. You can be more surgical by examining the content of $uri, see PhutilURI for available methods.

{P1990}

{P1991}

This took 2 hours.

epriestley mentioned this in T11137: Unable to update Git repositories with latest stable.Jun 13 2016, 12:39 PM
epriestley closed this task as Resolved.Jul 2 2016, 3:10 PM
epriestley claimed this task.

We haven't seen issues with this and it's now accounted for (I believe it's also in production).

epriestley mentioned this in T7616: Arcanist to be able to access site requiring client side SSL certificate.Jul 21 2016, 11:58 AM
epriestley mentioned this in T11359: "httpoxy" HTTP Proxy Environmental Vulnerability.Jul 22 2016, 12:36 AM
Phabricator · Built by Phacility