Add support for HTTPS over HTTP on Node.js #5037
Conversation
| @@ -47,6 +48,56 @@ function dispatchBeforeRedirect(options) { | |||
| } | |||
| } | |||
|
|
|||
| /** | |||
| * Provides an HTTP tunnel socket via an HTTP CONNECT request. | |||
| * The tunnel socket is used for sending HTTPS requests via an HTTP proxy. | |||
There was a problem hiding this comment.
HTTP requests can be made via an HTTP proxy using the CONNECT method as well. Shouldn't this only create the TlsSocket in case the destination is using HTTPS, and otherwise return the original socket that was used to make the CONNECT request?
EDIT: Oh I see further down that this is only used when the target is HTTPS. So for an HTTP proxy with a target that's not using TLS, it assumes it's not gonna use the connect method, which is quite reasonable for an HTTP client.
There was a problem hiding this comment.
@Nevon exactly, CONNECT is only used if the destination uses TLS. I figured it would not make that much sense for non-TLS destinations because of the extra round trip.
|
Will probably get back to this PR after #5097, which will cause some conflicts. |
|
Any plan or target release version to merge this upstream @ppati000 ? We also happen to stumble on the same https-over-http-proxy issue. It would be great to have this fix in the official release. |
|
We have encountered this problem in our project, do you know when it will be added? As soon as possible please! |
|
@ppati000 please can you let me know if you will be able to complete this PR? The other PR you mentioned has been merged. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| proxy.listen(4000, async () => { | ||
| try { | ||
| const httpsAgent = new https.Agent({ | ||
| rejectUnauthorized: false, |
Check failure
Code scanning / CodeQL
Disabling certificate validation
|
@mikaelfs @ferranmuntada @jasonsaayman Hey everyone, thanks for your interest :) Will look into this pull request again over the holidays. |
|
@ppati000 could you share latest news on this please? Really interested in having this asap. |
|
+1 |
|
Great job on the PR, @ppati000. It appears that this issue is widely spread, as many 3rd party SDKs use axios. Is there a target release version for a fix so it's just a matter of updating the version dependency? |
| } | ||
|
|
||
| options._httpsOverHttp = proxy.protocol === "http:" && options.protocol === "https:"; |
There was a problem hiding this comment.
What about https over https? You still need a tunnel in that case because you need end-to-end encryption with the intended recipient.
Just for reference, here's how I fixed HTTP CONNECT support for secure HTTPS proxying. My solution relies on the underlying agents (I mentioned it here but I found it a bit too hacky and it required introducing an unmaintained dependency, which I wasn't comfortable with).
You could also check out my fork directly for ideas : mbargiel/axios@e6f9026...feature/fix-proxy/http-connect
There was a problem hiding this comment.
The nice thing with agents is that you don't have to worry about problems with follow-redirects: the tunnel is established in a lower abstraction layer, and once Axios has the socket, it's established properly to the end server. Redirects work over the tunnel.
This is actually how we resolved the proxy issue. With custom http/https agent, https-over-http proxy or https-over-https proxy is properly handled by the agent and is independent of proxy handling by axios. If time permits, I will share some write-up explaining our method. |
Did you use any other library for that? Our own solution was to use https-proxy-agent, but it's a somewhat overly complicated and unmaintained package that isn't self-contained (so, more dependencies...). We were considering keeping the exact same pattern but changing the agent class to hpagent. I was just hoping to have time to actually open an Axios PR. |
|
I'm really not the "is there any update?" comment guy, but this looks like the one last problem with proxies in axios, so would be awesome to get this merged if everything seems ready. Sooo.. is there any update on this? :) |
|
This PR seems dead. I created #5781 which also works with HTTPS proxies. |
So far, Axios did not support HTTPS requests over HTTP proxies.
This pull request implements of
CONNECTrequests to establish a tunnel through the proxy. The implementation works with bothConnection: closeandConnection: keep-alive, so that multiple HTTPS requests can be sent after oneCONNECT. Only Node.js is supported for now.This pull request should fix the following issues, which still seem to be unresolved:
Feedback is highly appreciated!
Caveats
If the upstream server closes the connection first (e.g., when keep-alive is disabled), the proxy may send an RST packet to the client. Here's what I believe is happening after some Wireshark debugging:
ECONNRESETalthough the HTTPS response has already been received (res.complete === true).My mitigation for this issue was to ignore
ECONNRESETerrors ifres.complete === true. This mitigation does not work withfollow-redirects, so redirect support is disabled for HTTPS over HTTP.