Use proxy_ssl_context as SSL ctx when forwarding #2651
Conversation
|
(Chiming in here since I've also been thinking about this issue today. Please forgive me if I'm stepping on your toes at all!) I think there's another case when proxy_ssl_context = create_urllib3_context()
proxy_ssl_context.load_verify_locations(DEFAULT_CA)
with proxy_from_url(
self.https_proxy_url,
proxy_ssl_context=proxy_ssl_context,
) as proxy:
proxy.request("GET", f"{self.http_url}/")Hope this is useful. |
|
@matttpt I was completely off-base with my understanding and my previous comments were completely irrelevant. You were right that proxy_ssl_context was being ignored for HTTP destinations. I have corrected that as well and add your test case. |
|
@avi364 sorry I haven't been available the last few days, but thanks for looking into this! Confirming that the latest iteration does what I expected. |
Use proxy_ssl_context when fowarding to both a HTTPS destination
(which occurs when use_forwarding_for_https=True)
and to a HTTP destination.
Raise a warning if both a proxy_ssl_context and a ssl_context
are provided when use_forwarding_for_https=True.
Add tests to verify these cases and modify
test_proxy_https_target_tls_error in test_proxy_poolmanager
to account for this new behavior.
Addresses urllib3#2577
|
@matttpt thanks for confirming. @pquentin no problem and sorry for the noise, I really confused myself for a while, so most of my questions are no longer necessary to answer. My only remaining question is about emitting a DeprecationWarning in 1.26.X and a ValueError in 2.x. I assume main will eventually be the branch used to cut 2.x. To make it easier to cherry pick this change onto the 1.26 branch, I broke the fix into 2 commits, where the first commit emits the warning. Is this the right approach? |
src/urllib3/connection.py
Outdated
| ) | ||
| elif proxy_config.ssl_context is None and ssl_context is not None: | ||
| raise ValueError( | ||
| "The 'ssl_context' parameter cannot be set when use_forwarding_for_https is True. Use the 'proxy_ssl_context' parameter to customizet the connection to the proxy" |
There was a problem hiding this comment.
nit: You have a typo, cutomizet
|
@sethmlarson how do we want to handle the following:
Were we planning on doing another release with 1.26.X? It would be ideal to push the DeprecationWarning first. |
Raise an exception if both a proxy_ssl_context and a ssl_context are provided when use_forwarding_for_https=True, instead of only raising a warning. Modify tests to account for change. Resolves urllib3#2577
|
@jalopezsilva is there anything else you would like me to do? |
Not at the moment. I want to hear @sethmlarson's opinion on the following though.
Should we release the warning with 1.26.X and deprecate it fully with 2.x? |
|
Sorry for taking so long on this @avi364 and @jalopezsilva. Let's emit a |
|
Thanks! From my understanding of how Github pull requests work, the 2 commits can be merged as-is into main, and then a committer can manually cherry-pick commit 929fba8 to 1.26.x to obtained the desired end-state on both branches. |
There was a problem hiding this comment.
Looks good to me! We probably need a review from @sethmlarson as well :)
There was a problem hiding this comment.
@jalopezsilva can you confirm my thinking on these comments?
| @@ -500,6 +515,11 @@ def connect(self) -> None: | |||
| SystemTimeWarning, | |||
| ) | |||
|
|
|||
| if self._connecting_to_proxy and self.proxy_config: | |||
There was a problem hiding this comment.
We should use if self.proxy and self.proxy_config here.
There was a problem hiding this comment.
@sethmlarson this might not work.
self._connecting_to_proxy will remain True when we're using the absolute URI forwarding mode after the block in L486. I suspect that's why @avi364 is relying on it. I don't like relying on it though, seems brittle.
Could we check not self._is_using_tunnel() and self.proxy_config instead? That will default to the absolute UI forwarding mode. It might be better to check if proxy_ssl_context is set as well.
There was a problem hiding this comment.
Makes complete sense to me! @avi364 could you implement these changes and then we can merge?
| ) | ||
| else: | ||
|
|
||
| self.ssl_context = proxy_config.ssl_context |
There was a problem hiding this comment.
Do we need to change the logic of self.ssl_context here? If we're deciding which ssl_context object to use within connect() anyways I think we can unconditionally set self.ssl_context as before.
There was a problem hiding this comment.
I agree with @sethmlarson here. You're already modifying the selection logic within connect(). Keep this simple?
| ) | ||
| else: | ||
|
|
||
| self.ssl_context = proxy_config.ssl_context |
There was a problem hiding this comment.
I agree with @sethmlarson here. You're already modifying the selection logic within connect(). Keep this simple?
| @@ -500,6 +515,11 @@ def connect(self) -> None: | |||
| SystemTimeWarning, | |||
| ) | |||
|
|
|||
| if self._connecting_to_proxy and self.proxy_config: | |||
There was a problem hiding this comment.
@sethmlarson this might not work.
self._connecting_to_proxy will remain True when we're using the absolute URI forwarding mode after the block in L486. I suspect that's why @avi364 is relying on it. I don't like relying on it though, seems brittle.
Could we check not self._is_using_tunnel() and self.proxy_config instead? That will default to the absolute UI forwarding mode. It might be better to check if proxy_ssl_context is set as well.
|
I do not, feel free to take it
|
I think , I there is some missing comment in the issue. @avi364, do you mean that you are not going to pursue this PR further? |
Fixes #2577 by setting ssl_context to be the provided proxy_ssl_context when
use_forwarding_for_httpsis set to True.I enabled the failing test, but because the test doesn't really make sense (I think) for when a forwarding proxy is used, I removed that case from the test. However, I added additional tests to cover the different cases of valid
proxy_ssl_contextandssl_contextbeing either provided or not provided (with the existingtest_https_proxy_tls_errortest covering the case when a validproxy_ssl_contextis not provided).The issue described that providing
ssl_contextshould only be a DeprecationWarning for version 1.26.x. Should that change be done as a separate PR against that branch?