Add http proxy support to TLS helper

archigup · archigup · commit d747de52ae16 · 2025-10-08T17:58:13.000-07:00
diff --git a/docs/spec/tls_helper.md b/docs/spec/tls_helper.md
@@ -36,6 +36,9 @@ The invoking process may additionally set the following args:
 When passed a `--proxy` arg, the TLS helper MUST either use it for the
 connection or exit with a non-zero error code.
 
+The invoking process must applying any no_proxy logic before invoking the TLS
+helper.
+
 The TLS helper will also get a control socket at file descriptor `3`. This will
 be a unix domain socket. Except in case of an error, the helper MUST use the the
 control socket to send a single message with the payload `"socket"`, and with
diff --git a/modules/ggl-tls-helper/bin/ggl-tls-helper.c b/modules/ggl-tls-helper/bin/ggl-tls-helper.c
@@ -13,7 +13,9 @@
 #include <ggl/socket.h>
 #include <netdb.h>
 #include <openssl/bio.h>
+#include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/http.h>
 #include <openssl/opensslv.h>
 #include <openssl/prov_ssl.h>
 #include <openssl/ssl.h>
@@ -222,6 +224,53 @@ static void cleanup_ssl(SSL **ssl) {
     }
 }
 
+static GglError parse_proxy_url(
+    const char *proxy_url, char **host, char **port
+) {
+    int use_ssl = 0;
+
+    if (!OSSL_HTTP_parse_url(
+            proxy_url, &use_ssl, NULL, host, port, NULL, NULL, NULL, NULL
+        )) {
+        GGL_LOGE("Failed to parse proxy URL.");
+        ERR_print_errors_cb(openssl_err_cb, NULL);
+        return GGL_ERR_INVALID;
+    }
+
+    if (use_ssl) {
+        GGL_LOGE("HTTPS proxies are not supported in this task.");
+        return GGL_ERR_INVALID;
+    }
+
+    return GGL_ERR_OK;
+}
+
+static GglError http_proxy_connect(
+    BIO *proxy_bio, const char *target_host, const char *target_port
+) {
+    GGL_LOGD("Sending HTTP CONNECT %s:%s to proxy.", target_host, target_port);
+
+    int proxy_connect_ret = OSSL_HTTP_proxy_connect(
+        proxy_bio,
+        target_host,
+        target_port,
+        NULL, // proxy_user
+        NULL, // proxy_password
+        60, // timeout
+        NULL, // bio_err
+        NULL // prog
+    );
+
+    if (proxy_connect_ret != 1) {
+        GGL_LOGE("Failed HTTP proxy CONNECT.");
+        ERR_print_errors_cb(openssl_err_cb, NULL);
+        return GGL_ERR_FAILURE;
+    }
+
+    GGL_LOGD("HTTP proxy CONNECT successful.");
+    return GGL_ERR_OK;
+}
+
 static GglError tls_handshake(const char *endpoint, BIO *bio, SSL **ssl) {
     SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_client_method());
     if (ssl_ctx == NULL) {
@@ -381,8 +430,26 @@ int main(int argc, char *argv[]) {
     // NOLINTNEXTLINE(concurrency-mt-unsafe)
     argp_parse(&argp, argc, argv, 0, 0, NULL);
 
+    GglError ret;
     int tcp_fd;
-    GglError ret = create_tcp_connection(arg_endpoint, arg_port, &tcp_fd);
+    bool using_proxy = false;
+
+    if (arg_proxy != NULL) {
+        char *parse_host;
+        char *parse_port;
+        ret = parse_proxy_url(arg_proxy, &parse_host, &parse_port);
+        if (ret != GGL_ERR_OK) {
+            return 1;
+        }
+        using_proxy = true;
+        const char *port = (parse_port != NULL) ? parse_port : "80";
+        ret = create_tcp_connection(parse_host, port, &tcp_fd);
+
+        OPENSSL_free(parse_host);
+        OPENSSL_free(parse_port);
+    } else {
+        ret = create_tcp_connection(arg_endpoint, arg_port, &tcp_fd);
+    }
     if (ret != GGL_ERR_OK) {
         GGL_LOGE("Failed to create TCP connection.");
         return 1;
@@ -395,6 +462,13 @@ int main(int argc, char *argv[]) {
         return 1;
     }
 
+    if (using_proxy) {
+        ret = http_proxy_connect(bio, arg_endpoint, arg_port);
+        if (ret != GGL_ERR_OK) {
+            return 1;
+        }
+    }
+
     SSL *ssl = NULL;
     ret = tls_handshake(arg_endpoint, bio, &ssl);
     if (ret != GGL_ERR_OK) {
@@ -430,14 +504,14 @@ int main(int argc, char *argv[]) {
         return 0;
     }
 
-    GGL_LOGD("Preparing to proxy socket traffic.");
+    GGL_LOGD("Preparing to relay socket traffic.");
 
     // Close the parent's end of the socketpair
     (void) close(parent_fds[0]);
-    int proxy_fd = parent_fds[1];
+    int relay_fd = parent_fds[1];
 
-    // Proxy data between socketpair and TLS connection
-    struct pollfd fds[2] = { { .fd = proxy_fd, .events = POLLIN },
+    // Relay data between socketpair and TLS connection
+    struct pollfd fds[2] = { { .fd = relay_fd, .events = POLLIN },
                              { .fd = tcp_fd, .events = POLLIN } };
 
     uint8_t buffer[4096];
@@ -449,15 +523,15 @@ int main(int argc, char *argv[]) {
             return 1;
         }
 
-        // Data from proxy socket to TLS
+        // Data from relay socket to TLS
         if (fds[0].revents & POLLIN) {
             GglBuffer buf = GGL_BUF(buffer);
             do {
-                ret = ggl_file_read_partial(proxy_fd, &buf);
+                ret = ggl_file_read_partial(relay_fd, &buf);
             } while (ret == GGL_ERR_RETRY);
 
             if (ret == GGL_ERR_NODATA) {
-                GGL_LOGD("Proxy socket closed.");
+                GGL_LOGD("Relay socket closed.");
                 int shutdown_ret = SSL_shutdown(ssl);
                 if (shutdown_ret < 0) {
                     GGL_LOGE("Openssl shutdown on network socket failed.");
@@ -466,7 +540,7 @@ int main(int argc, char *argv[]) {
                 (void) shutdown(tcp_fd, SHUT_WR);
                 fds[0].fd = -1;
             } else if (ret != GGL_ERR_OK) {
-                GGL_LOGE("Proxy socket read error.");
+                GGL_LOGE("Relay socket read error.");
                 return 1;
             } else {
                 size_t bytes_read = sizeof(buffer) - buf.len;
@@ -488,13 +562,13 @@ int main(int argc, char *argv[]) {
             }
         }
 
-        // Handle proxy socket errors
+        // Handle relay socket errors
         if (fds[0].revents & (POLLHUP | POLLERR)) {
-            GGL_LOGD("Proxy socket closed uncleanly.");
+            GGL_LOGD("Relay socket closed uncleanly.");
             fds[0].fd = -1;
         }
 
-        // Data from TLS to proxy socket
+        // Data from TLS to relay socket
         if (fds[1].revents & POLLIN) {
             int bytes = SSL_read(ssl, buffer, sizeof(buffer));
             if (bytes <= 0) {
@@ -524,16 +598,16 @@ int main(int argc, char *argv[]) {
                     return 1;
                 }
 
-                (void) shutdown(proxy_fd, SHUT_WR);
+                (void) shutdown(relay_fd, SHUT_WR);
                 fds[1].fd = -1;
             } else {
                 GglBuffer buf = { .data = buffer, .len = (size_t) bytes };
-                ret = ggl_socket_write(proxy_fd, buf);
+                ret = ggl_socket_write(relay_fd, buf);
                 if (ret == GGL_ERR_NOCONN) {
-                    GGL_LOGD("Proxy socket closed by peer during write.");
+                    GGL_LOGD("Relay socket closed by peer during write.");
                     fds[1].fd = -1;
                 } else if (ret != GGL_ERR_OK) {
-                    GGL_LOGE("Proxy socket write error.");
+                    GGL_LOGE("Relay socket write error.");
                     return 1;
                 }
             }
@@ -547,7 +621,7 @@ int main(int argc, char *argv[]) {
     }
 
     close(tcp_fd);
-    close(proxy_fd);
+    close(relay_fd);
 
     GGL_LOGD("TLS handling complete.");
 }
