Add secure proxies.

moonrepo · Aug 30, 2024 · 190e831 · 190e831
1 parent b03cca6
commit 190e831
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,10 @@
 
 ## Unreleased
 
+#### 🚀 Updates
+
+- Added a new `settings.http.secure-proxies` setting that always handle https requests.
+
 #### 🐞 Fixes
 
 - Fixed an issue where partially downloaded files would trigger checksum failures.

diff --git a/crates/warpgate/src/client.rs b/crates/warpgate/src/client.rs
@@ -12,9 +12,13 @@ pub struct HttpOptions {
     /// Allow invalid certificates. This is dangerous and should only be used as a last resort!
     pub allow_invalid_certs: bool,
 
-    /// A list of proxy URLs that all requests should pass through.
+    /// A list of proxy URLs that all requests should pass through. URLS that start with
+    /// `http` will handle insecure requests, while `https` will handle secure requests.
     pub proxies: Vec<String>,
 
+    /// A list of proxy URLs that all `https` requests should pass through.
+    pub secure_proxies: Vec<String>,
+
     /// Absolute path to the root certificate. Supports `.pem` and `.der` files.
     pub root_cert: Option<PathBuf>,
 }
@@ -64,18 +68,35 @@ pub fn create_http_client_with_options(options: &HttpOptions) -> miette::Result<
         };
     }
 
-    for proxy in &options.proxies {
-        trace!(proxy, "Adding proxy to http client");
+    let mut insecure_proxies = vec![];
+    let mut secure_proxies = options.secure_proxies.iter().collect::<Vec<_>>();
 
-        if proxy.starts_with("http:") {
-            client = client.proxy(reqwest::Proxy::http(proxy).into_diagnostic()?);
-        } else if proxy.starts_with("https:") {
-            client = client.proxy(reqwest::Proxy::https(proxy).into_diagnostic()?);
+    for proxy in &options.proxies {
+        if proxy.starts_with("https:") || (proxy.starts_with("http:") && proxy.contains(":443")) {
+            secure_proxies.push(proxy);
+        } else if proxy.starts_with("http:") {
+            insecure_proxies.push(proxy);
         } else {
             warn!(proxy, "Invalid proxy, only http or https URLs allowed");
         };
     }
 
+    if !insecure_proxies.is_empty() {
+        trace!(proxies = ?insecure_proxies, "Adding insecure proxies to client");
+
+        for proxy in insecure_proxies {
+            client = client.proxy(reqwest::Proxy::http(proxy).into_diagnostic()?);
+        }
+    }
+
+    if !secure_proxies.is_empty() {
+        trace!(proxies = ?secure_proxies, "Adding secure proxies to client");
+
+        for proxy in secure_proxies {
+            client = client.proxy(reqwest::Proxy::https(proxy).into_diagnostic()?);
+        }
+    }
+
     let client = client.build().into_diagnostic()?;
 
     debug!("Created HTTP client");