From 125679f2e14cdc8a26a147f7e8fd0e5f174fb5cb Mon Sep 17 00:00:00 2001
From: Jason Song
Date: Wed, 11 Sep 2024 13:47:00 +0800
Subject: [PATCH] Support allowed hosts for migrations to work with proxy (#32025)
---
 modules/hostmatcher/http.go | 6 +-----
 services/migrations/http_client.go | 2 +-
 services/migrations/migrate.go | 4 ----
 services/webhook/deliver.go | 2 +-
 4 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/modules/hostmatcher/http.go b/modules/hostmatcher/http.go
index c743f6efb3..8828902034 100644
--- a/modules/hostmatcher/http.go
+++ b/modules/hostmatcher/http.go
@@ -13,11 +13,7 @@ import (
 )
 // NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
-func NewDialContext(usage string, allowList, blockList *HostMatchList) func(ctx context.Context, network, addr string) (net.Conn, error) {
- return NewDialContextWithProxy(usage, allowList, blockList, nil)
-}
-
-func NewDialContextWithProxy(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
+func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
 // How Go HTTP Client works with redirection:
 // transport.RoundTrip URL=http://domain.com, Host=domain.com
 // transport.DialContext addrOrHost=domain.com:80
diff --git a/services/migrations/http_client.go b/services/migrations/http_client.go
index 9e3caec191..0b997e08f4 100644
--- a/services/migrations/http_client.go
+++ b/services/migrations/http_client.go
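Review bot: The doc comment kept above `NewDialContext` in modules/hostmatcher/http.go still describes only the allow/block list check and does not mention the new `proxy` parameter, which every caller must now supply because the nil-proxy wrapper is removed. Since this function is the dial-time guard against requests to disallowed hosts, I would add `// proxy is the proxy URL the Transport dials through; pass nil when no proxy is used.` A second sentence should spell out how a dial to the proxy's own address is treated by the list check. The function body continues outside the hunk, so that handling is presumably inherited from the former NewDialContextWithProxy but cannot be confirmed from here.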
@@ -24,6 +24,6 @@ func NewMigrationHTTPTransport() *http.Transport {
 return &http.Transport{
 TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify},
 Proxy: proxy.Proxy(),
- DialContext: hostmatcher.NewDialContext("migration", allowList, blockList),
+ DialContext: hostmatcher.NewDialContext("migration", allowList, blockList, setting.Proxy.ProxyURLFixed),
 }
 }
diff --git a/services/migrations/migrate.go b/services/migrations/migrate.go
index 21bdc68e73..d0ad6d0139 100644
--- a/services/migrations/migrate.go
+++ b/services/migrations/migrate.go
@@ -499,9 +499,5 @@ func Init() error {
 // TODO: at the moment, if ALLOW_LOCALNETWORKS=false, ALLOWED_DOMAINS=domain.com, and domain.com has IP 127.0.0.1, then it's still allowed.
 // if we want to block such case, the private&loopback should be added to the blockList when ALLOW_LOCALNETWORKS=false
- if setting.Proxy.Enabled && setting.Proxy.ProxyURLFixed != nil {
- allowList.AppendPattern(setting.Proxy.ProxyURLFixed.Host)
- }
-
 return nil
 }
diff --git a/services/webhook/deliver.go b/services/webhook/deliver.go
index b2c0a73784..4707602cdf 100644
--- a/services/webhook/deliver.go
+++ b/services/webhook/deliver.go
@@ -303,7 +303,7 @@ func Init() error {
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify},
 Proxy: webhookProxy(allowedHostMatcher),
- DialContext: hostmatcher.NewDialContextWithProxy("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
+ DialContext: hostmatcher.NewDialContext("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
 },
 }
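Review bot: The new fourth argument on the `DialContext` line of `NewMigrationHTTPTransport` passes `setting.Proxy.ProxyURLFixed` to the dialer unconditionally, whereas the block this commit removes from services/migrations/migrate.go trusted the proxy host only when `setting.Proxy.Enabled` was also true. If ProxyURLFixed can be populated while the proxy is disabled (the settings loader is not shown here), the migration dialer would presumably exempt that address from the allow/block check even though no request is routed through it, which weakens the request-forgery guard for that host. I would keep the Enabled condition and pass nil otherwise, as sketched below; the file needs `net/url` imported if it is not already. The enclosing function starts above the hunk.

```go
var dialProxy *url.URL
if setting.Proxy.Enabled {
	// Only a proxy that is actually in use may be exempted by the dialer.
	dialProxy = setting.Proxy.ProxyURLFixed
}
return &http.Transport{
	// … unchanged: TLSClientConfig, Proxy …
	DialContext: hostmatcher.NewDialContext("migration", allowList, blockList, dialProxy),
```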