Proposal: HTTP proxy support

[translatenix]

@stackoverflow suggested to have a discussion before I start working on this feature. Here is my proposal:

Features:

• Support HTTP (but not SOCKS or HTTPS) proxies.
• Support bypassing the proxy for specific hosts,
  similar to cURL's --noproxy and Java's -Dhttp.nonProxyHosts.
• Honor http_proxy, HTTPS_PROXY, ALL_PROXY and NO_PROXY environment variables.
  https://everything.curl.dev/usingcurl/proxies/env
  Java does not honor these environment variables:
  https://bugs.openjdk.org/browse/JDK-8292530
• When running on the JVM, default to the JVM's proxy settings.

API:

• Support a small subset of cURL's proxy-related command line arguments:
  • --proxy [http://]host[:port]
    https://curl.se/docs/manpage.html#-x
  • --noproxy <no-proxy-list>
    https://curl.se/docs/manpage.html#--noproxy
• Support corresponding proxy options in the following APIs:
  • CliBaseOptions
  • HttpClient.Builder
• Do not support proxy options in the following APIs:
  • Gradle plugin (seems pointless)
  • org.pkl.executor.Executor (seems fairly pointless)

Testing:

• Use WireMock or MockServer to run a local HTTP proxy in JUnit tests.
  https://wiremock.org/docs/junit-jupiter/
  https://www.mock-server.com/mock_server/running_mock_server.html#junit_test_extension

Open questions:

• Proxy authentication
  The only authentication method that is directly supported by java.net.http.HttpClient is basic authentication.
  Basic proxy authentication is disabled by default (apparently because of the security risk) and can only be enabled via a system property.
• Argument syntax for --noproxy.
  cURL and Java support a slightly different syntax.
• Default for --noproxy.
  Java: "The default value excludes all common variations of the loopback address."
  cURL: None.

Non-goals:

• Support SOCKS proxies.
  java.net.http.HttpClient does not support SOCKS proxies.
  Setting java.net.Proxy.Type.SOCKS has no effect.
  https://bugs.openjdk.org/browse/JDK-8214516
• Support HTTPS proxies (HTTPS between client and proxy).
  java.net.http.HttpClient does not support HTTPS proxies.
  https://dev.to/kdrakon/httpclient-can-t-connect-to-a-tls-proxy-118a
  Usually, SSL tunneling through an HTTP proxy should be good enough.
  However, basic authentication with an HTTP proxy leaks credentials.
• Honor platform-wide proxy settings on Windows, macOS, and GNOME.
  Java supports this feature (only) by using java.net.ProxySelector.getDefault()
  and setting system property java.net.useSystemProxies=true. The default is false.
  Neither cURL nor GraalVM native image supports this feature.
  Using java.net.useSystemProxies has no effect oracle/graal#4285
• Configure proxy settings via a configuration file (PklProject, ~/.pkl/someFile).

[translatenix]

Any feedback from the team before I start implementing this feature?

[bioball]

Sorry for the late response!

Some general thoughts:

Something that we're lacking currently is the ability to use OSS packages through an internal mirror. This is a feature that we would like to land in our next release (0.26).

I'm thinking that what we want here is actually a rewrite rule. As a practical example: it would be good for GET https://pkg.pkl-lang.org/pkl-pantry/[email protected] to be able to be rewritten to GET https://my.proxy.com/github.com/releases/download/pkl/pkl-pantry/[email protected]/[email protected]. It's less important that this follows an existing proxy protocol.

Also: I think we want the rewrite to be configurable on a machine level, via the settings file.

Would also be good if this is configurable on a per-evaluator basis, and as well as a CLI flag, and via the settings in PklProject.

Sidenote: java.net.http.HttpClient not supporting TLS proxies seems like such a 🤦 moment.

It might be good to discuss this in a more high throughput setting. A bunch of us hang out in the pkl-community discord channel.

[bioball]

A rewrite rule seems pretty similar to what a proxy does. What use-cases are there for proxies that a rewrite rule doesn't address?

[translatenix]

The use case is to make Pkl work in environments where the Internet can only be accessed through an HTTP (forward) proxy. A rewrite rule doesn't help there--an HTTP proxy doesn't work like a package mirror.

Your comments sound like you might be confusing forward proxy with reverse proxy. Here is how we'd want Pkl's HttpClient to interact with a forward proxy: https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_method

[bioball]

Thanks; I'm familiar with what (forward) proxies do. I'm wondering why you'd want a proxy, though? Both proxies and rewrite rules can achieve the goal of "I don't want to talk (directly) to the internet".

The use case is to make Pkl work in environments where the Internet can only be accessed through an HTTP (forward) proxy. A rewrite rule doesn't help there--an HTTP proxy doesn't work like a package mirror.

Yeah, makes sense. In that case, the need for proxying can't be avoided.

[translatenix]

I'm not planning to work on the rewrite rule feature. But let me know if you'd like me to send a PR for the proxy feature.

[bioball]

This seems like something that would be useful, so I think go ahead and send in a PR.

One thing that I'm not sure about here is the lack of HTTPS proxy support (i.e. ability to connect to a proxy under TLS). But, that's something that can always be added later.

Some more notes:

Do not support proxy options in the following APIs:
Gradle plugin (seems pointless)
org.pkl.executor.Executor (seems fairly pointless)

Why do these seem pointless?

Also under non-goals:

Configure proxy settings via a configuration file (PklProject, ~/.pkl/someFile).

Mentioned this earlier, but: I think should have this as a setting in the Pkl settings file. This precedence seems to make the most sense:

1. Directly set via API
2. Directly set using CLI flags
3. Env vars (HTTP_PROXY/NO_PROXY)
4. ~/.pkl/settings file

Also: this should perhaps be an additional option in create evaluator request when Pkl is running in server mode.

[translatenix]

Why do these seem pointless?

Gradle uses the JVM proxy settings, so it should be good enough for Pkl to default to those. (I don't actually know if that's currently the case.) JVM proxy settings should also be good enough for Executor.

Setting a proxy via ~/.pkl/settings or CreateEvaluatorRequest could be useful, but the same could be said for CA certificates. So I think this should be a separate PR.

[bioball]

Thought about proxy env vars: it seems like a nightmare if different applications have a different syntax for what they expect http_proxy, HTTPS_PROXY, NO_PROXY, etc, to look like. Is curl's syntax the canonical syntax that Java happens to differ with? If there's no standard, then it seems like a bad idea to use them.

Also: we try to not use environment variables to control how Pkl works. The only case today is PKL_DEBUG, which is an internal env var that we don't document to users.

[translatenix]

http_proxy etc. is the closest that exists to a standard. There are lots of complaints that Java doesn't honor these env vars.

https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/#http_proxy-and-https_proxy

https://bugs.openjdk.org/browse/JDK-8292530

[bioball]

@translatenix: were you still planning on submitting a PR for this? Absolutely no pressure to do so! If you weren't, let us know and we'll take this one over; this is something we'd like to ship in 0.26.

[translatenix]

I haven’t started working on this, mainly because my HttpClient improvement PR is still open.

[bioball]

This one? #378

[translatenix]

@translatenix: were you still planning on submitting a PR for this? Absolutely no pressure to do so! If you weren't, let us know and we'll take this one over; this is something we'd like to ship in 0.26.

I think it's best if you take over from here.

[bioball]

Sounds good

[bioball]

I went ahead and converted this into a SPICE, up for discussion here: apple/pkl-evolution#5

The main difference is how the proxy is configured; where it is funneled through the normal configuration means.

Authentication is still an open question there