From 4c4b62dd7e7ab59aec12c2c098f2084bdbc2d982 Mon Sep 17 00:00:00 2001 From: yhirose Date: Sun, 24 May 2026 23:50:48 -0400 Subject: [PATCH] Feature 2446 no proxy env (#2448) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Route proxy-enabled checks through is_proxy_enabled_for_host helper In preparation for NO_PROXY support (#2446), centralize the proxy-enabled decision in a single helper so the upcoming bypass logic can be added in one place rather than to six divergent call sites. The helper's body for now is identical to the existing condition; the host parameter is unused until set_no_proxy() lands. Refactored sites: ClientImpl::create_client_socket ClientImpl::handle_request (HTTP request rewrite) ClientImpl::setup_redirect_client ClientImpl::process_request (SSL is_proxy_enabled flag) SSLClient::setup_proxy_connection SSLClient::ensure_socket_connection The two prepare_default_headers Proxy-Authorization injection blocks (currently gated only on proxy auth credentials being set) are intentionally not wrapped here. Doing so would change behavior in the rare misconfiguration case where credentials are set without set_proxy, so the gating is deferred to the NO_PROXY commit where it becomes meaningful. No behavior change. All 608 unit tests and the 22 squid-backed proxy tests pass. * Add detail::parse_proxy_url with control-char and scheme validation Building block for the upcoming set_proxy_from_env (#2446). Parses "http(s)://[user[:pass]@]host[:port][/...]" into a detail::ProxyUrl struct. Rejects: - empty input - any control character (< 0x20 or 0x7F), including CR/LF/NUL — these would otherwise let a malicious env value inject extra header lines into a CONNECT request or Proxy-Authorization header - schemes other than http and https - ports outside [1, 65535] - malformed IPv6 host literals (validated via inet_pton(AF_INET6)) - non-numeric or trailing-garbage port strings Notes: - userinfo is split on the LAST '@' so passwords containing '@' are preserved in the password field - if no port is present, defaults to 80 (http) / 443 (https) - integer parse goes through detail::from_chars to stay compatible with -fno-exceptions builds The helper has no callers yet; it lands consumer-side when set_proxy_from_env arrives. All 608 unit tests pass. * Add NO_PROXY parsing and matching helpers in detail namespace Building blocks for the upcoming Client::set_no_proxy (#2446): - NoProxyEntry / NoProxyKind: parsed list entry (wildcard, hostname suffix, IPv4 CIDR, IPv6 CIDR) - NormalizedTarget: pre-normalized form of the connection's target host (lowercase, brackets stripped, trailing dot stripped, with inet_pton already attempted) - parse_no_proxy_entry / parse_no_proxy_list: token / list parsing. Port-specific entries are rejected by design — cpp-httplib's other host-keyed APIs (e.g. set_hostname_addr_map) are hostname-only, so supporting host:port for NO_PROXY alone would be inconsistent. - ipv4_in_cidr / ipv6_in_cidr: CIDR membership. IPv4 special-cases prefix=0 to avoid the (1u << 32) shift UB. IPv6 uses byte-wise memcmp plus a masked partial-byte compare. - normalize_target: prepares the target host for matching. Routes every IP literal through inet_pton so "127.0.0.1" vs "127.000.000.001" vs decimal-form integers cannot be used to bypass a NO_PROXY entry via alternate string forms. - host_matches_no_proxy: matches a normalized target against an entry list. Hostname suffix matching uses a dot-boundary rule so "evilexample.com" does NOT match the entry "example.com". IPv4 and IPv6 entries match only their own address family — IPv4-mapped IPv6 ("::ffff:1.2.3.4") is not cross-matched against IPv4 entries. These helpers have no callers yet; they land consumer-side in the upcoming set_no_proxy / set_proxy_from_env commits. All 608 unit tests pass. * Add Client::set_no_proxy and wire NO_PROXY into proxy decision Implements the user-facing half of #2446 (set_proxy_from_env follows in the next commit). When a NO_PROXY pattern matches the target host, the client now bypasses the configured proxy and the corresponding Proxy-Authorization header is suppressed. Public API: - Client::set_no_proxy(const std::vector &patterns) Patterns: "*", hostname suffix (e.g. "example.com" or ".example.com"), IPv4/IPv6 CIDR (e.g. "10.0.0.0/8", "fe80::/10"), or single IP literals. Replaces any previous list. Malformed entries are silently dropped. Internals: - is_proxy_enabled_for_host now consults no_proxy_entries_, normalizing the target through inet_pton so leading-zero or alternate-form IPs cannot be used to bypass an entry. - prepare_default_headers gates both Proxy-Authorization injection blocks (basic and bearer) on is_proxy_enabled_for_host(host_). Previously, Proxy-Authorization was sent whenever proxy auth credentials were configured, even when the request was going direct to the target. With NO_PROXY now in play, that path would leak proxy credentials to the destination server — analog of the redirect-leak class of bugs (cf. CVE-2023-32681 in Python requests, GHSA-6hrp-7fq9-3qv2 in cpp-httplib). - setup_redirect_client now takes the redirect target host as a parameter and re-evaluates is_proxy_enabled_for_host against it. no_proxy_entries_ is always copied to the redirect client so the bypass policy follows across redirects. This is the cross-origin leak surface that GHSA-c3h8-fqq4-xm4g lives in; centralizing the decision through is_proxy_enabled_for_host removes the chance of branch divergence. - copy_settings copies no_proxy_entries_. The slight behavior change for the rare misconfiguration "set proxy_basic_auth without set_proxy" — Proxy-Authorization is no longer sent in that case — is deliberate. The header has no addressee when the proxy is unset. All 608 unit tests and 22 squid-backed proxy integration tests pass. * Add Client::set_proxy_from_env with httpoxy mitigation Final user-facing piece for #2446. Reads proxy-related environment variables and configures the client. - HTTPS clients (SSLClient) read https_proxy / HTTPS_PROXY - HTTP clients read http_proxy (lowercase only — see below) - Both also read no_proxy / NO_PROXY - Returns true if at least one variable was found and applied The lowercase-only http_proxy rule mitigates httpoxy / CVE-2016-5385. In CGI / FastCGI environments the uppercase HTTP_PROXY collides with the HTTP_* namespace used to expose request headers, so a remote attacker controlling the "Proxy:" header can inject a proxy URL. cpp-httplib follows curl, Go, and Python requests in honoring only the lowercase form. https_proxy/HTTPS_PROXY and no_proxy/NO_PROXY do not have this problem because their names don't begin with HTTP_. Scheme dispatch uses virtual is_ssl(): an SSLClient picks https_proxy and a plain ClientImpl picks http_proxy. There is intentionally no cross-scheme fallback — the two variables describe different traffic. set_proxy_from_env() reads getenv() synchronously and is documented as "call once at startup" — concurrent setenv from other threads is undefined. All 608 unit tests pass. * Add NO_PROXY behavior tests 27 black-box tests exercising the public Client API only (no detail:: calls, BORDER-friendly; no EXPECT_NO_THROW, -fno-exceptions-friendly). In-process proxy mock + target server. Each test asserts which side of the routing decision each request landed on, and what headers (in particular Proxy-Authorization) the receiving side saw. Coverage: Suffix matching (dot-boundary rule) - exact-host match - subdomain match - "evilexample.com" does NOT match "example.com" ← regression guard for the classic NO_PROXY suffix-match pitfall - "example.com.evil.com" does NOT match - leading-dot pattern still matches the bare domain (Go/curl convention) - case-insensitive - trailing-dot host normalization Wildcard - "*" bypasses everything IP normalization - exact IPv4 match - "::1" matches "0:0:0:0:0:0:0:1" via inet_pton - IPv4-mapped IPv6 ("::ffff:127.0.0.1") is NOT cross-matched against an IPv4 entry CIDR - basic v4 in-cidr / not-in-cidr - "0.0.0.0/0" (prefix=0; verifies no shift UB) - bare IP treated as /32 - malformed prefix (/33) silently dropped → no NO_PROXY effect Proxy-Authorization handling - suppressed when NO_PROXY matches the target - sent when NO_PROXY does not match Backward compat - default behavior unchanged when set_no_proxy is never called Parsing edge cases - port-specific entries ("host:port") rejected - empty / whitespace tokens dropped Cross-origin redirect (analog of GHSA-6hrp-7fq9-3qv2) - redirect target in NO_PROXY → redirect leg goes direct, no Proxy-Authorization carried over set_proxy_from_env (Unix only — uses setenv/unsetenv) - lowercase http_proxy applied - uppercase HTTP_PROXY ignored (httpoxy / CVE-2016-5385) - NO_PROXY-only env returns true and applies the bypass list - CRLF in env value rejected (cf. CVE-2026-21428) - empty env value treated as unset 635 tests (608 prior + 27 new) pass under both the regular and the split builds. * Document set_no_proxy and set_proxy_from_env in README Adds two subsections under "Proxy server support": - "Bypass the proxy for specific hosts (NO_PROXY)" — set_no_proxy, pattern syntax, dot-boundary rule, IP normalization, limitations (no port-specific entries, no v4-mapped v6 cross-match, replace semantics). - "Read proxy settings from the environment" — set_proxy_from_env, which variables are read, the lowercase-only http_proxy rule with an inline httpoxy / CVE-2016-5385 explanation, threading expectations. Documentation only. Closes the doc gap from #2446. * Document NO_PROXY and set_proxy_from_env in cookbook c16-proxy Replaces the now-incorrect Note at the bottom of c16-proxy ("cpp-httplib does not read HTTP_PROXY...") with the actual API. JA is the master per the project's translation workflow; the EN translation lands in the same PR. Both pages remain `status: "draft"` for normal review. Adds two sections: - Bypass the proxy for specific hosts (set_no_proxy): pattern syntax, dot-boundary rule, case-insensitivity, IP normalization via inet_pton, port-specific-entries unsupported, malformed entries dropped. - Read proxy settings from the environment (set_proxy_from_env): which variables are read, lowercase-only http_proxy with an inline httpoxy / CVE-2016-5385 explanation, threading caveat. * Simplify NO_PROXY implementation per review Apply seven post-implementation cleanups: - Move ProxyUrl, ProxyEnvSettings and most helper forward declarations below the BORDER. Only NoProxyKind/NoProxyEntry/NormalizedTarget stay above (they are used as ClientImpl members or by inline cache state). This shrinks the public header surface area considerably. - Drop ProxyUrl::scheme: the field was write-only after parsing. Track is_https as a local during parse_proxy_url and use it for the default-port branch directly. - Hoist the duplicate is_proxy_enabled_for_host(host_) gate in write_request: the previous form had two adjacent gates bracketing an unrelated end-server bearer-token block. Reordering puts the two proxy-auth blocks together under a single gate. - Drop the redundant trim_copy + empty-check inside parse_no_proxy_list: detail::split already trims each token and skips empties, so the inner work was dead code. - Cache normalize_target(host_) on the client. host_ is const, so the normalized form is invariant for the client's lifetime. The gate is called up to 7 times per request when NO_PROXY is configured; caching avoids repeating two heap allocations + two inet_pton calls per request. Cross-host calls (only setup_redirect_client passing next_host) still compute fresh. - Trim narrative comments in setup_redirect_client and set_proxy_from_env: replace WHAT-narration with single-line WHY statements. - Drop test comments that paraphrased their own test name. All 635 unit tests pass under both the regular and split builds. * Inline proxy URL parsing and env reading; drop intermediate structs The previous design had two intermediate structs that existed only to ferry parsed values between helper functions and the consuming method: - detail::ProxyUrl: filled by parse_proxy_url, drained back into proxy_host_ / proxy_port_ / proxy_basic_auth_* by set_proxy_from_env. - detail::ProxyEnvSettings: bundle of two ProxyUrl + a NoProxyEntry vector returned by read_proxy_env, drained by set_proxy_from_env. Both bundles had exactly one producer and exactly one consumer. Drop them and let the parsing flow directly into ClientImpl state: - New private member ClientImpl::apply_proxy_url(url) parses a proxy URL and, on success, assigns the result to proxy_host_, proxy_port_, and proxy_basic_auth_*. Same validation as before (CRLF rejection, scheme allowlist, port range, IPv6 bracket validation), same commit- on-success ordering — the local variables are kept until every check has passed so a malformed URL leaves no partial state. - set_proxy_from_env now reads getenv() directly, dispatches between https_proxy / http_proxy via virtual is_ssl(), and applies via apply_proxy_url. NO_PROXY is parsed in place via parse_no_proxy_list. Net effect: - Two structs and two free helper functions removed (~150 lines of declaration + body deleted). - set_proxy_from_env body grows ~20 lines (still well under 50). - Per-request hot path is unchanged (NoProxyEntry / NormalizedTarget cache stays). Setup path is marginally faster (no intermediate string copies through ProxyUrl / ProxyEnvSettings). 635 unit tests pass under both the regular and split builds. * Trim doc comments to match the rest of httplib.h The new code carried inline doc comments (15-line set_no_proxy block, 18-line set_proxy_from_env block, plus narrating comments inside parser bodies, plus section dividers in the test file) that were heavy compared to the rest of the codebase — neighboring setters like set_proxy / set_proxy_basic_auth carry no doc at all, the test file does not use sub-section dividers, and the README / cookbook already document the behavior in detail. Removed: - Public-API doc blocks on set_no_proxy and set_proxy_from_env. - Narrating comments inside parse_no_proxy_entry, normalize_target, apply_proxy_url, host_matches_no_proxy that were just describing the obvious code structure. - Multi-line BORDER-rationale meta comments. - In-test sub-section dividers ("// ---- Hostname suffix matching", etc.) and per-class doc comments on the test fixtures. - Test-side comments that paraphrased their own test name. - Redundant ordering comments inside setup_redirect_client. Kept: - Security WHY comments (CRLF rejection, dot-boundary suffix matching, httpoxy / CVE-2016-5385, GHSA-6hrp-7fq9-3qv2 analog, CVE-2026-21428). - Regression-target WHY comments (UB shift on prefix=0). - Non-obvious external knowledge (detail::split already trims). 635 unit tests still pass under both the regular and split builds. * Add NO_PROXY tests covering edge cases found during PR review Three regression guards added during review of an alternate NO_PROXY implementation (PR #2449). All three pass on the current implementation and surface bugs in the alternate one: - BareIPv6LiteralMatchesIPv6Cidr: a host given as a bare IPv6 literal (no surrounding brackets) must still be recognized as IPv6 for CIDR matching. An implementation that only detects IPv6 when the host string starts with '[' would split the host at the first ':' and misclassify it as a hostname. - TrailingDotOnEntryIsNormalized: trailing dots must be canonicalized on BOTH sides — host and entry. An implementation that strips the host-side trailing dot only would fail to match host "example.com" against entry "example.com." because the substring lengths differ. - ValidEntryWithSurroundingWhitespaceStillMatches: an entry with leading/trailing whitespace must still match. An implementation that feeds raw tokens directly to inet_pton would reject valid CIDRs (" 10.0.0.0/8 ") because of the spaces. 635 unit tests pass. * Unify IPv4/IPv6 CIDR matching into a single byte-buffer helper Adopts the unified 16-byte address representation suggested by the alternate NO_PROXY implementation in PR #2449. Both v4 and v6 entries now share one storage type and one matcher; the v4/v6 distinction is only the address-family flag and the max prefix length. - detail::NoProxyEntry: replaces in_addr v4_net + in6_addr v6_net with a single IPBytes net (std::array). v4 occupies the first 4 bytes, v6 fills all 16. - detail::NormalizedTarget: replaces in_addr v4 + in6_addr v6 with a single IPBytes ip. - Replaces detail::ipv4_in_cidr and detail::ipv6_in_cidr with one detail::ip_in_cidr that takes the address, the network, the prefix length and the family's max bits (32 for v4, 128 for v6). The mask is constructed by the byte-fill approach from the previous v6 helper, which is straightforward to read and avoids the shift UB that the v4 helper had to special-case. - The NoProxyKind enum keeps IPv4Cidr / IPv6Cidr as separate values so the match dispatch stays explicit and IPv4 entries cannot accidentally cross-match an IPv6 target (the same address-family isolation the previous code had). Net change: -28 lines + -1 helper function. All 30 NoProxyTest cases plus 643 unit tests pass under both the regular and split builds. * Drop set_proxy_from_env per #2446 discussion Per @unterwegi's feedback in #2446, environment variable handling conflicts with cpp-httplib's long-standing policy of explicit configuration (e.g. set_ca_cert_path requires explicit paths instead of reading SSL_CERT_FILE / SSL_CERT_DIR). The NO_PROXY matching logic is the genuinely tricky part worth keeping in the library; getenv parsing is trivial and is left to the caller. - Remove Client::set_proxy_from_env, ClientImpl::set_proxy_from_env, and ClientImpl::apply_proxy_url - Remove ScopedEnv test helper and env-driven NoProxyTest cases - Replace the "Read proxy settings from the environment" docs with a short snippet showing how to parse no_proxy and feed set_no_proxy() - Keep set_no_proxy() and all NO_PROXY pattern matching intact * docs: blend NO_PROXY env-var note into c16-proxy cookbook style Match the granularity of the surrounding sections: imperative heading, inline paragraph instead of a heavyweight callout, and a simpler getenv snippet without the C++17 if-init. * Skip digest 407 retry when target is bypassed by NO_PROXY Before this fix, a NO_PROXY-bypassed origin that returns 407 Proxy-Authentication-Required with a Digest challenge would trigger the same retry path the proxy uses, computing a Proxy-Authorization header from proxy_digest_auth_* and sending the user's proxy credentials directly to that (potentially hostile) origin. A 407 from a direct origin is semantically meaningless — RFC 9110 defines it strictly as a proxy response. Skip the retry when the current target is not actually going through the proxy and let the 407 propagate to the caller unchanged. Regression test BypassedTargetReturning407DoesNotLeakProxyDigest Credentials reproduces the leak without this gate. * Make set_no_proxy safe across redirects and keep-alive Two correctness bugs that the dynamic NO_PROXY API exposed: 1. Multi-hop redirect through a bypassed host lost the proxy. setup_redirect_client only copied proxy_host_/port and the proxy auth credentials when is_proxy_enabled_for_host(next_host) was true. After a chain like A (proxied) -> B (NO_PROXY-matched, direct) -> C, the redirect client built for B had no proxy configured, so the further B -> C hop went direct even when C should have been proxied. Copy the proxy configuration unconditionally and let is_proxy_enabled_for_host gate at send time. The next_host parameter is no longer needed and removed from the signature. 2. Keep-alive socket reuse with a stale bypass decision. set_proxy() / set_no_proxy() left the existing keep-alive socket open, so the next request reused a socket pointed at the previous endpoint (proxy vs origin) while write_request emitted the new request-line form (absolute vs relative URL). Add invalidate_keep_alive_socket() and call it from both setters; the helper handles the in-flight case by deferring the close. Regression tests MultiHopRedirectThroughBypassedHostKeepsProxy and KeepAliveSocketInvalidatedOnSetNoProxy reproduce each bug without the respective fix. * Tighten NO_PROXY entry parsing Three small parser fixes surfaced during code review: - Accept bracketed IPv6 entries like "[::1]" and "[fe80::]/10". Users coming from URL syntax naturally write the bracketed form; previously it was silently rejected because inet_pton does not accept brackets and the subsequent ':' check tripped. - Reject malformed trailing-slash CIDRs like "127.0.0.1/" instead of silently treating them as /32 (or /128). A typoed entry quietly turning into a single-host bypass changes semantics with no diagnostic. - Delete detail::parse_no_proxy_list — leftover from the removed set_proxy_from_env path, no longer called from anywhere. New regression tests: BracketedIPv6EntryAccepted, BracketedIPv6CidrEntryAccepted, TrailingSlashCidrIsRejected. * Refactor: introduce disconnect() and remove invalidate_keep_alive_socket Replace the repeated `shutdown_ssl + shutdown_socket + close_socket` pattern with a single `disconnect(bool gracefully)` helper. Used by `stop()`, the send_() peer-closed and epilogue branches, and the close in process_request after a non-keep-alive response. Drop `invalidate_keep_alive_socket()` — its body collapses to a `lock + disconnect()` pair which is now inlined in `set_proxy()` and `set_no_proxy()` directly. Also simplify `setup_redirect_client`: drop the now-unused next_host parameter and the verbose comment block; the per-target proxy decision is re-evaluated at send time anyway. Net -47 lines in httplib.h. * Fix MultiHopRedirect test on Windows; trim NoProxyTest comments The bypass leg redirected to "http://localhost:/...", but on Windows `localhost` resolves to ::1 first while the mock server is bound to 127.0.0.1, causing the redirect leg to time out. Use the literal 127.0.0.1 in the Location and switch the NO_PROXY entry to match, so the test exercises the same multi-hop path on every platform. Also trim the heavier inline comments and EXPECT messages I added on recent NoProxyTest cases so they match the surrounding test style. * Consolidate NoProxyTest server boilerplate; drop hardcoded sentinel ports Add a small ScopedServer helper to no_proxy_test that wraps the bind/listen/thread/cleanup dance (~13 lines per server before). Use it to rewrite the four big tests (Redirect, BypassedTarget407, MultiHop, KeepAlive), shaving ~100 lines. Also drop the hardcoded port-1 / port-80 sentinels that violated the "new standalone tests MUST use bind_to_any_port" convention and risked collisions across gtest shards: re-use existing dynamic ports (target.port() / bypass_server.port()) instead. Verified pass under 4-shard parallel run. * Trim README NO_PROXY section to match surrounding granularity The block had ballooned to 62 lines while neighboring subsections (Authentication, Proxy server support, Range, Redirect) are 13-18 each. Collapse to a single code example + one-line behavior summary; point at the cookbook for the entry-form details, env-var parsing snippet, and httpoxy note that used to live inline. --- README.md | 11 + docs-src/pages/en/cookbook/c16-proxy.md | 37 +- docs-src/pages/ja/cookbook/c16-proxy.md | 37 +- httplib.h | 331 +++++++++++-- test/test.cc | 597 ++++++++++++++++++++++++ 5 files changed, 966 insertions(+), 47 deletions(-) diff --git a/README.md b/README.md index 1037ab2..d4bbb2e 100644 --- a/README.md +++ b/README.md @@ -1181,6 +1181,17 @@ cli.set_proxy_bearer_token_auth("pass"); > [!NOTE] > OpenSSL is required for Digest Authentication. +#### Bypass the proxy for specific hosts (`NO_PROXY`) + +```cpp +cli.set_no_proxy({"internal.corp", "10.0.0.0/8", "*.dev.local"}); +``` + +Each pattern is `*`, a hostname suffix, an IP literal, or a CIDR block. +Hostname matching is case-insensitive with a dot-boundary rule. See the +[NO_PROXY cookbook](https://yhirose.github.io/cpp-httplib/en/cookbook/c16-proxy) +for details and for reading the variable from the environment. + ### Range ```cpp diff --git a/docs-src/pages/en/cookbook/c16-proxy.md b/docs-src/pages/en/cookbook/c16-proxy.md index 5b193b3..f860eb0 100644 --- a/docs-src/pages/en/cookbook/c16-proxy.md +++ b/docs-src/pages/en/cookbook/c16-proxy.md @@ -49,4 +49,39 @@ cli.set_bearer_token_auth("api-token"); // for the end server `Proxy-Authorization` is sent to the proxy, `Authorization` to the end server. -> **Note:** cpp-httplib does not read `HTTP_PROXY` or `HTTPS_PROXY` environment variables automatically. If you want to honor them, read them in your application and pass the values to `set_proxy()`. +## Bypass the proxy for specific hosts + +You often want internal endpoints to skip the proxy. Configure a bypass list with `set_no_proxy()`. + +```cpp +cli.set_proxy("proxy.internal", 8080); +cli.set_no_proxy({"internal.corp", "10.0.0.0/8", "*.dev.local"}); +``` + +Each entry is one of: + +- `*` — bypass the proxy for all hosts +- a hostname suffix (e.g. `example.com`) — matches `example.com` itself and any subdomain (`foo.example.com`). A leading dot is permitted but informational; both forms are equivalent. +- a single IP literal (e.g. `192.168.1.1`, `::1`) +- a CIDR block (e.g. `10.0.0.0/8`, `fe80::/10`) + +Hostname matching is case-insensitive and uses a dot-boundary rule, so an entry of `example.com` does **not** match `evilexample.com`. IP comparisons are normalized through `inet_pton`, so `127.0.0.1` cannot be bypassed via alternate string forms (e.g. `127.000.000.001`). When an entry matches, the `Proxy-Authorization` header is suppressed as well. + +Malformed entries are silently dropped. Port-specific entries such as `example.com:8080` are not supported (cpp-httplib's other host-keyed APIs are also keyed on hostname only). + +## Read proxy settings from the environment + +cpp-httplib doesn't touch `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY` on its own — the config API is always explicit, the same way `set_ca_cert_path()` is. If you'd like that behavior, read the variables in your application and feed them to `set_proxy()` and `set_no_proxy()`. + +```cpp +if (const char *v = std::getenv("no_proxy")) { + std::vector patterns; + std::stringstream ss(v); + for (std::string item; std::getline(ss, item, ',');) { + if (!item.empty()) { patterns.push_back(item); } + } + cli.set_no_proxy(patterns); +} +``` + +If you also read `HTTP_PROXY` yourself, honor the lowercase `http_proxy` only. The uppercase form is poisoned in CGI/FastCGI environments by the `Proxy:` request header ([CVE-2016-5385 / "httpoxy"](https://httpoxy.org/)). `HTTPS_PROXY` and `NO_PROXY` are safe in either case because their names don't begin with `HTTP_`. diff --git a/docs-src/pages/ja/cookbook/c16-proxy.md b/docs-src/pages/ja/cookbook/c16-proxy.md index 296035e..21d9b92 100644 --- a/docs-src/pages/ja/cookbook/c16-proxy.md +++ b/docs-src/pages/ja/cookbook/c16-proxy.md @@ -49,4 +49,39 @@ cli.set_bearer_token_auth("api-token"); // エンドサーバー向け プロキシには`Proxy-Authorization`、エンドサーバーには`Authorization`ヘッダーが送られます。 -> **Note:** 環境変数の`HTTP_PROXY`や`HTTPS_PROXY`は自動的には読まれません。必要ならアプリケーション側で読み取って`set_proxy()`に渡してください。 +## 特定のホストだけプロキシをバイパスする + +社内エンドポイントなどはプロキシを経由させたくないことがあります。`set_no_proxy()`で除外リストを指定できます。 + +```cpp +cli.set_proxy("proxy.internal", 8080); +cli.set_no_proxy({"internal.corp", "10.0.0.0/8", "*.dev.local"}); +``` + +エントリは次のいずれかです。 + +- `*` — すべてのホストでバイパス +- ホスト名サフィックス(例: `example.com`)— `example.com`本体と任意のサブドメイン(`foo.example.com`)にマッチ。先頭にドットを付けても同じ意味です(`.example.com`)。 +- 単一のIPリテラル(例: `192.168.1.1`、`::1`) +- CIDRブロック(例: `10.0.0.0/8`、`fe80::/10`) + +ホスト名のマッチは大文字小文字を区別せず、ドット境界でしか一致しません。たとえば`example.com`というエントリは`evilexample.com`にはマッチしません。IPの比較は`inet_pton`で正規化されるので、`127.0.0.1`を`127.000.000.001`のような別表記でバイパスすることはできません。マッチした場合、`Proxy-Authorization`ヘッダーも自動的に外れます。 + +不正な書式のエントリは黙って捨てられます。`example.com:8080`のようなポート指定エントリはサポート外です(cpp-httplibの他のホストキーAPIもホスト名のみを扱う設計のため)。 + +## 環境変数からプロキシ設定を読み込む + +cpp-httplib本体は`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`を読みません。`set_ca_cert_path()`と同じで、設定APIは常に明示的にしています。環境変数を反映させたい場合は、アプリ側で読んで`set_proxy()`や`set_no_proxy()`に渡してください。 + +```cpp +if (const char *v = std::getenv("no_proxy")) { + std::vector patterns; + std::stringstream ss(v); + for (std::string item; std::getline(ss, item, ',');) { + if (!item.empty()) { patterns.push_back(item); } + } + cli.set_no_proxy(patterns); +} +``` + +`HTTP_PROXY`も自分で読むなら、小文字の`http_proxy`だけを採用してください。大文字の方はCGI/FastCGI環境で`Proxy:`リクエストヘッダーから汚染される可能性があります([CVE-2016-5385 / "httpoxy"](https://httpoxy.org/))。`HTTPS_PROXY`と`NO_PROXY`は名前が`HTTP_`で始まらないので、どちらの大文字小文字でも安全です。 diff --git a/httplib.h b/httplib.h index d54534c..74eed7f 100644 --- a/httplib.h +++ b/httplib.h @@ -2024,6 +2024,31 @@ inline ssize_t read_body_content(Stream *stream, BodyReader &br, char *buf, class decompressor; +enum class NoProxyKind { + Wildcard, // "*" + HostnameSuffix, // "example.com" or ".example.com" + IPv4Cidr, // "10.0.0.0/8" (or single IP, treated as /32) + IPv6Cidr, // "fe80::/10" (or single IP, treated as /128) +}; + +// Unified 16-byte buffer holding either a v4 (first 4 bytes) or v6 address. +// Lets one CIDR matcher cover both families. +using IPBytes = std::array; + +struct NoProxyEntry { + NoProxyKind kind = NoProxyKind::Wildcard; + std::string hostname_pattern; // lowercased, leading/trailing dot stripped + IPBytes net{}; + int prefix_bits = 0; +}; + +struct NormalizedTarget { + std::string hostname; // lowercase; brackets and trailing dot removed + bool is_ipv4 = false; + bool is_ipv6 = false; + IPBytes ip{}; +}; + } // namespace detail class ClientImpl { @@ -2240,6 +2265,7 @@ public: void set_proxy_basic_auth(const std::string &username, const std::string &password); void set_proxy_bearer_token_auth(const std::string &token); + void set_no_proxy(const std::vector &patterns); void set_logger(Logger logger); void set_error_logger(ErrorLogger error_logger); @@ -2265,16 +2291,19 @@ protected: std::chrono::time_point start_time, Response &res, bool &success, Error &error); + bool is_proxy_enabled_for_host(const std::string &host) const; + // All of: // shutdown_ssl // shutdown_socket // close_socket - // should ONLY be called when socket_mutex_ is locked. - // Also, shutdown_ssl and close_socket should also NOT be called concurrently - // with a DIFFERENT thread sending requests using that socket. + // disconnect + // should ONLY be called when socket_mutex_ is locked, and only when + // no other thread is using the socket. virtual void shutdown_ssl(Socket &socket, bool shutdown_gracefully); void shutdown_socket(Socket &socket) const; void close_socket(Socket &socket); + void disconnect(bool gracefully); bool process_request(Stream &strm, Request &req, Response &res, bool close_connection, Error &error); @@ -2352,6 +2381,11 @@ protected: std::string proxy_basic_auth_password_; std::string proxy_bearer_token_auth_token_; + std::vector no_proxy_entries_; + + mutable detail::NormalizedTarget host_normalized_; + mutable bool host_normalized_valid_ = false; + mutable std::mutex logger_mutex_; Logger logger_; ErrorLogger error_logger_; @@ -2612,6 +2646,7 @@ public: void set_proxy_basic_auth(const std::string &username, const std::string &password); void set_proxy_bearer_token_auth(const std::string &token); + void set_no_proxy(const std::vector &patterns); void set_logger(Logger logger); void set_error_logger(ErrorLogger error_logger); @@ -10513,6 +10548,176 @@ make_host_and_port_string_always_port(const std::string &host, int port) { return prepare_host_string(host) + ":" + std::to_string(port); } +bool parse_no_proxy_entry(const std::string &token, NoProxyEntry &out); +NormalizedTarget normalize_target(const std::string &host); +bool ip_in_cidr(const IPBytes &ip, const IPBytes &net, int prefix_bits); +bool host_matches_no_proxy(const NormalizedTarget &target, + const std::vector &entries); + +inline bool ip_in_cidr(const IPBytes &ip, const IPBytes &net, int prefix_bits) { + if (prefix_bits < 0 || prefix_bits > 128) { return false; } + if (prefix_bits == 0) { return true; } + int full_bytes = prefix_bits / 8; + int rem_bits = prefix_bits % 8; + if (full_bytes > 0 && std::memcmp(ip.data(), net.data(), + static_cast(full_bytes)) != 0) { + return false; + } + if (rem_bits == 0) { return true; } + auto i = static_cast(full_bytes); + auto mask = static_cast(0xFFu << (8 - rem_bits)); + return (ip[i] & mask) == (net[i] & mask); +} + +inline bool parse_no_proxy_entry(const std::string &token, NoProxyEntry &out) { + if (token.empty()) { return false; } + + if (token == "*") { + out.kind = NoProxyKind::Wildcard; + return true; + } + + auto slash = token.find('/'); + std::string addr_part = + (slash == std::string::npos) ? token : token.substr(0, slash); + std::string prefix_part = + (slash == std::string::npos) ? std::string() : token.substr(slash + 1); + + // A bare slash or trailing-slash CIDR like "10.0.0.0/" is malformed; + // don't silently treat it as a /32 (or /128). + if (slash != std::string::npos && prefix_part.empty()) { return false; } + + // Accept the bracketed IPv6 form ("[::1]", "[fe80::]/10") as well as the + // bare form. Brackets have no meaning for IPv4, so skip the IPv4 attempt + // when brackets are present. + bool bracketed = addr_part.size() >= 2 && addr_part.front() == '[' && + addr_part.back() == ']'; + if (bracketed) { addr_part = addr_part.substr(1, addr_part.size() - 2); } + + if (!bracketed) { + struct in_addr v4; + if (inet_pton(AF_INET, addr_part.c_str(), &v4) == 1) { + int prefix = 32; + if (!prefix_part.empty()) { + auto r = from_chars(prefix_part.data(), + prefix_part.data() + prefix_part.size(), prefix); + if (r.ec != std::errc{} || + r.ptr != prefix_part.data() + prefix_part.size()) { + return false; + } + if (prefix < 0 || prefix > 32) { return false; } + } + out.kind = NoProxyKind::IPv4Cidr; + std::memcpy(out.net.data(), &v4, sizeof(v4)); + out.prefix_bits = prefix; + return true; + } + } + + struct in6_addr v6; + if (inet_pton(AF_INET6, addr_part.c_str(), &v6) == 1) { + int prefix = 128; + if (!prefix_part.empty()) { + auto r = from_chars(prefix_part.data(), + prefix_part.data() + prefix_part.size(), prefix); + if (r.ec != std::errc{} || + r.ptr != prefix_part.data() + prefix_part.size()) { + return false; + } + if (prefix < 0 || prefix > 128) { return false; } + } + out.kind = NoProxyKind::IPv6Cidr; + std::memcpy(out.net.data(), &v6, sizeof(v6)); + out.prefix_bits = prefix; + return true; + } + + // Bracketed entries can only be IPv6. If the IPv6 parse above failed, + // the entry is malformed — don't fall through to the hostname branch. + if (bracketed) { return false; } + + // A '/' on a non-IP token means a CIDR prefix without an address. Reject. + if (slash != std::string::npos) { return false; } + // Port-specific entries (host:port) are not supported. + if (token.find(':') != std::string::npos) { return false; } + + std::string hostname = case_ignore::to_lower(token); + while (!hostname.empty() && hostname.front() == '.') { + hostname.erase(hostname.begin()); + } + while (!hostname.empty() && hostname.back() == '.') { + hostname.pop_back(); + } + if (hostname.empty()) { return false; } + + out.kind = NoProxyKind::HostnameSuffix; + out.hostname_pattern = std::move(hostname); + return true; +} + +inline NormalizedTarget normalize_target(const std::string &host) { + NormalizedTarget t; + std::string h = host; + + if (h.size() >= 2 && h.front() == '[' && h.back() == ']') { + h = h.substr(1, h.size() - 2); + } + + // Strip a single trailing dot so "example.com." canonicalizes to + // "example.com". + if (!h.empty() && h.back() == '.') { h.pop_back(); } + + t.hostname = case_ignore::to_lower(h); + + if (!t.hostname.empty()) { + struct in_addr v4; + struct in6_addr v6; + if (inet_pton(AF_INET, t.hostname.c_str(), &v4) == 1) { + t.is_ipv4 = true; + std::memcpy(t.ip.data(), &v4, sizeof(v4)); + } else if (inet_pton(AF_INET6, t.hostname.c_str(), &v6) == 1) { + t.is_ipv6 = true; + std::memcpy(t.ip.data(), &v6, sizeof(v6)); + } + } + return t; +} + +inline bool host_matches_no_proxy(const NormalizedTarget &target, + const std::vector &entries) { + if (target.hostname.empty()) { return false; } + for (const auto &e : entries) { + switch (e.kind) { + case NoProxyKind::Wildcard: return true; + case NoProxyKind::IPv4Cidr: + if (target.is_ipv4 && ip_in_cidr(target.ip, e.net, e.prefix_bits)) { + return true; + } + break; + case NoProxyKind::IPv6Cidr: + if (target.is_ipv6 && ip_in_cidr(target.ip, e.net, e.prefix_bits)) { + return true; + } + break; + case NoProxyKind::HostnameSuffix: + if (target.is_ipv4 || target.is_ipv6) { break; } + if (target.hostname == e.hostname_pattern) { return true; } + // Dot-boundary suffix match: prevents "evilexample.com" from matching + // an entry of "example.com". + if (target.hostname.size() > e.hostname_pattern.size() + 1) { + auto offset = target.hostname.size() - e.hostname_pattern.size(); + if (target.hostname[offset - 1] == '.' && + target.hostname.compare(offset, e.hostname_pattern.size(), + e.hostname_pattern) == 0) { + return true; + } + } + break; + } + } + return false; +} + template inline bool check_and_write_headers(Stream &strm, Headers &headers, T header_writer, Error &error) { @@ -12318,6 +12523,7 @@ inline void ClientImpl::copy_settings(const ClientImpl &rhs) { proxy_basic_auth_username_ = rhs.proxy_basic_auth_username_; proxy_basic_auth_password_ = rhs.proxy_basic_auth_password_; proxy_bearer_token_auth_token_ = rhs.proxy_bearer_token_auth_token_; + no_proxy_entries_ = rhs.no_proxy_entries_; logger_ = rhs.logger_; error_logger_ = rhs.error_logger_; @@ -12333,8 +12539,25 @@ inline void ClientImpl::copy_settings(const ClientImpl &rhs) { #endif } +inline bool +ClientImpl::is_proxy_enabled_for_host(const std::string &host) const { + if (proxy_host_.empty() || proxy_port_ == -1) { return false; } + if (no_proxy_entries_.empty()) { return true; } + // host_ is const so its normalized form is invariant; cache it. The + // cross-host path (setup_redirect_client passing next_host) re-normalizes. + if (host == host_) { + if (!host_normalized_valid_) { + host_normalized_ = detail::normalize_target(host_); + host_normalized_valid_ = true; + } + return !detail::host_matches_no_proxy(host_normalized_, no_proxy_entries_); + } + auto target = detail::normalize_target(host); + return !detail::host_matches_no_proxy(target, no_proxy_entries_); +} + inline socket_t ClientImpl::create_client_socket(Error &error) const { - if (!proxy_host_.empty() && proxy_port_ != -1) { + if (is_proxy_enabled_for_host(host_)) { return detail::create_client_socket( proxy_host_, std::string(), proxy_port_, address_family_, tcp_nodelay_, ipv6_v6only_, socket_options_, connection_timeout_sec_, @@ -12406,6 +12629,12 @@ inline void ClientImpl::close_socket(Socket &socket) { socket.sock = INVALID_SOCKET; } +inline void ClientImpl::disconnect(bool gracefully) { + shutdown_ssl(socket_, gracefully); + shutdown_socket(socket_); + close_socket(socket_); +} + inline bool ClientImpl::read_response_line(Stream &strm, const Request &req, Response &res, bool skip_100_continue) const { @@ -12477,14 +12706,8 @@ inline bool ClientImpl::send_(Request &req, Response &res, Error &error) { #endif if (!is_alive) { - // Attempt to avoid sigpipe by shutting down non-gracefully if it - // seems like the other side has already closed the connection Also, - // there cannot be any requests in flight from other threads since we - // locked request_mutex_, so safe to close everything immediately - const bool shutdown_gracefully = false; - shutdown_ssl(socket_, shutdown_gracefully); - shutdown_socket(socket_); - close_socket(socket_); + // Peer seems gone — non-graceful shutdown to avoid SIGPIPE. + disconnect(/*gracefully=*/false); } } @@ -12534,9 +12757,7 @@ inline bool ClientImpl::send_(Request &req, Response &res, Error &error) { if (socket_should_be_closed_when_request_is_done_ || close_connection || !ret) { - shutdown_ssl(socket_, true); - shutdown_socket(socket_); - close_socket(socket_); + disconnect(/*gracefully=*/true); } }); @@ -12649,11 +12870,7 @@ ClientImpl::open_stream(const std::string &method, const std::string &path, } } #endif - if (!is_alive) { - shutdown_ssl(socket_, false); - shutdown_socket(socket_); - close_socket(socket_); - } + if (!is_alive) { disconnect(/*gracefully=*/false); } } if (!is_alive) { @@ -12945,7 +13162,7 @@ inline bool ClientImpl::handle_request(Stream &strm, Request &req, bool ret; - if (!is_ssl() && !proxy_host_.empty() && proxy_port_ != -1) { + if (!is_ssl() && is_proxy_enabled_for_host(host_)) { auto req2 = req; req2.path = "http://" + detail::make_host_and_port_string(host_, port_, false) + @@ -12969,9 +13186,7 @@ inline bool ClientImpl::handle_request(Stream &strm, Request &req, // to call it from a different thread since it's a thread-safety issue // to do these things to the socket if another thread is using the socket. std::lock_guard guard(socket_mutex_); - shutdown_ssl(socket_, true); - shutdown_socket(socket_); - close_socket(socket_); + disconnect(/*gracefully=*/true); } if (300 < res.status && res.status < 400 && follow_location_) { @@ -12984,6 +13199,12 @@ inline bool ClientImpl::handle_request(Stream &strm, Request &req, res.status == StatusCode::ProxyAuthenticationRequired_407) && req.authorization_count_ < 5) { auto is_proxy = res.status == StatusCode::ProxyAuthenticationRequired_407; + + // A 407 from a direct (NO_PROXY-bypassed) origin is meaningless and + // must not trigger a retry — that would let the origin extract the + // user's proxy digest credentials. + if (is_proxy && !is_proxy_enabled_for_host(host_)) { return ret; } + const auto &username = is_proxy ? proxy_digest_auth_username_ : digest_auth_username_; const auto &password = @@ -13151,13 +13372,13 @@ inline void ClientImpl::setup_redirect_client(ClientType &client) { // host. This function is only called for cross-host redirects; same-host // redirects are handled directly in ClientImpl::redirect(). - // Setup proxy configuration (CRITICAL ORDER - proxy must be set - // before proxy auth) + // Copy the proxy configuration unconditionally; the per-target bypass is + // re-evaluated at send time, so a later hop to a non-bypassed host can + // still use the proxy. + client.no_proxy_entries_ = no_proxy_entries_; if (!proxy_host_.empty() && proxy_port_ != -1) { - // First set proxy host and port client.set_proxy(proxy_host_, proxy_port_); - // Then set proxy authentication (order matters!) if (!proxy_basic_auth_username_.empty()) { client.set_proxy_basic_auth(proxy_basic_auth_username_, proxy_basic_auth_password_); @@ -13248,14 +13469,6 @@ inline bool ClientImpl::write_request(Stream &strm, Request &req, } } - if (!proxy_basic_auth_username_.empty() && - !proxy_basic_auth_password_.empty()) { - if (!req.has_header("Proxy-Authorization")) { - req.headers.insert(make_basic_authentication_header( - proxy_basic_auth_username_, proxy_basic_auth_password_, true)); - } - } - if (!bearer_token_auth_token_.empty()) { if (!req.has_header("Authorization")) { req.headers.insert(make_bearer_token_authentication_header( @@ -13263,8 +13476,18 @@ inline bool ClientImpl::write_request(Stream &strm, Request &req, } } - if (!proxy_bearer_token_auth_token_.empty()) { - if (!req.has_header("Proxy-Authorization")) { + // Proxy-Authorization is only sent when the proxy is actually used for + // this target — otherwise NO_PROXY-matched requests would leak proxy + // credentials directly to the destination server. + if (is_proxy_enabled_for_host(host_)) { + if (!proxy_basic_auth_username_.empty() && + !proxy_basic_auth_password_.empty() && + !req.has_header("Proxy-Authorization")) { + req.headers.insert(make_basic_authentication_header( + proxy_basic_auth_username_, proxy_basic_auth_password_, true)); + } + if (!proxy_bearer_token_auth_token_.empty() && + !req.has_header("Proxy-Authorization")) { req.headers.insert(make_bearer_token_authentication_header( proxy_bearer_token_auth_token_, true)); } @@ -13574,7 +13797,7 @@ inline bool ClientImpl::process_request(Stream &strm, Request &req, #ifdef CPPHTTPLIB_SSL_ENABLED if (is_ssl() && !expect_100_continue) { - auto is_proxy_enabled = !proxy_host_.empty() && proxy_port_ != -1; + auto is_proxy_enabled = is_proxy_enabled_for_host(host_); if (!is_proxy_enabled) { if (tls::is_peer_closed(socket_.ssl, socket_.sock)) { error = Error::SSLPeerCouldBeClosed_; @@ -14581,10 +14804,7 @@ inline void ClientImpl::stop() { return; } - // Otherwise, still holding the mutex, we can shut everything down ourselves - shutdown_ssl(socket_, true); - shutdown_socket(socket_); - close_socket(socket_); + disconnect(/*gracefully=*/true); } inline std::string ClientImpl::host() const { return host_; } @@ -14675,6 +14895,8 @@ inline void ClientImpl::set_interface(const std::string &intf) { inline void ClientImpl::set_proxy(const std::string &host, int port) { proxy_host_ = host; proxy_port_ = port; + std::lock_guard guard(socket_mutex_); + disconnect(/*gracefully=*/true); } inline void ClientImpl::set_proxy_basic_auth(const std::string &username, @@ -14687,6 +14909,22 @@ inline void ClientImpl::set_proxy_bearer_token_auth(const std::string &token) { proxy_bearer_token_auth_token_ = token; } +inline void ClientImpl::set_no_proxy(const std::vector &patterns) { + std::vector parsed; + parsed.reserve(patterns.size()); + for (const auto &p : patterns) { + auto trimmed = detail::trim_copy(p); + if (trimmed.empty()) { continue; } + detail::NoProxyEntry entry; + if (detail::parse_no_proxy_entry(trimmed, entry)) { + parsed.push_back(std::move(entry)); + } + } + no_proxy_entries_ = std::move(parsed); + std::lock_guard guard(socket_mutex_); + disconnect(/*gracefully=*/true); +} + #ifdef CPPHTTPLIB_SSL_ENABLED inline void ClientImpl::set_digest_auth(const std::string &username, const std::string &password) { @@ -15388,6 +15626,9 @@ inline void Client::set_proxy_basic_auth(const std::string &username, inline void Client::set_proxy_bearer_token_auth(const std::string &token) { cli_->set_proxy_bearer_token_auth(token); } +inline void Client::set_no_proxy(const std::vector &patterns) { + cli_->set_no_proxy(patterns); +} inline void Client::set_logger(Logger logger) { cli_->set_logger(std::move(logger)); @@ -15617,7 +15858,7 @@ inline bool SSLClient::setup_proxy_connection( Socket &socket, std::chrono::time_point start_time, Response &res, bool &success, Error &error) { - if (proxy_host_.empty() || proxy_port_ == -1) { return true; } + if (!is_proxy_enabled_for_host(host_)) { return true; } if (!connect_with_proxy(socket, start_time, res, success, error)) { return false; @@ -15730,7 +15971,7 @@ inline bool SSLClient::connect_with_proxy( inline bool SSLClient::ensure_socket_connection(Socket &socket, Error &error) { if (!ClientImpl::ensure_socket_connection(socket, error)) { return false; } - if (!proxy_host_.empty() && proxy_port_ != -1) { return true; } + if (is_proxy_enabled_for_host(host_)) { return true; } if (!initialize_ssl(socket, error)) { shutdown_socket(socket); diff --git a/test/test.cc b/test/test.cc index e968322..6f64a1c 100644 --- a/test/test.cc +++ b/test/test.cc @@ -18276,3 +18276,600 @@ TEST(KeepAliveTest, DeleteWithoutContentLengthDoesNotEatNextRequest) { EXPECT_EQ(2, delete_count.load()); } + +namespace no_proxy_test { + +// Server bound to 127.0.0.1:, listen thread spawned by listen(), +// auto-stopped + joined on scope exit. Register handlers via svr() BEFORE +// calling listen(). +class ScopedServer { +public: + ScopedServer() { port_ = svr_.bind_to_any_port("127.0.0.1"); } + ~ScopedServer() { + svr_.stop(); + if (th_.joinable()) { th_.join(); } + } + Server &svr() { return svr_; } + int port() const { return port_; } + void listen() { + th_ = std::thread([this] { svr_.listen_after_bind(); }); + svr_.wait_until_ready(); + } + +private: + Server svr_; + std::thread th_; + int port_ = 0; +}; + +class ProxyAndTargetServers { +public: + ProxyAndTargetServers() { + proxy_mock_.Get(".*", [this](const Request &req, Response &res) { + proxy_hits_++; + last_had_proxy_authz_ = req.has_header("Proxy-Authorization"); + res.set_content("via-proxy", "text/plain"); + }); + target_.Get(".*", [this](const Request &req, Response &res) { + target_hits_++; + last_had_proxy_authz_ = req.has_header("Proxy-Authorization"); + res.set_content("direct", "text/plain"); + }); + + proxy_port_ = proxy_mock_.bind_to_any_port("127.0.0.1"); + target_port_ = target_.bind_to_any_port("127.0.0.1"); + proxy_thread_ = std::thread([this] { proxy_mock_.listen_after_bind(); }); + target_thread_ = std::thread([this] { target_.listen_after_bind(); }); + proxy_mock_.wait_until_ready(); + target_.wait_until_ready(); + } + + ~ProxyAndTargetServers() { + proxy_mock_.stop(); + target_.stop(); + if (proxy_thread_.joinable()) { proxy_thread_.join(); } + if (target_thread_.joinable()) { target_thread_.join(); } + } + + Server &proxy_mock() { return proxy_mock_; } + Server &target() { return target_; } + int proxy_port() const { return proxy_port_; } + int target_port() const { return target_port_; } + int proxy_hits() const { return proxy_hits_.load(); } + int target_hits() const { return target_hits_.load(); } + bool last_had_proxy_authz() const { return last_had_proxy_authz_.load(); } + + void reset_counters() { + proxy_hits_ = 0; + target_hits_ = 0; + last_had_proxy_authz_ = false; + } + +private: + Server proxy_mock_; + Server target_; + std::thread proxy_thread_; + std::thread target_thread_; + int proxy_port_ = 0; + int target_port_ = 0; + std::atomic proxy_hits_{0}; + std::atomic target_hits_{0}; + std::atomic last_had_proxy_authz_{false}; +}; + +inline std::unique_ptr make_client(const std::string &host, + ProxyAndTargetServers &s) { + auto cli = detail::make_unique(host, s.target_port()); + cli->set_hostname_addr_map({{host, "127.0.0.1"}}); + cli->set_proxy("127.0.0.1", s.proxy_port()); + return cli; +} + +} // namespace no_proxy_test + +using no_proxy_test::make_client; +using no_proxy_test::ProxyAndTargetServers; + +TEST(NoProxyTest, ExactHostnameBypasses) { + ProxyAndTargetServers s; + auto cli = make_client("example.com", s); + cli->set_no_proxy({"example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, SubdomainBypasses) { + ProxyAndTargetServers s; + auto cli = make_client("foo.example.com", s); + cli->set_no_proxy({"example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, EvilExampleDoesNotMatchExample) { + // Regression guard: "evilexample.com" must not be considered a subdomain + // of "example.com". Without the dot-boundary rule, a naive endsWith + // check would let traffic bypass the proxy and leak credentials direct + // to the attacker host. + ProxyAndTargetServers s; + auto cli = make_client("evilexample.com", s); + cli->set_no_proxy({"example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, ExampleDotEvilDoesNotMatchExample) { + ProxyAndTargetServers s; + auto cli = make_client("example.com.evil.com", s); + cli->set_no_proxy({"example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, LeadingDotPatternMatchesBareDomain) { + ProxyAndTargetServers s; + auto cli = make_client("example.com", s); + cli->set_no_proxy({".example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, CaseInsensitiveHostname) { + ProxyAndTargetServers s; + auto cli = make_client("Example.COM", s); + cli->set_no_proxy({"EXAMPLE.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, TrailingDotIsNormalized) { + ProxyAndTargetServers s; + auto cli = make_client("example.com.", s); + cli->set_no_proxy({"example.com"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, TrailingDotOnEntryIsNormalized) { + // Trailing dots must be normalized on BOTH sides — host and entry. + // An implementation that only strips the host-side trailing dot would + // fail to match host "example.com" against entry "example.com." because + // a literal substring search would compare 11 chars against 12. + ProxyAndTargetServers s; + auto cli = make_client("example.com", s); + cli->set_no_proxy({"example.com."}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, WildcardBypassesEverything) { + ProxyAndTargetServers s; + auto cli = make_client("anything.invalid.test", s); + cli->set_no_proxy({"*"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, IPv4LiteralExactMatch) { + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.1"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, IPv6LiteralExactMatchAcrossEquivalentForms) { + ProxyAndTargetServers s; + Client cli("0:0:0:0:0:0:0:1", s.target_port()); + cli.set_hostname_addr_map({{"0:0:0:0:0:0:0:1", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"::1"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, BareIPv6LiteralMatchesIPv6Cidr) { + // Regression guard: a bare IPv6 host literal (no surrounding brackets) + // must still be recognized as IPv6 for CIDR matching. Implementations + // that detect IPv6 only when the host begins with '[' would parse the + // host as a hostname and miss the match. + ProxyAndTargetServers s; + Client cli("fe80::1", s.target_port()); + cli.set_hostname_addr_map({{"fe80::1", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"fe80::/10"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, BracketedIPv6EntryAccepted) { + ProxyAndTargetServers s; + Client cli("::1", s.target_port()); + cli.set_hostname_addr_map({{"::1", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"[::1]"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, BracketedIPv6CidrEntryAccepted) { + ProxyAndTargetServers s; + Client cli("fe80::1", s.target_port()); + cli.set_hostname_addr_map({{"fe80::1", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"[fe80::]/10"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, IPv4MappedIPv6IsNotCrossMatchedAgainstIPv4Entry) { + // Policy: keep address families separate. "::ffff:1.2.3.4" must NOT + // satisfy a NO_PROXY entry of "1.2.3.4". This avoids subtle bypass + // tricks via address-family conversion. + ProxyAndTargetServers s; + Client cli("::ffff:127.0.0.1", s.target_port()); + cli.set_hostname_addr_map({{"::ffff:127.0.0.1", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.1"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, IPv4CidrMatch) { + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.0/8"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, IPv4CidrNonMatch) { + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"10.0.0.0/8"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, IPv4CidrPrefixZeroMatchesAll) { + // Prefix 0 must not trigger the (1u << 32) shift UB. Result: every + // IPv4 target matches. + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"0.0.0.0/0"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, IPv4CidrSingleHostNoSlash) { + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.1"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, MalformedCidrPrefixIsDropped) { + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.0/33"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, TrailingSlashCidrIsRejected) { + // Empty prefix after the slash must be rejected, not silently treated as /32. + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({"127.0.0.1/"}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, ProxyAuthorizationSuppressedWhenBypassed) { + ProxyAndTargetServers s; + auto cli = make_client("internal.corp", s); + cli->set_proxy_basic_auth("u", "p"); + cli->set_no_proxy({"internal.corp"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(1, s.target_hits()); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_FALSE(s.last_had_proxy_authz()) + << "Proxy-Authorization must not be sent direct to the target"; +} + +TEST(NoProxyTest, ProxyAuthorizationSentWhenNotBypassed) { + ProxyAndTargetServers s; + auto cli = make_client("public.example", s); + cli->set_proxy_basic_auth("u", "p"); + cli->set_no_proxy({"internal.corp"}); // does not match + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_TRUE(s.last_had_proxy_authz()); +} + +TEST(NoProxyTest, EmptyNoProxyKeepsProxyOn) { + ProxyAndTargetServers s; + auto cli = make_client("anything.test", s); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, PortSpecificEntryRejected) { + ProxyAndTargetServers s; + auto cli = make_client("example.com", s); + cli->set_no_proxy({"example.com:8080"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, EmptyAndWhitespaceEntriesDropped) { + ProxyAndTargetServers s; + auto cli = make_client("anything.test", s); + cli->set_no_proxy({"", " ", "\t"}); + + auto res = cli->Get("/"); + ASSERT_TRUE(res); + EXPECT_GE(s.proxy_hits(), 1); + EXPECT_EQ(0, s.target_hits()); +} + +TEST(NoProxyTest, ValidEntryWithSurroundingWhitespaceStillMatches) { + // An entry with leading/trailing whitespace must still match — env-style + // values are commonly pasted with stray spaces and an implementation + // that feeds the raw token directly to inet_pton would fail to match + // valid CIDRs because of the spaces. + ProxyAndTargetServers s; + Client cli("127.0.0.1", s.target_port()); + cli.set_proxy("127.0.0.1", s.proxy_port()); + cli.set_no_proxy({" 127.0.0.0/8 "}); + + auto res = cli.Get("/"); + ASSERT_TRUE(res); + EXPECT_EQ(0, s.proxy_hits()); + EXPECT_EQ(1, s.target_hits()); +} + +TEST(NoProxyTest, RedirectToBypassedHostStripsProxyAndProxyAuth) { + // Analog of GHSA-6hrp-7fq9-3qv2: redirect to a NO_PROXY-matched host must + // go direct and must NOT carry Proxy-Authorization. + std::atomic proxy_hits{0}; + std::atomic target_hits{0}; + std::atomic target_saw_authz{false}; + + no_proxy_test::ScopedServer proxy_mock, target; + + proxy_mock.svr().Get(".*", [&](const Request &, Response &res) { + proxy_hits++; + res.status = 302; + res.set_header("Location", "http://127.0.0.1:" + + std::to_string(target.port()) + "/landed"); + }); + target.svr().Get(".*", [&](const Request &req, Response &res) { + target_hits++; + if (req.has_header("Proxy-Authorization")) { target_saw_authz = true; } + res.set_content("direct", "text/plain"); + }); + proxy_mock.listen(); + target.listen(); + + Client cli("public.example", target.port()); + cli.set_hostname_addr_map({{"public.example", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", proxy_mock.port()); + cli.set_proxy_basic_auth("u", "p"); + cli.set_no_proxy({"127.0.0.1"}); + cli.set_follow_location(true); + + auto res = cli.Get("/redir"); + ASSERT_TRUE(res); + EXPECT_GE(proxy_hits.load(), 1); + EXPECT_GE(target_hits.load(), 1); + EXPECT_FALSE(target_saw_authz.load()); +} + +#ifdef CPPHTTPLIB_SSL_ENABLED +TEST(NoProxyTest, BypassedTargetReturning407DoesNotLeakProxyDigestCredentials) { + // Direct origin replying 407 must not trigger the digest retry; otherwise + // proxy creds would be sent to the (possibly hostile) origin. + std::atomic target_hits{0}; + std::atomic target_saw_proxy_authz{false}; + + no_proxy_test::ScopedServer target; + target.svr().Get(".*", [&](const Request &req, Response &res) { + target_hits++; + if (req.has_header("Proxy-Authorization")) { + target_saw_proxy_authz = true; + } + res.status = StatusCode::ProxyAuthenticationRequired_407; + res.set_header("Proxy-Authenticate", "Digest realm=\"evil\", qop=\"auth\", " + "nonce=\"abc\", algorithm=MD5"); + }); + target.listen(); + + // The proxy address is set to the target's port: the bypass MUST kick in; + // if it doesn't, the test still routes "via proxy" to the same server and + // the Proxy-Authorization assertion below catches the leak. + Client cli("evil.example", target.port()); + cli.set_hostname_addr_map({{"evil.example", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", target.port()); + cli.set_proxy_digest_auth("proxy-user", "proxy-pass"); + cli.set_no_proxy({"evil.example"}); + + auto res = cli.Get("/x"); + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::ProxyAuthenticationRequired_407, res->status); + EXPECT_EQ(1, target_hits.load()); + EXPECT_FALSE(target_saw_proxy_authz.load()); +} +#endif + +TEST(NoProxyTest, MultiHopRedirectThroughBypassedHostKeepsProxy) { + // A (via proxy) → B (NO_PROXY-matched, direct) → C must re-engage the proxy. + std::atomic proxy_hits{0}; + std::atomic bypass_hits{0}; + std::atomic proxy_saw_c_url{false}; + + no_proxy_test::ScopedServer proxy_mock, bypass_server; + + proxy_mock.svr().Get(".*", [&](const Request &req, Response &res) { + proxy_hits++; + if (req.path.find("/start") != std::string::npos) { + res.status = 302; + res.set_header("Location", "http://127.0.0.1:" + + std::to_string(bypass_server.port()) + + "/middle"); + return; + } + if (req.path.find("/end") != std::string::npos) { + proxy_saw_c_url = true; + res.set_content("c-via-proxy", "text/plain"); + return; + } + res.set_content("unexpected", "text/plain"); + }); + // public.example's "advertised" port is arbitrary (the request never lands + // there — it goes through the proxy), but use a dynamic value to stay + // friendly with sharded parallel runs. + int public_port = bypass_server.port(); + bypass_server.svr().Get(".*", [&](const Request &, Response &res) { + bypass_hits++; + res.status = 302; + res.set_header("Location", "http://public.example:" + + std::to_string(public_port) + "/end"); + }); + proxy_mock.listen(); + bypass_server.listen(); + + Client cli("public.example", public_port); + cli.set_hostname_addr_map({{"public.example", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", proxy_mock.port()); + cli.set_no_proxy({"127.0.0.1"}); + cli.set_follow_location(true); + + auto res = cli.Get("/start"); + ASSERT_TRUE(res); + EXPECT_EQ(StatusCode::OK_200, res->status); + EXPECT_EQ("c-via-proxy", res->body); + EXPECT_GE(proxy_hits.load(), 2); + EXPECT_GE(bypass_hits.load(), 1); + EXPECT_TRUE(proxy_saw_c_url.load()); +} + +TEST(NoProxyTest, KeepAliveSocketInvalidatedOnSetNoProxy) { + // Mid-session set_no_proxy must drop any keep-alive socket so the next + // request reconnects to the correct endpoint. + std::atomic proxy_hits{0}; + std::atomic target_hits{0}; + + no_proxy_test::ScopedServer proxy_mock, target; + + proxy_mock.svr().Get(".*", [&](const Request &, Response &res) { + proxy_hits++; + res.set_content("via-proxy", "text/plain"); + }); + target.svr().Get(".*", [&](const Request &, Response &res) { + target_hits++; + res.set_content("direct", "text/plain"); + }); + proxy_mock.listen(); + target.listen(); + + Client cli("public.example", target.port()); + cli.set_hostname_addr_map({{"public.example", "127.0.0.1"}}); + cli.set_proxy("127.0.0.1", proxy_mock.port()); + cli.set_keep_alive(true); + + auto res1 = cli.Get("/a"); + ASSERT_TRUE(res1); + EXPECT_EQ("via-proxy", res1->body); + EXPECT_EQ(1, proxy_hits.load()); + EXPECT_EQ(0, target_hits.load()); + + cli.set_no_proxy({"public.example"}); + + auto res2 = cli.Get("/b"); + ASSERT_TRUE(res2); + EXPECT_EQ("direct", res2->body); + EXPECT_EQ(1, proxy_hits.load()); + EXPECT_EQ(1, target_hits.load()); +}