
Support connection to proxy via https scheme #417

Open
xformerfhs opened this issue Jan 5, 2020 · 3 comments

Comments

@xformerfhs

I need to make a connection to a web site via an internet proxy. The proxy requires authentication. libcurl is able to use the https scheme for the connection to the proxy in order to make it possible to send the proxy authentication data in an encrypted form.

Unfortunately in module httpclient.rb, method "proxy=" there are the following lines:

```ruby
if @proxy.scheme == nil or @proxy.scheme.downcase != 'http' or
    @proxy.host == nil or @proxy.port == nil
  raise ArgumentError.new("unsupported proxy #{proxy}")
end
```

So, it explicitly checks whether the scheme is "http" and raises an error if it is "https". This considerably weakens the security of proxy connections as the proxy authentication data are forced to be sent in the clear. As I mentioned already, libcurl supports the https scheme for the proxy connection.

I suggest that this check is modified like this:

```ruby
if @proxy.scheme == nil or
    (@proxy.scheme.downcase != 'http' and @proxy.scheme.downcase != 'https') or
    @proxy.host == nil or @proxy.port == nil
  raise ArgumentError.new("unsupported proxy #{proxy}")
end
```

Please note that this issue is not about the connection to be routed through the proxy. It is about the connection to the proxy itself.

In curl it is possible to call a web site through a proxy like this:

```
curl --proxy https://some.proxy.com:12345 --proxy-user "aproxyuser:aproxypwd" "https://some.destination.com/someParameter"
```

This works and sends the proxy authentication data "aproxyuser:aproxypassword" through a TLS tunnel, so they are secured against eavesdropping.
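As an added illustration, not code from httpclient or from the issue author: the proposed scheme check, followed by what it enables, namely the CONNECT request (with the Proxy-Authorization header) being sent to the proxy over a TLS socket when the proxy URI uses https. The helper names `parse_proxy`, `connect_request` and `open_proxy_socket` are assumed for this example.

```ruby
require 'uri'
require 'socket'
require 'openssl'
require 'base64'

# Accept http:// and https:// proxy URIs (the check the issue proposes) and
# reject everything else with the same ArgumentError httpclient raises.
def parse_proxy(proxy)
  uri = proxy.is_a?(URI) ? proxy : URI.parse(proxy)
  scheme = uri.scheme&.downcase
  if !%w[http https].include?(scheme) || uri.host.nil? || uri.port.nil?
    raise ArgumentError, "unsupported proxy #{proxy}"
  end
  uri
end

# Build the CONNECT request that goes to the proxy. Credentials from the proxy
# URI become a Proxy-Authorization header; with an https:// proxy this header
# travels inside the TLS session to the proxy, with http:// it is plaintext.
def connect_request(proxy_uri, target_host, target_port)
  lines = ["CONNECT #{target_host}:#{target_port} HTTP/1.1",
           "Host: #{target_host}:#{target_port}"]
  if proxy_uri.user
    creds = "#{URI.decode_www_form_component(proxy_uri.user)}:" \
            "#{URI.decode_www_form_component(proxy_uri.password.to_s)}"
    lines << "Proxy-Authorization: Basic #{Base64.strict_encode64(creds)}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Open the socket to the proxy itself (not to the destination); wrap it in
# TLS, with certificate and hostname verification, when the scheme is https.
def open_proxy_socket(proxy_uri, timeout: 10)
  tcp = Socket.tcp(proxy_uri.host, proxy_uri.port, connect_timeout: timeout)
  return tcp unless proxy_uri.scheme.downcase == 'https'
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.verify_hostname = true
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = proxy_uri.host # SNI and the name checked against the cert
  ssl.sync_close = true
  ssl.connect
  ssl
end
```

After `open_proxy_socket` returns, the caller writes `connect_request(...)` to it, reads the proxy's `200` response, and only then starts the TLS handshake with the destination through the tunnel.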

@carlosantoniodasilva

@xformerfhs have you been able to get httpclient working with an https proxy with just that change? I was just trying it locally here and while it works on curl, it doesn't work with httpclient by monkey-patching just that to allow setting https proxy config; it hangs and times out.

I'll look some more, but thought I'd drop a comment here in the meantime (I also know this is a 2+ year old issue so you may not even remember anymore :)

@xformerfhs

xformerfhs commented Jun 7, 2022

@carlosantoniodasilva: Thanks for your comment. I did not actually try that change. I remember that I looked further into this and realized that I would have to dig really deep into ruby's http internals and I did not want to do this. It was meant as a suggestion to the Ruby developers. I really did not (and do not) understand why one would forbid using a secure method and only allow an insecure method.

First I refactored my client to call curl instead of using ruby's http client like this:

```ruby
require 'open3'

# The whole command line is handed to the shell as one string, so requestURI
# and requestParameters must be trusted values (the shell interprets them).
stdoutResult, stderrResult, status = Open3.capture3(
  'curl --connect-timeout 9 --max-time 20 --fail --silent --show-error ' \
  '--proxy "https://some.proxy.com:12345" --proxy-user "aproxyuser:aproxypwd" ' \
  '--header "Accept: application/json, text/javascript, */*; q=0.01" ' \
  '--header "Connection: keep-alive" --header "Accept-Encoding: gzip, deflate" ' \
  '--header "Language: en-US" --write-out "|%{response_code}" ' \
  '"' + requestURI + '?' + requestParameters + '"'
)
```

Finally I switched programming language and implemented my client in Go. That worked perfectly.

@carlosantoniodasilva

@xformerfhs makes sense, thanks for sharing.

I don't think shelling out will be an option for me in this case, but I might give it a shot as well. I am looking into a few other alternatives in the meantime. Thanks again!
