feat: allow http handler to control whether to intercept CONNECT request

Author: omjadas

src/lib.rs

@@ -113,6 +113,11 @@ pub trait HttpHandler: Clone + Send + Sync + 'static {
     async fn handle_response(&mut self, _ctx: &HttpContext, res: Response<Body>) -> Response<Body> {
         res
     }
+
+    /// Whether a CONNECT request should be intercepted. Defaults to `true` for all requests.
+    async fn should_intercept(&mut self, _req: &Request<Body>) -> bool {
+        true
+    }
 }
 
 /// Handler for websocket messages.

src/proxy/internal.rs

@@ -115,7 +115,7 @@ where
         }
     }
 
-    fn process_connect(self, mut req: Request<Body>) -> Result<Response<Body>, hyper::Error> {
+    fn process_connect(mut self, mut req: Request<Body>) -> Result<Response<Body>, hyper::Error> {
         match req.uri().authority().cloned() {
             Some(authority) => {
                 let span = info_span!("process_connect");
@@ -136,60 +136,66 @@ where
                                 bytes::Bytes::copy_from_slice(buffer[..bytes_read].as_ref()),
                             );
 
-                            if buffer == *b"GET " {
-                                if let Err(e) =
-                                    self.serve_stream(upgraded, Scheme::HTTP, authority).await
-                                {
-                                    error!("Websocket connect error: {}", e);
-                                }
-                            } else if buffer[..2] == *b"\x16\x03" {
-                                let server_config = self
-                                    .ca
-                                    .gen_server_config(&authority)
-                                    .instrument(info_span!("gen_server_config"))
-                                    .await;
-
-                                let stream =
-                                    match TlsAcceptor::from(server_config).accept(upgraded).await {
+                            if self.http_handler.should_intercept(&req).await {
+                                if buffer == *b"GET " {
+                                    if let Err(e) =
+                                        self.serve_stream(upgraded, Scheme::HTTP, authority).await
+                                    {
+                                        error!("Websocket connect error: {}", e);
+                                    }
+
+                                    return;
+                                } else if buffer[..2] == *b"\x16\x03" {
+                                    let server_config = self
+                                        .ca
+                                        .gen_server_config(&authority)
+                                        .instrument(info_span!("gen_server_config"))
+                                        .await;
+
+                                    let stream = match TlsAcceptor::from(server_config)
+                                        .accept(upgraded)
+                                        .await
+                                    {
                                         Ok(stream) => stream,
                                         Err(e) => {
                                             error!("Failed to establish TLS connection: {}", e);
                                             return;
                                         }
                                     };
 
-                                if let Err(e) =
-                                    self.serve_stream(stream, Scheme::HTTPS, authority).await
-                                {
-                                    if !e.to_string().starts_with("error shutting down connection")
+                                    if let Err(e) =
+                                        self.serve_stream(stream, Scheme::HTTPS, authority).await
                                     {
-                                        error!("HTTPS connect error: {}", e);
-                                    }
-                                }
-                            } else {
-                                warn!(
-                                    "Unknown protocol, read '{:02X?}' from upgraded connection",
-                                    &buffer[..bytes_read]
-                                );
-
-                                let mut server = match TcpStream::connect(authority.as_ref()).await
-                                {
-                                    Ok(server) => server,
-                                    Err(e) => {
-                                        error!("Failed to connect to {}: {}", authority, e);
-                                        return;
+                                        if !e
+                                            .to_string()
+                                            .starts_with("error shutting down connection")
+                                        {
+                                            error!("HTTPS connect error: {}", e);
+                                        }
                                     }
-                                };
-
-                                if let Err(e) =
-                                    tokio::io::copy_bidirectional(&mut upgraded, &mut server).await
-                                {
-                                    error!(
-                                        "Failed to tunnel unknown protocol to {}: {}",
-                                        authority, e
+
+                                    return;
+                                } else {
+                                    warn!(
+                                        "Unknown protocol, read '{:02X?}' from upgraded connection",
+                                        &buffer[..bytes_read]
                                     );
                                 }
                             }
+
+                            let mut server = match TcpStream::connect(authority.as_ref()).await {
+                                Ok(server) => server,
+                                Err(e) => {
+                                    error!("Failed to connect to {}: {}", authority, e);
+                                    return;
+                                }
+                            };
+
+                            if let Err(e) =
+                                tokio::io::copy_bidirectional(&mut upgraded, &mut server).await
+                            {
+                                error!("Failed to tunnel to {}: {}", authority, e);
+                            }
                         }
                         Err(e) => error!("Upgrade error: {}", e),
                     };

tests/common/mod.rs

@@ -113,6 +113,14 @@ pub async fn start_https_server(
     Ok((addr, tx))
 }
 
+pub fn http_client() -> Client<HttpConnector> {
+    Client::new()
+}
+
+pub fn plain_websocket_connector() -> tokio_tungstenite::Connector {
+    tokio_tungstenite::Connector::Plain
+}
+
 fn rustls_client_config() -> rustls::ClientConfig {
     let mut roots = rustls::RootCertStore::empty();
 
@@ -174,37 +182,57 @@ pub fn native_tls_client() -> Client<hyper_tls::HttpsConnector<HttpConnector>> {
     Client::builder().build(https)
 }
 
-type TestHandlers = (TestHttpHandler, TestWebSocketHandler);
-
 pub fn start_proxy<C>(
     ca: impl CertificateAuthority,
     client: Client<C>,
     websocket_connector: tokio_tungstenite::Connector,
-) -> Result<(SocketAddr, TestHandlers, Sender<()>), Box<dyn std::error::Error>>
+) -> Result<(SocketAddr, TestHandler, Sender<()>), Box<dyn std::error::Error>>
+where
+    C: Connect + Clone + Send + Sync + 'static,
+{
+    _start_proxy(ca, client, websocket_connector, true)
+}
+
+pub fn start_proxy_without_intercept<C>(
+    ca: impl CertificateAuthority,
+    client: Client<C>,
+    websocket_connector: tokio_tungstenite::Connector,
+) -> Result<(SocketAddr, TestHandler, Sender<()>), Box<dyn std::error::Error>>
+where
+    C: Connect + Clone + Send + Sync + 'static,
+{
+    _start_proxy(ca, client, websocket_connector, false)
+}
+
+fn _start_proxy<C>(
+    ca: impl CertificateAuthority,
+    client: Client<C>,
+    websocket_connector: tokio_tungstenite::Connector,
+    should_intercept: bool,
+) -> Result<(SocketAddr, TestHandler, Sender<()>), Box<dyn std::error::Error>>
 where
     C: Connect + Clone + Send + Sync + 'static,
 {
     let listener = TcpListener::bind(SocketAddr::from(([127, 0, 0, 1], 0)))?;
     let addr = listener.local_addr()?;
     let (tx, rx) = tokio::sync::oneshot::channel();
 
-    let http_handler = TestHttpHandler::new();
-    let websocket_handler = TestWebSocketHandler::new();
+    let handler = TestHandler::new(should_intercept);
 
     let proxy = Proxy::builder()
         .with_listener(listener)
         .with_client(client)
         .with_ca(ca)
-        .with_http_handler(http_handler.clone())
-        .with_websocket_handler(websocket_handler.clone())
+        .with_http_handler(handler.clone())
+        .with_websocket_handler(handler.clone())
         .with_websocket_connector(websocket_connector)
         .build();
 
     tokio::spawn(proxy.start(async {
         rx.await.unwrap_or_default();
     }));
 
-    Ok((addr, (http_handler, websocket_handler), tx))
+    Ok((addr, handler, tx))
 }
 
 pub fn start_noop_proxy(
@@ -242,22 +270,26 @@ pub fn build_client(proxy: &str) -> reqwest::Client {
 }
 
 #[derive(Clone)]
-pub struct TestHttpHandler {
+pub struct TestHandler {
     pub request_counter: Arc<AtomicUsize>,
     pub response_counter: Arc<AtomicUsize>,
+    pub message_counter: Arc<AtomicUsize>,
+    pub should_intercept: bool,
 }
 
-impl TestHttpHandler {
-    pub fn new() -> Self {
+impl TestHandler {
+    pub fn new(should_intercept: bool) -> Self {
         Self {
             request_counter: Arc::new(AtomicUsize::new(0)),
             response_counter: Arc::new(AtomicUsize::new(0)),
+            message_counter: Arc::new(AtomicUsize::new(0)),
+            should_intercept,
         }
     }
 }
 
 #[async_trait]
-impl HttpHandler for TestHttpHandler {
+impl HttpHandler for TestHandler {
     async fn handle_request(
         &mut self,
         _ctx: &HttpContext,
@@ -272,23 +304,14 @@ impl HttpHandler for TestHttpHandler {
         self.response_counter.fetch_add(1, Ordering::Relaxed);
         decode_response(res).unwrap()
     }
-}
 
-#[derive(Clone)]
-pub struct TestWebSocketHandler {
-    pub message_counter: Arc<AtomicUsize>,
-}
-
-impl TestWebSocketHandler {
-    pub fn new() -> Self {
-        Self {
-            message_counter: Arc::new(AtomicUsize::new(0)),
-        }
+    async fn should_intercept(&mut self, _req: &Request<Body>) -> bool {
+        self.should_intercept
     }
 }
 
 #[async_trait]
-impl WebSocketHandler for TestWebSocketHandler {
+impl WebSocketHandler for TestHandler {
     async fn handle_message(&mut self, _ctx: &WebSocketContext, msg: Message) -> Option<Message> {
         self.message_counter.fetch_add(1, Ordering::Relaxed);
         Some(msg)

tests/openssl_ca.rs

@@ -18,7 +18,7 @@ fn build_ca() -> OpensslAuthority {
 
 #[tokio::test]
 async fn https_rustls() {
-    let (proxy_addr, (http_handler, _), stop_proxy) = common::start_proxy(
+    let (proxy_addr, handler, stop_proxy) = common::start_proxy(
         build_ca(),
         common::rustls_client(),
         common::rustls_websocket_connector(),
@@ -35,16 +35,16 @@ async fn https_rustls() {
         .unwrap();
 
     assert_eq!(res.status(), 200);
-    assert_eq!(http_handler.request_counter.load(Ordering::Relaxed), 2);
-    assert_eq!(http_handler.response_counter.load(Ordering::Relaxed), 1);
+    assert_eq!(handler.request_counter.load(Ordering::Relaxed), 2);
+    assert_eq!(handler.response_counter.load(Ordering::Relaxed), 1);
 
     stop_server.send(()).unwrap();
     stop_proxy.send(()).unwrap();
 }
 
 #[tokio::test]
 async fn https_native_tls() {
-    let (proxy_addr, (http_handler, _), stop_proxy) = common::start_proxy(
+    let (proxy_addr, handler, stop_proxy) = common::start_proxy(
         build_ca(),
         common::native_tls_client(),
         common::native_tls_websocket_connector(),
@@ -61,8 +61,34 @@ async fn https_native_tls() {
         .unwrap();
 
     assert_eq!(res.status(), 200);
-    assert_eq!(http_handler.request_counter.load(Ordering::Relaxed), 2);
-    assert_eq!(http_handler.response_counter.load(Ordering::Relaxed), 1);
+    assert_eq!(handler.request_counter.load(Ordering::Relaxed), 2);
+    assert_eq!(handler.response_counter.load(Ordering::Relaxed), 1);
+
+    stop_server.send(()).unwrap();
+    stop_proxy.send(()).unwrap();
+}
+
+#[tokio::test]
+async fn without_intercept() {
+    let (proxy_addr, handler, stop_proxy) = common::start_proxy_without_intercept(
+        build_ca(),
+        common::http_client(),
+        common::plain_websocket_connector(),
+    )
+    .unwrap();
+
+    let (server_addr, stop_server) = common::start_https_server(build_ca()).await.unwrap();
+    let client = common::build_client(&proxy_addr.to_string());
+
+    let res = client
+        .get(format!("https://localhost:{}/hello", server_addr.port()))
+        .send()
+        .await
+        .unwrap();
+
+    assert_eq!(res.status(), 200);
+    assert_eq!(handler.request_counter.load(Ordering::Relaxed), 1);
+    assert_eq!(handler.response_counter.load(Ordering::Relaxed), 0);
 
     stop_server.send(()).unwrap();
     stop_proxy.send(()).unwrap();