Support allowed hosts for migrations to work with proxy (#32025)

wolfogre · web-flow · commit 125679f2e14c · 2024-09-11T05:47:00.000Z
diff --git a/modules/hostmatcher/http.go b/modules/hostmatcher/http.go
@@ -13,11 +13,7 @@ import (
 )
 
 // NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
-func NewDialContext(usage string, allowList, blockList *HostMatchList) func(ctx context.Context, network, addr string) (net.Conn, error) {
-	return NewDialContextWithProxy(usage, allowList, blockList, nil)
-}
-
-func NewDialContextWithProxy(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
+func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
 	// How Go HTTP Client works with redirection:
 	//   transport.RoundTrip URL=http://domain.com, Host=domain.com
 	//   transport.DialContext addrOrHost=domain.com:80
diff --git a/services/migrations/http_client.go b/services/migrations/http_client.go
@@ -24,6 +24,6 @@ func NewMigrationHTTPTransport() *http.Transport {
 	return &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify},
 		Proxy:           proxy.Proxy(),
-		DialContext:     hostmatcher.NewDialContext("migration", allowList, blockList),
+		DialContext:     hostmatcher.NewDialContext("migration", allowList, blockList, setting.Proxy.ProxyURLFixed),
 	}
 }
diff --git a/services/migrations/migrate.go b/services/migrations/migrate.go
@@ -499,9 +499,5 @@ func Init() error {
 	// TODO: at the moment, if ALLOW_LOCALNETWORKS=false, ALLOWED_DOMAINS=domain.com, and domain.com has IP 127.0.0.1, then it's still allowed.
 	// if we want to block such case, the private&loopback should be added to the blockList when ALLOW_LOCALNETWORKS=false
 
-	if setting.Proxy.Enabled && setting.Proxy.ProxyURLFixed != nil {
-		allowList.AppendPattern(setting.Proxy.ProxyURLFixed.Host)
-	}
-
 	return nil
 }
diff --git a/services/webhook/deliver.go b/services/webhook/deliver.go
@@ -303,7 +303,7 @@ func Init() error {
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify},
 			Proxy:           webhookProxy(allowedHostMatcher),
-			DialContext:     hostmatcher.NewDialContextWithProxy("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
+			DialContext:     hostmatcher.NewDialContext("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,6 @@ func NewMigrationHTTPTransport() *http.Transport {`
`24`	`24`	`return &http.Transport{`
`25`	`25`	`TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify},`
`26`	`26`	`Proxy: proxy.Proxy(),`
`27`		`- DialContext: hostmatcher.NewDialContext("migration", allowList, blockList),`
	`27`	`+ DialContext: hostmatcher.NewDialContext("migration", allowList, blockList, setting.Proxy.ProxyURLFixed),`
`28`	`28`	`}`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -499,9 +499,5 @@ func Init() error {`
`499`	`499`	`// TODO: at the moment, if ALLOW_LOCALNETWORKS=false, ALLOWED_DOMAINS=domain.com, and domain.com has IP 127.0.0.1, then it's still allowed.`
`500`	`500`	`// if we want to block such case, the private&loopback should be added to the blockList when ALLOW_LOCALNETWORKS=false`
`501`	`501`
`502`		`- if setting.Proxy.Enabled && setting.Proxy.ProxyURLFixed != nil {`
`503`		`- allowList.AppendPattern(setting.Proxy.ProxyURLFixed.Host)`
`504`		`- }`
`505`		`-`
`506`	`502`	`return nil`
`507`	`503`	`}`
Original file line number	Diff line number	Diff line change
`@@ -303,7 +303,7 @@ func Init() error {`
`303`	`303`	`Transport: &http.Transport{`
`304`	`304`	`TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify},`
`305`	`305`	`Proxy: webhookProxy(allowedHostMatcher),`
`306`		`- DialContext: hostmatcher.NewDialContextWithProxy("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),`
	`306`	`+ DialContext: hostmatcher.NewDialContext("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),`
`307`	`307`	`},`
`308`	`308`	`}`
`309`	`309`