From ddaa9d2436e862146fe099d7d9dc06238b3c6ec4 Mon Sep 17 00:00:00 2001 From: Luis Pater Date: Wed, 11 Mar 2026 11:08:02 +0800 Subject: [PATCH] Fixed: #2034 feat(proxy): centralize proxy handling with `proxyutil` package and enhance test coverage - Added `proxyutil` package to simplify proxy handling across the codebase. - Refactored various components (`executor`, `cliproxy`, `auth`, etc.) to use `proxyutil` for consistent and reusable proxy logic. - Introduced support for "direct" proxy mode to explicitly bypass all proxies. - Updated tests to validate proxy behavior (e.g., `direct`, HTTP/HTTPS, and SOCKS5). - Enhanced YAML configuration documentation for proxy options. --- config.example.yaml | 6 + internal/api/handlers/management/api_tools.go | 46 +---- .../api/handlers/management/api_tools_test.go | 183 ++++-------------- .../handlers/management/test_store_test.go | 49 +++++ internal/auth/claude/utls_transport.go | 19 +- internal/auth/gemini/gemini_auth.go | 40 +--- .../executor/codex_websockets_executor.go | 28 ++- .../codex_websockets_executor_test.go | 16 ++ internal/runtime/executor/proxy_helpers.go | 45 +---- .../runtime/executor/proxy_helpers_test.go | 30 +++ internal/util/proxy.go | 41 +--- sdk/cliproxy/rtprovider.go | 36 +--- sdk/cliproxy/rtprovider_test.go | 22 +++ sdk/proxyutil/proxy.go | 139 +++++++++++++ sdk/proxyutil/proxy_test.go | 89 +++++++++ 15 files changed, 442 insertions(+), 347 deletions(-) create mode 100644 internal/api/handlers/management/test_store_test.go create mode 100644 internal/runtime/executor/proxy_helpers_test.go create mode 100644 sdk/cliproxy/rtprovider_test.go create mode 100644 sdk/proxyutil/proxy.go create mode 100644 sdk/proxyutil/proxy_test.go diff --git a/config.example.yaml b/config.example.yaml index 348aabd8..a75b69f0 100644 --- a/config.example.yaml +++ b/config.example.yaml @@ -63,6 +63,7 @@ error-logs-max-files: 10 usage-statistics-enabled: false # Proxy URL. Supports socks5/http/https protocols. Example: socks5://user:pass@192.168.1.1:1080/ +# Per-entry proxy-url also supports "direct" or "none" to bypass both the global proxy-url and environment proxies explicitly. proxy-url: "" # When true, unprefixed model requests only use credentials without a prefix (except when prefix == model name). @@ -110,6 +111,7 @@ nonstream-keepalive-interval: 0 # headers: # X-Custom-Header: "custom-value" # proxy-url: "socks5://proxy.example.com:1080" +# # proxy-url: "direct" # optional: explicit direct connect for this credential # models: # - name: "gemini-2.5-flash" # upstream model name # alias: "gemini-flash" # client alias mapped to the upstream model @@ -128,6 +130,7 @@ nonstream-keepalive-interval: 0 # headers: # X-Custom-Header: "custom-value" # proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override +# # proxy-url: "direct" # optional: explicit direct connect for this credential # models: # - name: "gpt-5-codex" # upstream model name # alias: "codex-latest" # client alias mapped to the upstream model @@ -146,6 +149,7 @@ nonstream-keepalive-interval: 0 # headers: # X-Custom-Header: "custom-value" # proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override +# # proxy-url: "direct" # optional: explicit direct connect for this credential # models: # - name: "claude-3-5-sonnet-20241022" # upstream model name # alias: "claude-sonnet-latest" # client alias mapped to the upstream model @@ -183,6 +187,7 @@ nonstream-keepalive-interval: 0 # api-key-entries: # - api-key: "sk-or-v1-...b780" # proxy-url: "socks5://proxy.example.com:1080" # optional: per-key proxy override +# # proxy-url: "direct" # optional: explicit direct connect for this credential # - api-key: "sk-or-v1-...b781" # without proxy-url # models: # The models supported by the provider. # - name: "moonshotai/kimi-k2:free" # The actual model name. @@ -205,6 +210,7 @@ nonstream-keepalive-interval: 0 # prefix: "test" # optional: require calls like "test/vertex-pro" to target this credential # base-url: "https://example.com/api" # e.g. https://zenmux.ai/api # proxy-url: "socks5://proxy.example.com:1080" # optional per-key proxy override +# # proxy-url: "direct" # optional: explicit direct connect for this credential # headers: # X-Custom-Header: "custom-value" # models: # optional: map aliases to upstream model names diff --git a/internal/api/handlers/management/api_tools.go b/internal/api/handlers/management/api_tools.go index c7846a75..de546ea8 100644 --- a/internal/api/handlers/management/api_tools.go +++ b/internal/api/handlers/management/api_tools.go @@ -5,7 +5,6 @@ import ( "encoding/json" "fmt" "io" - "net" "net/http" "net/url" "strings" @@ -14,8 +13,8 @@ import ( "github.com/gin-gonic/gin" "github.com/router-for-me/CLIProxyAPI/v6/internal/runtime/geminicli" coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" - "golang.org/x/net/proxy" "golang.org/x/oauth2" "golang.org/x/oauth2/google" ) @@ -660,45 +659,10 @@ func (h *Handler) apiCallTransport(auth *coreauth.Auth) http.RoundTripper { } func buildProxyTransport(proxyStr string) *http.Transport { - proxyStr = strings.TrimSpace(proxyStr) - if proxyStr == "" { + transport, _, errBuild := proxyutil.BuildHTTPTransport(proxyStr) + if errBuild != nil { + log.WithError(errBuild).Debug("build proxy transport failed") return nil } - - proxyURL, errParse := url.Parse(proxyStr) - if errParse != nil { - log.WithError(errParse).Debug("parse proxy URL failed") - return nil - } - if proxyURL.Scheme == "" || proxyURL.Host == "" { - log.Debug("proxy URL missing scheme/host") - return nil - } - - if proxyURL.Scheme == "socks5" { - var proxyAuth *proxy.Auth - if proxyURL.User != nil { - username := proxyURL.User.Username() - password, _ := proxyURL.User.Password() - proxyAuth = &proxy.Auth{User: username, Password: password} - } - dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, proxyAuth, proxy.Direct) - if errSOCKS5 != nil { - log.WithError(errSOCKS5).Debug("create SOCKS5 dialer failed") - return nil - } - return &http.Transport{ - Proxy: nil, - DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.Dial(network, addr) - }, - } - } - - if proxyURL.Scheme == "http" || proxyURL.Scheme == "https" { - return &http.Transport{Proxy: http.ProxyURL(proxyURL)} - } - - log.Debugf("unsupported proxy scheme: %s", proxyURL.Scheme) - return nil + return transport } diff --git a/internal/api/handlers/management/api_tools_test.go b/internal/api/handlers/management/api_tools_test.go index fecbee9c..5b0c6369 100644 --- a/internal/api/handlers/management/api_tools_test.go +++ b/internal/api/handlers/management/api_tools_test.go @@ -1,173 +1,58 @@ package management import ( - "context" - "encoding/json" - "io" "net/http" - "net/http/httptest" - "net/url" - "strings" - "sync" "testing" - "time" + "github.com/router-for-me/CLIProxyAPI/v6/internal/config" coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config" ) -type memoryAuthStore struct { - mu sync.Mutex - items map[string]*coreauth.Auth -} +func TestAPICallTransportDirectBypassesGlobalProxy(t *testing.T) { + t.Parallel() -func (s *memoryAuthStore) List(ctx context.Context) ([]*coreauth.Auth, error) { - _ = ctx - s.mu.Lock() - defer s.mu.Unlock() - out := make([]*coreauth.Auth, 0, len(s.items)) - for _, a := range s.items { - out = append(out, a.Clone()) - } - return out, nil -} - -func (s *memoryAuthStore) Save(ctx context.Context, auth *coreauth.Auth) (string, error) { - _ = ctx - if auth == nil { - return "", nil - } - s.mu.Lock() - if s.items == nil { - s.items = make(map[string]*coreauth.Auth) - } - s.items[auth.ID] = auth.Clone() - s.mu.Unlock() - return auth.ID, nil -} - -func (s *memoryAuthStore) Delete(ctx context.Context, id string) error { - _ = ctx - s.mu.Lock() - delete(s.items, id) - s.mu.Unlock() - return nil -} - -func TestResolveTokenForAuth_Antigravity_RefreshesExpiredToken(t *testing.T) { - var callCount int - srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - callCount++ - if r.Method != http.MethodPost { - t.Fatalf("expected POST, got %s", r.Method) - } - if ct := r.Header.Get("Content-Type"); !strings.HasPrefix(ct, "application/x-www-form-urlencoded") { - t.Fatalf("unexpected content-type: %s", ct) - } - bodyBytes, _ := io.ReadAll(r.Body) - _ = r.Body.Close() - values, err := url.ParseQuery(string(bodyBytes)) - if err != nil { - t.Fatalf("parse form: %v", err) - } - if values.Get("grant_type") != "refresh_token" { - t.Fatalf("unexpected grant_type: %s", values.Get("grant_type")) - } - if values.Get("refresh_token") != "rt" { - t.Fatalf("unexpected refresh_token: %s", values.Get("refresh_token")) - } - if values.Get("client_id") != antigravityOAuthClientID { - t.Fatalf("unexpected client_id: %s", values.Get("client_id")) - } - if values.Get("client_secret") != antigravityOAuthClientSecret { - t.Fatalf("unexpected client_secret") - } - - w.Header().Set("Content-Type", "application/json") - _ = json.NewEncoder(w).Encode(map[string]any{ - "access_token": "new-token", - "refresh_token": "rt2", - "expires_in": int64(3600), - "token_type": "Bearer", - }) - })) - t.Cleanup(srv.Close) - - originalURL := antigravityOAuthTokenURL - antigravityOAuthTokenURL = srv.URL - t.Cleanup(func() { antigravityOAuthTokenURL = originalURL }) - - store := &memoryAuthStore{} - manager := coreauth.NewManager(store, nil, nil) - - auth := &coreauth.Auth{ - ID: "antigravity-test.json", - FileName: "antigravity-test.json", - Provider: "antigravity", - Metadata: map[string]any{ - "type": "antigravity", - "access_token": "old-token", - "refresh_token": "rt", - "expires_in": int64(3600), - "timestamp": time.Now().Add(-2 * time.Hour).UnixMilli(), - "expired": time.Now().Add(-1 * time.Hour).Format(time.RFC3339), + h := &Handler{ + cfg: &config.Config{ + SDKConfig: sdkconfig.SDKConfig{ProxyURL: "http://global-proxy.example.com:8080"}, }, } - if _, err := manager.Register(context.Background(), auth); err != nil { - t.Fatalf("register auth: %v", err) - } - h := &Handler{authManager: manager} - token, err := h.resolveTokenForAuth(context.Background(), auth) - if err != nil { - t.Fatalf("resolveTokenForAuth: %v", err) + transport := h.apiCallTransport(&coreauth.Auth{ProxyURL: "direct"}) + httpTransport, ok := transport.(*http.Transport) + if !ok { + t.Fatalf("transport type = %T, want *http.Transport", transport) } - if token != "new-token" { - t.Fatalf("expected refreshed token, got %q", token) - } - if callCount != 1 { - t.Fatalf("expected 1 refresh call, got %d", callCount) - } - - updated, ok := manager.GetByID(auth.ID) - if !ok || updated == nil { - t.Fatalf("expected auth in manager after update") - } - if got := tokenValueFromMetadata(updated.Metadata); got != "new-token" { - t.Fatalf("expected manager metadata updated, got %q", got) + if httpTransport.Proxy != nil { + t.Fatal("expected direct transport to disable proxy function") } } -func TestResolveTokenForAuth_Antigravity_SkipsRefreshWhenTokenValid(t *testing.T) { - var callCount int - srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - callCount++ - w.WriteHeader(http.StatusInternalServerError) - })) - t.Cleanup(srv.Close) +func TestAPICallTransportInvalidAuthFallsBackToGlobalProxy(t *testing.T) { + t.Parallel() - originalURL := antigravityOAuthTokenURL - antigravityOAuthTokenURL = srv.URL - t.Cleanup(func() { antigravityOAuthTokenURL = originalURL }) - - auth := &coreauth.Auth{ - ID: "antigravity-valid.json", - FileName: "antigravity-valid.json", - Provider: "antigravity", - Metadata: map[string]any{ - "type": "antigravity", - "access_token": "ok-token", - "expired": time.Now().Add(30 * time.Minute).Format(time.RFC3339), + h := &Handler{ + cfg: &config.Config{ + SDKConfig: sdkconfig.SDKConfig{ProxyURL: "http://global-proxy.example.com:8080"}, }, } - h := &Handler{} - token, err := h.resolveTokenForAuth(context.Background(), auth) - if err != nil { - t.Fatalf("resolveTokenForAuth: %v", err) + + transport := h.apiCallTransport(&coreauth.Auth{ProxyURL: "bad-value"}) + httpTransport, ok := transport.(*http.Transport) + if !ok { + t.Fatalf("transport type = %T, want *http.Transport", transport) } - if token != "ok-token" { - t.Fatalf("expected existing token, got %q", token) + + req, errRequest := http.NewRequest(http.MethodGet, "https://example.com", nil) + if errRequest != nil { + t.Fatalf("http.NewRequest returned error: %v", errRequest) } - if callCount != 0 { - t.Fatalf("expected no refresh calls, got %d", callCount) + + proxyURL, errProxy := httpTransport.Proxy(req) + if errProxy != nil { + t.Fatalf("httpTransport.Proxy returned error: %v", errProxy) + } + if proxyURL == nil || proxyURL.String() != "http://global-proxy.example.com:8080" { + t.Fatalf("proxy URL = %v, want http://global-proxy.example.com:8080", proxyURL) } } diff --git a/internal/api/handlers/management/test_store_test.go b/internal/api/handlers/management/test_store_test.go new file mode 100644 index 00000000..cf7dbaf7 --- /dev/null +++ b/internal/api/handlers/management/test_store_test.go @@ -0,0 +1,49 @@ +package management + +import ( + "context" + "sync" + + coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" +) + +type memoryAuthStore struct { + mu sync.Mutex + items map[string]*coreauth.Auth +} + +func (s *memoryAuthStore) List(_ context.Context) ([]*coreauth.Auth, error) { + s.mu.Lock() + defer s.mu.Unlock() + + out := make([]*coreauth.Auth, 0, len(s.items)) + for _, item := range s.items { + out = append(out, item) + } + return out, nil +} + +func (s *memoryAuthStore) Save(_ context.Context, auth *coreauth.Auth) (string, error) { + if auth == nil { + return "", nil + } + + s.mu.Lock() + defer s.mu.Unlock() + + if s.items == nil { + s.items = make(map[string]*coreauth.Auth) + } + s.items[auth.ID] = auth + return auth.ID, nil +} + +func (s *memoryAuthStore) Delete(_ context.Context, id string) error { + s.mu.Lock() + defer s.mu.Unlock() + + delete(s.items, id) + return nil +} + +func (s *memoryAuthStore) SetBaseDir(string) {} diff --git a/internal/auth/claude/utls_transport.go b/internal/auth/claude/utls_transport.go index 27ec87e1..88b69c9b 100644 --- a/internal/auth/claude/utls_transport.go +++ b/internal/auth/claude/utls_transport.go @@ -4,12 +4,12 @@ package claude import ( "net/http" - "net/url" "strings" "sync" tls "github.com/refraction-networking/utls" "github.com/router-for-me/CLIProxyAPI/v6/sdk/config" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" "golang.org/x/net/http2" "golang.org/x/net/proxy" @@ -31,17 +31,12 @@ type utlsRoundTripper struct { // newUtlsRoundTripper creates a new utls-based round tripper with optional proxy support func newUtlsRoundTripper(cfg *config.SDKConfig) *utlsRoundTripper { var dialer proxy.Dialer = proxy.Direct - if cfg != nil && cfg.ProxyURL != "" { - proxyURL, err := url.Parse(cfg.ProxyURL) - if err != nil { - log.Errorf("failed to parse proxy URL %q: %v", cfg.ProxyURL, err) - } else { - pDialer, err := proxy.FromURL(proxyURL, proxy.Direct) - if err != nil { - log.Errorf("failed to create proxy dialer for %q: %v", cfg.ProxyURL, err) - } else { - dialer = pDialer - } + if cfg != nil { + proxyDialer, mode, errBuild := proxyutil.BuildDialer(cfg.ProxyURL) + if errBuild != nil { + log.Errorf("failed to configure proxy dialer for %q: %v", cfg.ProxyURL, errBuild) + } else if mode != proxyutil.ModeInherit && proxyDialer != nil { + dialer = proxyDialer } } diff --git a/internal/auth/gemini/gemini_auth.go b/internal/auth/gemini/gemini_auth.go index 6406a0e1..c459c5ca 100644 --- a/internal/auth/gemini/gemini_auth.go +++ b/internal/auth/gemini/gemini_auth.go @@ -10,9 +10,7 @@ import ( "errors" "fmt" "io" - "net" "net/http" - "net/url" "time" "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/codex" @@ -20,9 +18,9 @@ import ( "github.com/router-for-me/CLIProxyAPI/v6/internal/config" "github.com/router-for-me/CLIProxyAPI/v6/internal/misc" "github.com/router-for-me/CLIProxyAPI/v6/internal/util" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" "github.com/tidwall/gjson" - "golang.org/x/net/proxy" "golang.org/x/oauth2" "golang.org/x/oauth2/google" @@ -80,36 +78,16 @@ func (g *GeminiAuth) GetAuthenticatedClient(ctx context.Context, ts *GeminiToken } callbackURL := fmt.Sprintf("http://localhost:%d/oauth2callback", callbackPort) - // Configure proxy settings for the HTTP client if a proxy URL is provided. - proxyURL, err := url.Parse(cfg.ProxyURL) - if err == nil { - var transport *http.Transport - if proxyURL.Scheme == "socks5" { - // Handle SOCKS5 proxy. - username := proxyURL.User.Username() - password, _ := proxyURL.User.Password() - auth := &proxy.Auth{User: username, Password: password} - dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, auth, proxy.Direct) - if errSOCKS5 != nil { - log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5) - return nil, fmt.Errorf("create SOCKS5 dialer failed: %w", errSOCKS5) - } - transport = &http.Transport{ - DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.Dial(network, addr) - }, - } - } else if proxyURL.Scheme == "http" || proxyURL.Scheme == "https" { - // Handle HTTP/HTTPS proxy. - transport = &http.Transport{Proxy: http.ProxyURL(proxyURL)} - } - - if transport != nil { - proxyClient := &http.Client{Transport: transport} - ctx = context.WithValue(ctx, oauth2.HTTPClient, proxyClient) - } + transport, _, errBuild := proxyutil.BuildHTTPTransport(cfg.ProxyURL) + if errBuild != nil { + log.Errorf("%v", errBuild) + } else if transport != nil { + proxyClient := &http.Client{Transport: transport} + ctx = context.WithValue(ctx, oauth2.HTTPClient, proxyClient) } + var err error + // Configure the OAuth2 client. conf := &oauth2.Config{ ClientID: ClientID, diff --git a/internal/runtime/executor/codex_websockets_executor.go b/internal/runtime/executor/codex_websockets_executor.go index 1f340050..42a9e797 100644 --- a/internal/runtime/executor/codex_websockets_executor.go +++ b/internal/runtime/executor/codex_websockets_executor.go @@ -23,6 +23,7 @@ import ( "github.com/router-for-me/CLIProxyAPI/v6/internal/util" cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator" log "github.com/sirupsen/logrus" "github.com/tidwall/gjson" @@ -705,21 +706,30 @@ func newProxyAwareWebsocketDialer(cfg *config.Config, auth *cliproxyauth.Auth) * return dialer } - parsedURL, errParse := url.Parse(proxyURL) + setting, errParse := proxyutil.Parse(proxyURL) if errParse != nil { - log.Errorf("codex websockets executor: parse proxy URL failed: %v", errParse) + log.Errorf("codex websockets executor: %v", errParse) return dialer } - switch parsedURL.Scheme { + switch setting.Mode { + case proxyutil.ModeDirect: + dialer.Proxy = nil + return dialer + case proxyutil.ModeProxy: + default: + return dialer + } + + switch setting.URL.Scheme { case "socks5": var proxyAuth *proxy.Auth - if parsedURL.User != nil { - username := parsedURL.User.Username() - password, _ := parsedURL.User.Password() + if setting.URL.User != nil { + username := setting.URL.User.Username() + password, _ := setting.URL.User.Password() proxyAuth = &proxy.Auth{User: username, Password: password} } - socksDialer, errSOCKS5 := proxy.SOCKS5("tcp", parsedURL.Host, proxyAuth, proxy.Direct) + socksDialer, errSOCKS5 := proxy.SOCKS5("tcp", setting.URL.Host, proxyAuth, proxy.Direct) if errSOCKS5 != nil { log.Errorf("codex websockets executor: create SOCKS5 dialer failed: %v", errSOCKS5) return dialer @@ -729,9 +739,9 @@ func newProxyAwareWebsocketDialer(cfg *config.Config, auth *cliproxyauth.Auth) * return socksDialer.Dial(network, addr) } case "http", "https": - dialer.Proxy = http.ProxyURL(parsedURL) + dialer.Proxy = http.ProxyURL(setting.URL) default: - log.Errorf("codex websockets executor: unsupported proxy scheme: %s", parsedURL.Scheme) + log.Errorf("codex websockets executor: unsupported proxy scheme: %s", setting.URL.Scheme) } return dialer diff --git a/internal/runtime/executor/codex_websockets_executor_test.go b/internal/runtime/executor/codex_websockets_executor_test.go index 1fd68513..20d44581 100644 --- a/internal/runtime/executor/codex_websockets_executor_test.go +++ b/internal/runtime/executor/codex_websockets_executor_test.go @@ -5,6 +5,9 @@ import ( "net/http" "testing" + "github.com/router-for-me/CLIProxyAPI/v6/internal/config" + cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config" "github.com/tidwall/gjson" ) @@ -34,3 +37,16 @@ func TestApplyCodexWebsocketHeadersDefaultsToCurrentResponsesBeta(t *testing.T) t.Fatalf("OpenAI-Beta = %s, want %s", got, codexResponsesWebsocketBetaHeaderValue) } } + +func TestNewProxyAwareWebsocketDialerDirectDisablesProxy(t *testing.T) { + t.Parallel() + + dialer := newProxyAwareWebsocketDialer( + &config.Config{SDKConfig: sdkconfig.SDKConfig{ProxyURL: "http://global-proxy.example.com:8080"}}, + &cliproxyauth.Auth{ProxyURL: "direct"}, + ) + + if dialer.Proxy != nil { + t.Fatal("expected websocket proxy function to be nil for direct mode") + } +} diff --git a/internal/runtime/executor/proxy_helpers.go b/internal/runtime/executor/proxy_helpers.go index ab0f626a..5511497b 100644 --- a/internal/runtime/executor/proxy_helpers.go +++ b/internal/runtime/executor/proxy_helpers.go @@ -2,16 +2,14 @@ package executor import ( "context" - "net" "net/http" - "net/url" "strings" "time" "github.com/router-for-me/CLIProxyAPI/v6/internal/config" cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" - "golang.org/x/net/proxy" ) // newProxyAwareHTTPClient creates an HTTP client with proper proxy configuration priority: @@ -72,45 +70,10 @@ func newProxyAwareHTTPClient(ctx context.Context, cfg *config.Config, auth *clip // Returns: // - *http.Transport: A configured transport, or nil if the proxy URL is invalid func buildProxyTransport(proxyURL string) *http.Transport { - if proxyURL == "" { + transport, _, errBuild := proxyutil.BuildHTTPTransport(proxyURL) + if errBuild != nil { + log.Errorf("%v", errBuild) return nil } - - parsedURL, errParse := url.Parse(proxyURL) - if errParse != nil { - log.Errorf("parse proxy URL failed: %v", errParse) - return nil - } - - var transport *http.Transport - - // Handle different proxy schemes - if parsedURL.Scheme == "socks5" { - // Configure SOCKS5 proxy with optional authentication - var proxyAuth *proxy.Auth - if parsedURL.User != nil { - username := parsedURL.User.Username() - password, _ := parsedURL.User.Password() - proxyAuth = &proxy.Auth{User: username, Password: password} - } - dialer, errSOCKS5 := proxy.SOCKS5("tcp", parsedURL.Host, proxyAuth, proxy.Direct) - if errSOCKS5 != nil { - log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5) - return nil - } - // Set up a custom transport using the SOCKS5 dialer - transport = &http.Transport{ - DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.Dial(network, addr) - }, - } - } else if parsedURL.Scheme == "http" || parsedURL.Scheme == "https" { - // Configure HTTP or HTTPS proxy - transport = &http.Transport{Proxy: http.ProxyURL(parsedURL)} - } else { - log.Errorf("unsupported proxy scheme: %s", parsedURL.Scheme) - return nil - } - return transport } diff --git a/internal/runtime/executor/proxy_helpers_test.go b/internal/runtime/executor/proxy_helpers_test.go new file mode 100644 index 00000000..4ae5c937 --- /dev/null +++ b/internal/runtime/executor/proxy_helpers_test.go @@ -0,0 +1,30 @@ +package executor + +import ( + "context" + "net/http" + "testing" + + "github.com/router-for-me/CLIProxyAPI/v6/internal/config" + cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + sdkconfig "github.com/router-for-me/CLIProxyAPI/v6/sdk/config" +) + +func TestNewProxyAwareHTTPClientDirectBypassesGlobalProxy(t *testing.T) { + t.Parallel() + + client := newProxyAwareHTTPClient( + context.Background(), + &config.Config{SDKConfig: sdkconfig.SDKConfig{ProxyURL: "http://global-proxy.example.com:8080"}}, + &cliproxyauth.Auth{ProxyURL: "direct"}, + 0, + ) + + transport, ok := client.Transport.(*http.Transport) + if !ok { + t.Fatalf("transport type = %T, want *http.Transport", client.Transport) + } + if transport.Proxy != nil { + t.Fatal("expected direct transport to disable proxy function") + } +} diff --git a/internal/util/proxy.go b/internal/util/proxy.go index aea52ba8..9b57ca17 100644 --- a/internal/util/proxy.go +++ b/internal/util/proxy.go @@ -4,50 +4,25 @@ package util import ( - "context" - "net" "net/http" - "net/url" "github.com/router-for-me/CLIProxyAPI/v6/sdk/config" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" - "golang.org/x/net/proxy" ) // SetProxy configures the provided HTTP client with proxy settings from the configuration. // It supports SOCKS5, HTTP, and HTTPS proxies. The function modifies the client's transport // to route requests through the configured proxy server. func SetProxy(cfg *config.SDKConfig, httpClient *http.Client) *http.Client { - var transport *http.Transport - // Attempt to parse the proxy URL from the configuration. - proxyURL, errParse := url.Parse(cfg.ProxyURL) - if errParse == nil { - // Handle different proxy schemes. - if proxyURL.Scheme == "socks5" { - // Configure SOCKS5 proxy with optional authentication. - var proxyAuth *proxy.Auth - if proxyURL.User != nil { - username := proxyURL.User.Username() - password, _ := proxyURL.User.Password() - proxyAuth = &proxy.Auth{User: username, Password: password} - } - dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, proxyAuth, proxy.Direct) - if errSOCKS5 != nil { - log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5) - return httpClient - } - // Set up a custom transport using the SOCKS5 dialer. - transport = &http.Transport{ - DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.Dial(network, addr) - }, - } - } else if proxyURL.Scheme == "http" || proxyURL.Scheme == "https" { - // Configure HTTP or HTTPS proxy. - transport = &http.Transport{Proxy: http.ProxyURL(proxyURL)} - } + if cfg == nil || httpClient == nil { + return httpClient + } + + transport, _, errBuild := proxyutil.BuildHTTPTransport(cfg.ProxyURL) + if errBuild != nil { + log.Errorf("%v", errBuild) } - // If a new transport was created, apply it to the HTTP client. if transport != nil { httpClient.Transport = transport } diff --git a/sdk/cliproxy/rtprovider.go b/sdk/cliproxy/rtprovider.go index dad4fc23..5c4f579a 100644 --- a/sdk/cliproxy/rtprovider.go +++ b/sdk/cliproxy/rtprovider.go @@ -1,16 +1,13 @@ package cliproxy import ( - "context" - "net" "net/http" - "net/url" "strings" "sync" coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" + "github.com/router-for-me/CLIProxyAPI/v6/sdk/proxyutil" log "github.com/sirupsen/logrus" - "golang.org/x/net/proxy" ) // defaultRoundTripperProvider returns a per-auth HTTP RoundTripper based on @@ -39,35 +36,12 @@ func (p *defaultRoundTripperProvider) RoundTripperFor(auth *coreauth.Auth) http. if rt != nil { return rt } - // Parse the proxy URL to determine the scheme. - proxyURL, errParse := url.Parse(proxyStr) - if errParse != nil { - log.Errorf("parse proxy URL failed: %v", errParse) + transport, _, errBuild := proxyutil.BuildHTTPTransport(proxyStr) + if errBuild != nil { + log.Errorf("%v", errBuild) return nil } - var transport *http.Transport - // Handle different proxy schemes. - if proxyURL.Scheme == "socks5" { - // Configure SOCKS5 proxy with optional authentication. - username := proxyURL.User.Username() - password, _ := proxyURL.User.Password() - proxyAuth := &proxy.Auth{User: username, Password: password} - dialer, errSOCKS5 := proxy.SOCKS5("tcp", proxyURL.Host, proxyAuth, proxy.Direct) - if errSOCKS5 != nil { - log.Errorf("create SOCKS5 dialer failed: %v", errSOCKS5) - return nil - } - // Set up a custom transport using the SOCKS5 dialer. - transport = &http.Transport{ - DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { - return dialer.Dial(network, addr) - }, - } - } else if proxyURL.Scheme == "http" || proxyURL.Scheme == "https" { - // Configure HTTP or HTTPS proxy. - transport = &http.Transport{Proxy: http.ProxyURL(proxyURL)} - } else { - log.Errorf("unsupported proxy scheme: %s", proxyURL.Scheme) + if transport == nil { return nil } p.mu.Lock() diff --git a/sdk/cliproxy/rtprovider_test.go b/sdk/cliproxy/rtprovider_test.go new file mode 100644 index 00000000..f907081e --- /dev/null +++ b/sdk/cliproxy/rtprovider_test.go @@ -0,0 +1,22 @@ +package cliproxy + +import ( + "net/http" + "testing" + + coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth" +) + +func TestRoundTripperForDirectBypassesProxy(t *testing.T) { + t.Parallel() + + provider := newDefaultRoundTripperProvider() + rt := provider.RoundTripperFor(&coreauth.Auth{ProxyURL: "direct"}) + transport, ok := rt.(*http.Transport) + if !ok { + t.Fatalf("transport type = %T, want *http.Transport", rt) + } + if transport.Proxy != nil { + t.Fatal("expected direct transport to disable proxy function") + } +} diff --git a/sdk/proxyutil/proxy.go b/sdk/proxyutil/proxy.go new file mode 100644 index 00000000..591ec9d9 --- /dev/null +++ b/sdk/proxyutil/proxy.go @@ -0,0 +1,139 @@ +package proxyutil + +import ( + "context" + "fmt" + "net" + "net/http" + "net/url" + "strings" + + "golang.org/x/net/proxy" +) + +// Mode describes how a proxy setting should be interpreted. +type Mode int + +const ( + // ModeInherit means no explicit proxy behavior was configured. + ModeInherit Mode = iota + // ModeDirect means outbound requests must bypass proxies explicitly. + ModeDirect + // ModeProxy means a concrete proxy URL was configured. + ModeProxy + // ModeInvalid means the proxy setting is present but malformed or unsupported. + ModeInvalid +) + +// Setting is the normalized interpretation of a proxy configuration value. +type Setting struct { + Raw string + Mode Mode + URL *url.URL +} + +// Parse normalizes a proxy configuration value into inherit, direct, or proxy modes. +func Parse(raw string) (Setting, error) { + trimmed := strings.TrimSpace(raw) + setting := Setting{Raw: trimmed} + + if trimmed == "" { + setting.Mode = ModeInherit + return setting, nil + } + + if strings.EqualFold(trimmed, "direct") || strings.EqualFold(trimmed, "none") { + setting.Mode = ModeDirect + return setting, nil + } + + parsedURL, errParse := url.Parse(trimmed) + if errParse != nil { + setting.Mode = ModeInvalid + return setting, fmt.Errorf("parse proxy URL failed: %w", errParse) + } + if parsedURL.Scheme == "" || parsedURL.Host == "" { + setting.Mode = ModeInvalid + return setting, fmt.Errorf("proxy URL missing scheme/host") + } + + switch parsedURL.Scheme { + case "socks5", "http", "https": + setting.Mode = ModeProxy + setting.URL = parsedURL + return setting, nil + default: + setting.Mode = ModeInvalid + return setting, fmt.Errorf("unsupported proxy scheme: %s", parsedURL.Scheme) + } +} + +// NewDirectTransport returns a transport that bypasses environment proxies. +func NewDirectTransport() *http.Transport { + if transport, ok := http.DefaultTransport.(*http.Transport); ok && transport != nil { + clone := transport.Clone() + clone.Proxy = nil + return clone + } + return &http.Transport{Proxy: nil} +} + +// BuildHTTPTransport constructs an HTTP transport for the provided proxy setting. +func BuildHTTPTransport(raw string) (*http.Transport, Mode, error) { + setting, errParse := Parse(raw) + if errParse != nil { + return nil, setting.Mode, errParse + } + + switch setting.Mode { + case ModeInherit: + return nil, setting.Mode, nil + case ModeDirect: + return NewDirectTransport(), setting.Mode, nil + case ModeProxy: + if setting.URL.Scheme == "socks5" { + var proxyAuth *proxy.Auth + if setting.URL.User != nil { + username := setting.URL.User.Username() + password, _ := setting.URL.User.Password() + proxyAuth = &proxy.Auth{User: username, Password: password} + } + dialer, errSOCKS5 := proxy.SOCKS5("tcp", setting.URL.Host, proxyAuth, proxy.Direct) + if errSOCKS5 != nil { + return nil, setting.Mode, fmt.Errorf("create SOCKS5 dialer failed: %w", errSOCKS5) + } + return &http.Transport{ + Proxy: nil, + DialContext: func(_ context.Context, network, addr string) (net.Conn, error) { + return dialer.Dial(network, addr) + }, + }, setting.Mode, nil + } + return &http.Transport{Proxy: http.ProxyURL(setting.URL)}, setting.Mode, nil + default: + return nil, setting.Mode, nil + } +} + +// BuildDialer constructs a proxy dialer for settings that operate at the connection layer. +func BuildDialer(raw string) (proxy.Dialer, Mode, error) { + setting, errParse := Parse(raw) + if errParse != nil { + return nil, setting.Mode, errParse + } + + switch setting.Mode { + case ModeInherit: + return nil, setting.Mode, nil + case ModeDirect: + return proxy.Direct, setting.Mode, nil + case ModeProxy: + dialer, errDialer := proxy.FromURL(setting.URL, proxy.Direct) + if errDialer != nil { + return nil, setting.Mode, fmt.Errorf("create proxy dialer failed: %w", errDialer) + } + return dialer, setting.Mode, nil + default: + return nil, setting.Mode, nil + } +} diff --git a/sdk/proxyutil/proxy_test.go b/sdk/proxyutil/proxy_test.go new file mode 100644 index 00000000..bea413dc --- /dev/null +++ b/sdk/proxyutil/proxy_test.go @@ -0,0 +1,89 @@ +package proxyutil + +import ( + "net/http" + "testing" +) + +func TestParse(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + input string + want Mode + wantErr bool + }{ + {name: "inherit", input: "", want: ModeInherit}, + {name: "direct", input: "direct", want: ModeDirect}, + {name: "none", input: "none", want: ModeDirect}, + {name: "http", input: "http://proxy.example.com:8080", want: ModeProxy}, + {name: "https", input: "https://proxy.example.com:8443", want: ModeProxy}, + {name: "socks5", input: "socks5://proxy.example.com:1080", want: ModeProxy}, + {name: "invalid", input: "bad-value", want: ModeInvalid, wantErr: true}, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + setting, errParse := Parse(tt.input) + if tt.wantErr && errParse == nil { + t.Fatal("expected error, got nil") + } + if !tt.wantErr && errParse != nil { + t.Fatalf("unexpected error: %v", errParse) + } + if setting.Mode != tt.want { + t.Fatalf("mode = %d, want %d", setting.Mode, tt.want) + } + }) + } +} + +func TestBuildHTTPTransportDirectBypassesProxy(t *testing.T) { + t.Parallel() + + transport, mode, errBuild := BuildHTTPTransport("direct") + if errBuild != nil { + t.Fatalf("BuildHTTPTransport returned error: %v", errBuild) + } + if mode != ModeDirect { + t.Fatalf("mode = %d, want %d", mode, ModeDirect) + } + if transport == nil { + t.Fatal("expected transport, got nil") + } + if transport.Proxy != nil { + t.Fatal("expected direct transport to disable proxy function") + } +} + +func TestBuildHTTPTransportHTTPProxy(t *testing.T) { + t.Parallel() + + transport, mode, errBuild := BuildHTTPTransport("http://proxy.example.com:8080") + if errBuild != nil { + t.Fatalf("BuildHTTPTransport returned error: %v", errBuild) + } + if mode != ModeProxy { + t.Fatalf("mode = %d, want %d", mode, ModeProxy) + } + if transport == nil { + t.Fatal("expected transport, got nil") + } + + req, errRequest := http.NewRequest(http.MethodGet, "https://example.com", nil) + if errRequest != nil { + t.Fatalf("http.NewRequest returned error: %v", errRequest) + } + + proxyURL, errProxy := transport.Proxy(req) + if errProxy != nil { + t.Fatalf("transport.Proxy returned error: %v", errProxy) + } + if proxyURL == nil || proxyURL.String() != "http://proxy.example.com:8080" { + t.Fatalf("proxy URL = %v, want http://proxy.example.com:8080", proxyURL) + } +}