proxy mode for http proxies

httpcore/__init__.py

@@ -34,7 +34,7 @@
     WriteError,
     WriteTimeout,
 )
-from ._models import URL, Origin, Request, Response
+from ._models import URL, Origin, ProxyMode, Request, Response
 from ._ssl import default_ssl_context
 from ._sync import (
     ConnectionInterface,
@@ -75,8 +75,9 @@ def __init__(self, *args, **kwargs):  # type: ignore
     "request",
     "stream",
     # models
-    "Origin",
     "URL",
+    "Origin",
+    "ProxyMode",
     "Request",
     "Response",
     # async

httpcore/_async/http_proxy.py

@@ -8,6 +8,7 @@
 from .._models import (
     URL,
     Origin,
+    ProxyMode,
     Request,
     Response,
     enforce_bytes,
@@ -25,7 +26,6 @@
 HeadersAsSequence = Sequence[Tuple[Union[bytes, str], Union[bytes, str]]]
 HeadersAsMapping = Mapping[Union[bytes, str], Union[bytes, str]]
 
-
 logger = logging.getLogger("httpcore.proxy")
 
 
@@ -74,6 +74,7 @@ def __init__(
         uds: Optional[str] = None,
         network_backend: Optional[AsyncNetworkBackend] = None,
         socket_options: Optional[Iterable[SOCKET_OPTION]] = None,
+        mode: ProxyMode = ProxyMode.DEFAULT,
     ) -> None:
         """
         A connection pool for making HTTP requests.
@@ -108,6 +109,7 @@ def __init__(
                 `AF_INET6` address (IPv6).
             uds: Path to a Unix Domain Socket to use instead of TCP sockets.
             network_backend: A backend instance to use for handling network I/O.
+            mode: Allow HTTP connection be tunnelable and HTTPS be forwardable.
         """
         super().__init__(
             ssl_context=ssl_context,
@@ -125,6 +127,7 @@ def __init__(
         self._ssl_context = ssl_context
         self._proxy_url = enforce_url(proxy_url, name="proxy_url")
         self._proxy_headers = enforce_headers(proxy_headers, name="proxy_headers")
+        self._mode = mode
         if proxy_auth is not None:
             username = enforce_bytes(proxy_auth[0], name="proxy_auth")
             password = enforce_bytes(proxy_auth[1], name="proxy_auth")
@@ -134,7 +137,13 @@ def __init__(
             ] + self._proxy_headers
 
     def create_connection(self, origin: Origin) -> AsyncConnectionInterface:
-        if origin.scheme == b"http":
+        is_tls = origin.scheme == b"https"
+
+        forwarable = not (self._mode & ProxyMode.HTTP_TUNNEL)
+        if is_tls:
+            forwarable = bool(self._mode & ProxyMode.HTTPS_FORWARD)
+
+        if forwarable:
             return AsyncForwardHTTPConnection(
                 proxy_origin=self._proxy_url.origin,
                 proxy_headers=self._proxy_headers,
@@ -151,6 +160,7 @@ def create_connection(self, origin: Origin) -> AsyncConnectionInterface:
             http1=self._http1,
             http2=self._http2,
             network_backend=self._network_backend,
+            is_tls=is_tls,
         )
 
 
@@ -228,6 +238,7 @@ def __init__(
         http2: bool = False,
         network_backend: Optional[AsyncNetworkBackend] = None,
         socket_options: Optional[Iterable[SOCKET_OPTION]] = None,
+        is_tls: bool = True,
     ) -> None:
         self._connection: AsyncConnectionInterface = AsyncHTTPConnection(
             origin=proxy_origin,
@@ -244,6 +255,7 @@ def __init__(
         self._http2 = http2
         self._connect_lock = AsyncLock()
         self._connected = False
+        self._is_tls = is_tls
 
     async def handle_async_request(self, request: Request) -> Response:
         timeouts = request.extensions.get("timeout", {})
@@ -280,31 +292,33 @@ async def handle_async_request(self, request: Request) -> Response:
                     raise ProxyError(msg)
 
                 stream = connect_response.extensions["network_stream"]
-
-                # Upgrade the stream to SSL
-                ssl_context = (
-                    default_ssl_context()
-                    if self._ssl_context is None
-                    else self._ssl_context
-                )
-                alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
-                ssl_context.set_alpn_protocols(alpn_protocols)
-
-                kwargs = {
-                    "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
-                    "timeout": timeout,
-                }
-                async with Trace("start_tls", logger, request, kwargs) as trace:
-                    stream = await stream.start_tls(**kwargs)
-                    trace.return_value = stream
-
-                # Determine if we should be using HTTP/1.1 or HTTP/2
-                ssl_object = stream.get_extra_info("ssl_object")
-                http2_negotiated = (
-                    ssl_object is not None
-                    and ssl_object.selected_alpn_protocol() == "h2"
-                )
+                http2_negotiated = False
+
+                if self._is_tls:
+                    # Upgrade the stream to SSL
+                    ssl_context = (
+                        default_ssl_context()
+                        if self._ssl_context is None
+                        else self._ssl_context
+                    )
+                    alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
+                    ssl_context.set_alpn_protocols(alpn_protocols)
+
+                    kwargs = {
+                        "ssl_context": ssl_context,
+                        "server_hostname": self._remote_origin.host.decode("ascii"),
+                        "timeout": timeout,
+                    }
+                    async with Trace("start_tls", logger, request, kwargs) as trace:
+                        stream = await stream.start_tls(**kwargs)
+                        trace.return_value = stream
+
+                    # Determine if we should be using HTTP/1.1 or HTTP/2
+                    ssl_object = stream.get_extra_info("ssl_object")
+                    http2_negotiated = (
+                        ssl_object is not None
+                        and ssl_object.selected_alpn_protocol() == "h2"
+                    )
 
                 # Create the HTTP/1.1 or HTTP/2 connection
                 if http2_negotiated or (self._http2 and not self._http1):

httpcore/_models.py

@@ -1,3 +1,4 @@
+import enum
 from typing import (
     Any,
     AsyncIterable,
@@ -481,3 +482,9 @@ async def aclose(self) -> None:
             )
         if hasattr(self.stream, "aclose"):
             await self.stream.aclose()
+
+
+class ProxyMode(enum.IntFlag):
+    DEFAULT = 0
+    HTTPS_FORWARD = 1
+    HTTP_TUNNEL = 2

httpcore/_sync/http_proxy.py

@@ -8,6 +8,7 @@
 from .._models import (
     URL,
     Origin,
+    ProxyMode,
     Request,
     Response,
     enforce_bytes,
@@ -25,7 +26,6 @@
 HeadersAsSequence = Sequence[Tuple[Union[bytes, str], Union[bytes, str]]]
 HeadersAsMapping = Mapping[Union[bytes, str], Union[bytes, str]]
 
-
 logger = logging.getLogger("httpcore.proxy")
 
 
@@ -74,6 +74,7 @@ def __init__(
         uds: Optional[str] = None,
         network_backend: Optional[NetworkBackend] = None,
         socket_options: Optional[Iterable[SOCKET_OPTION]] = None,
+        mode: ProxyMode = ProxyMode.DEFAULT,
     ) -> None:
         """
         A connection pool for making HTTP requests.
@@ -108,6 +109,7 @@ def __init__(
                 `AF_INET6` address (IPv6).
             uds: Path to a Unix Domain Socket to use instead of TCP sockets.
             network_backend: A backend instance to use for handling network I/O.
+            mode: Allow HTTP connection be tunnelable and HTTPS be forwardable.
         """
         super().__init__(
             ssl_context=ssl_context,
@@ -125,6 +127,7 @@ def __init__(
         self._ssl_context = ssl_context
         self._proxy_url = enforce_url(proxy_url, name="proxy_url")
         self._proxy_headers = enforce_headers(proxy_headers, name="proxy_headers")
+        self._mode = mode
         if proxy_auth is not None:
             username = enforce_bytes(proxy_auth[0], name="proxy_auth")
             password = enforce_bytes(proxy_auth[1], name="proxy_auth")
@@ -134,7 +137,13 @@ def __init__(
             ] + self._proxy_headers
 
     def create_connection(self, origin: Origin) -> ConnectionInterface:
-        if origin.scheme == b"http":
+        is_tls = origin.scheme == b"https"
+
+        forwarable = not (self._mode & ProxyMode.HTTP_TUNNEL)
+        if is_tls:
+            forwarable = bool(self._mode & ProxyMode.HTTPS_FORWARD)
+
+        if forwarable:
             return ForwardHTTPConnection(
                 proxy_origin=self._proxy_url.origin,
                 proxy_headers=self._proxy_headers,
@@ -151,6 +160,7 @@ def create_connection(self, origin: Origin) -> ConnectionInterface:
             http1=self._http1,
             http2=self._http2,
             network_backend=self._network_backend,
+            is_tls=is_tls,
         )
 
 
@@ -228,6 +238,7 @@ def __init__(
         http2: bool = False,
         network_backend: Optional[NetworkBackend] = None,
         socket_options: Optional[Iterable[SOCKET_OPTION]] = None,
+        is_tls: bool = True,
     ) -> None:
         self._connection: ConnectionInterface = HTTPConnection(
             origin=proxy_origin,
@@ -244,6 +255,7 @@ def __init__(
         self._http2 = http2
         self._connect_lock = Lock()
         self._connected = False
+        self._is_tls = is_tls
 
     def handle_request(self, request: Request) -> Response:
         timeouts = request.extensions.get("timeout", {})
@@ -280,31 +292,33 @@ def handle_request(self, request: Request) -> Response:
                     raise ProxyError(msg)
 
                 stream = connect_response.extensions["network_stream"]
-
-                # Upgrade the stream to SSL
-                ssl_context = (
-                    default_ssl_context()
-                    if self._ssl_context is None
-                    else self._ssl_context
-                )
-                alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
-                ssl_context.set_alpn_protocols(alpn_protocols)
-
-                kwargs = {
-                    "ssl_context": ssl_context,
-                    "server_hostname": self._remote_origin.host.decode("ascii"),
-                    "timeout": timeout,
-                }
-                with Trace("start_tls", logger, request, kwargs) as trace:
-                    stream = stream.start_tls(**kwargs)
-                    trace.return_value = stream
-
-                # Determine if we should be using HTTP/1.1 or HTTP/2
-                ssl_object = stream.get_extra_info("ssl_object")
-                http2_negotiated = (
-                    ssl_object is not None
-                    and ssl_object.selected_alpn_protocol() == "h2"
-                )
+                http2_negotiated = False
+
+                if self._is_tls:
+                    # Upgrade the stream to SSL
+                    ssl_context = (
+                        default_ssl_context()
+                        if self._ssl_context is None
+                        else self._ssl_context
+                    )
+                    alpn_protocols = ["http/1.1", "h2"] if self._http2 else ["http/1.1"]
+                    ssl_context.set_alpn_protocols(alpn_protocols)
+
+                    kwargs = {
+                        "ssl_context": ssl_context,
+                        "server_hostname": self._remote_origin.host.decode("ascii"),
+                        "timeout": timeout,
+                    }
+                    with Trace("start_tls", logger, request, kwargs) as trace:
+                        stream = stream.start_tls(**kwargs)
+                        trace.return_value = stream
+
+                    # Determine if we should be using HTTP/1.1 or HTTP/2
+                    ssl_object = stream.get_extra_info("ssl_object")
+                    http2_negotiated = (
+                        ssl_object is not None
+                        and ssl_object.selected_alpn_protocol() == "h2"
+                    )
 
                 # Create the HTTP/1.1 or HTTP/2 connection
                 if http2_negotiated or (self._http2 and not self._http1):