Add no_proxy support #63314

Merged
merged 37 commits into from
Jun 13, 2024

@arthurpassos arthurpassos commented May 2, 2024

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Allow proxy to be bypassed for hosts specified in no_proxy env variable and ClickHouse proxy configuration.

Documentation entry for user-facing changes

  • [ X ] Documentation is written (mandatory for new features)

Information about CI checks: https://clickhouse.com/docs/en/development/continuous-integration/

{
ret.append("|");
}
ret.append(host);
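Review bot: `ret.append(host)` on the last line puts each host into the `|`-joined string verbatim. If `ret` is later compiled as a regular expression, a `.` in a host name matches any character and a `|` or `*` inside an entry changes the structure of the pattern, so the bypass list can match hosts the operator never listed. Escape regex metacharacters in `host` before appending, and translate the `*` wildcard explicitly.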
Member

Missing escaping.

@alexey-milovidov
Member

alexey-milovidov commented May 3, 2024

This feature looks too ad-hoc. Missing motivation about use cases. Why environment variables?

@arthurpassos
Contributor Author

> This feature looks too ad-hoc. Missing motivation about use cases.

Consider the scenario where a ClickHouse instance uses two different S3 installations: AWS and a private one. For the AWS one, the user wants all requests to go through their proxy, while for the private one, no. With the current implementation, there is no way to achieve this.

> Why environment variables?

ClickHouse currently supports proxy configuration in two different places: env variables and configuration files. This PR will add the functionality to both, but I haven't had the time to implement for configuration files yet. Plus, it's pretty standard to support NO_PROXY through environment variables.

@arthurpassos arthurpassos changed the title Add NO_PROXY support Add no_proxy support May 3, 2024
@filimonov
Contributor

> Why environment variables?

Not invented by us, just most tools in Linux support that.

https://stackoverflow.com/questions/62632642/how-to-use-no-proxy-on-linux-machines-wildcards-leading-dots
https://stackoverflow.com/questions/13559377/curl-bypass-proxy-for-localhost

You
Looking for some documentation about the NO_PROXY env variable, and who supports that.

ChatGPT
The NO_PROXY environment variable is used to specify a list of domain names, IP addresses, or subnets that should be excluded from proxying. When using a proxy server, all traffic is generally redirected through the proxy unless specified otherwise in NO_PROXY. This is particularly useful in environments where you want to avoid the overhead of proxying local or intranet communications.

How NO_PROXY Works:

  • Format: The NO_PROXY variable is a comma-separated list of domains and IP addresses that should bypass the proxy. For example: NO_PROXY=localhost,127.0.0.1,example.com,*.mycompany.com.
  • Wildcards: You can use an asterisk (*) as a wildcard to match any subdomain. For example, *.example.com would apply to subdomain.example.com, another.example.com, etc.
  • Ports: You can specify ports in NO_PROXY to exclude specific port traffic from being proxied. For example: example.com:8080.

Support for NO_PROXY:

  • Operating Systems: Most Unix-like operating systems, including Linux and macOS, support the NO_PROXY variable natively. Windows also supports environment variables for proxy settings, though the behavior can vary slightly depending on the implementation.
  • Programming Languages: Many programming languages and their standard libraries respect the NO_PROXY setting. For instance:
    • Python: The urllib library respects NO_PROXY.
    • Node.js: The request module and others respect NO_PROXY.
  • Tools and Applications: Most command-line tools and applications that use network requests support NO_PROXY. This includes tools like curl, wget, and many others.

Documentation and Standards:

While there isn't a formal RFC that defines the behavior of NO_PROXY, its usage is largely consistent across different environments due to convention. The best place to find documentation on how NO_PROXY is implemented in a specific tool or library is typically the official documentation for that tool or library.

If you're using a specific tool or programming environment and need to know how it handles NO_PROXY, it would be a good idea to look at the official documentation or the configuration settings related to proxy handling in that environment.

Curl: https://curl.se/libcurl/c/CURLOPT_NOPROXY.html
wget: https://www.gnu.org/software/wget/manual/html_node/Proxies.html
etc.

Discussion about standardizing that.

https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/
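
The list format described in the comment above, together with the escaping concern raised in review, as an added example that is not code from this PR or from ClickHouse. It joins a comma-separated no_proxy list into a regex alternation with and without escaping, using `std::regex` as a stand-in for the Poco regexp mentioned in the thread; `escapeHost`, `buildNoProxyPattern` and `bypassesProxy` are hypothetical names.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>

// Hypothetical helper: escape regex metacharacters so a host is matched
// literally; '*' becomes ".*" to keep the no_proxy wildcard convention.
static std::string escapeHost(const std::string & host)
{
    static const std::string meta = R"(\.^$|()[]{}+?)";
    std::string out;
    for (char c : host)
    {
        if (c == '*') { out += ".*"; continue; }
        if (meta.find(c) != std::string::npos) out += '\\';
        out += c;
    }
    return out;
}

// Join a comma-separated no_proxy list into one alternation. With
// escape == false, hosts are appended verbatim (the unescaped form).
std::string buildNoProxyPattern(const std::string & no_proxy, bool escape)
{
    std::istringstream in(no_proxy);
    std::string host, ret;
    while (std::getline(in, host, ','))
    {
        host.erase(0, host.find_first_not_of(" \t"));
        host.erase(host.find_last_not_of(" \t") + 1);
        if (host.empty()) continue;
        if (!ret.empty()) ret.append("|");
        ret.append(escape ? escapeHost(host) : host);
    }
    return ret;
}

// regex_match only succeeds when the whole host matches the pattern.
bool bypassesProxy(const std::string & host, const std::string & pattern)
{
    return !pattern.empty() && std::regex_match(host, std::regex(pattern));
}

int main()
{
    const std::string list = "example.com, *.corp.local"; // constructed sample
    std::cout << buildNoProxyPattern(list, true) << '\n';
    std::cout << bypassesProxy("db.corp.local", buildNoProxyPattern(list, true)) << '\n';
}
```

Without escaping, the entry `example.com` also matches `exampleXcom`, so a request to an unlisted host would skip the proxy.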

@arthurpassos
Contributor Author

@alexey-milovidov can you enable CI?

@arthurpassos
Contributor Author

We should merge #63427 first

@arthurpassos arthurpassos marked this pull request as ready for review May 9, 2024 18:12
@evillique evillique added the can be tested Allows running workflows for external contributors label May 10, 2024
@robot-ch-test-poll robot-ch-test-poll added the pr-feature Pull request with new product feature label May 10, 2024
@robot-ch-test-poll
Contributor

robot-ch-test-poll commented May 10, 2024

This is an automated comment for commit f026cc4 with description of existing statuses. It's updated for the latest CI running


| Check name | Description | Status |
|---|---|---|
| Integration tests | The integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests | ❌ failure |
| Stress test | Runs stateless functional tests concurrently from several clients to detect concurrency-related errors | ❌ failure |

Successful checks

| Check name | Description | Status |
|---|---|---|
| A Sync | If it fails, ask a maintainer for help | ✅ success |
| AST fuzzer | Runs randomly generated queries to catch program errors. The build type is optionally given in parenthesis. If it fails, ask a maintainer for help | ✅ success |
| CI running | A meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR | ✅ success |
| ClickBench | Runs [ClickBench](https://github.com/ClickHouse/ClickBench/) with instant-attach table | ✅ success |
| ClickHouse build check | Builds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process | ✅ success |
| Compatibility check | Checks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help | ✅ success |
| Docker keeper image | The check to build and optionally push the mentioned image to docker hub | ✅ success |
| Docker server image | The check to build and optionally push the mentioned image to docker hub | ✅ success |
| Docs check | Builds and tests the documentation | ✅ success |
| Fast test | Normally this is the first check that is ran for a PR. It builds ClickHouse and runs most of stateless functional tests, omitting some. If it fails, further checks are not started until it is fixed. Look at the report to see which tests fail, then reproduce the failure locally as described here | ✅ success |
| Flaky tests | Checks if new added or modified tests are flaky by running them repeatedly, in parallel, with more randomization. Functional tests are run 100 times with address sanitizer, and additional randomization of thread scheduling. Integration tests are run up to 10 times. If at least once a new test has failed, or was too long, this check will be red. We don't allow flaky tests, read the doc | ✅ success |
| Install packages | Checks that the built packages are installable in a clear environment | ✅ success |
| Mergeable Check | Checks if all other necessary checks are successful | ✅ success |
| PR Check | Checks correctness of the PR's body | ✅ success |
| Performance Comparison | Measure changes in query performance. The performance test report is described in detail here. In square brackets are the optional part/total tests | ✅ success |
| Stateful tests | Runs stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ✅ success |
| Stateless tests | Runs stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc | ✅ success |
| Style check | Runs a set of checks to keep the code style clean. If some of tests failed, see the related log from the report | ✅ success |
| Unit tests | Runs the unit tests for different release types | ✅ success |
| Upgrade check | Runs stress tests on server version from last release and then tries to upgrade it to the version from the PR. It checks if the new server can successfully startup without any errors, crashes or sanitizer asserts | ✅ success |

@arthurpassos
Contributor Author

@evillique can you also enable ci on #63427? That pr needs to be merged before this one

@CheSema CheSema self-assigned this May 24, 2024
@@ -49,6 +49,7 @@ struct ProxyConfiguration
uint16_t port = 0;
bool tunneling = false;
Protocol original_request_protocol = Protocol::HTTP;
std::string no_proxy_hosts = "";
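Review bot: `std::string no_proxy_hosts = "";` on the last line of the hunk has no comment saying what format the string holds (the raw comma-separated list or an already converted pattern), so every consumer of `ProxyConfiguration` has to know the format and parse it again. Document the expected format at the declaration; the `= ""` initializer is also redundant, since `std::string` default-constructs to empty.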
Member

This list is constructed from env. It is immutable for the rest of the program's life.

Why do we copy it to each connection?
Why do we leave it in raw format and parse each time?

Contributor Author

hm... if I had to argue, I would say simplicity and consistency with other types of resolvers that do not rely on environment variables. They always read stuff on the fly and generate a new configuration.

It is not a strong argument, tho. I could introduce some sort of static variable in EnvironmentProxyConfigurationResolver so that it reads only once from the environment and always returns that.

As for the native format, mostly because DB::ProxyConfiguration is 3rd party agnostic. Meaning it has no dependencies on Poco or AWS SDK. In any case, I am fine with converting it only once and storing the poco format in DB::ProxyConfiguration. If the need to abstract that ever appears, we can do it. For now, we can make this change.

What do you think?

Contributor Author

The last commit is a possible implementation of the above idea, please take a look: 3ae8176.

@arthurpassos
Contributor Author

arthurpassos commented Jun 11, 2024

@CheSema what do you think of the current approach? Env variables are queried only once. Poco regexp is built only once as well.

@arthurpassos
Contributor Author

I believe the stress test failure is already being tracked -- #65043

Failing everywhere - test_checking_s3_blobs_paranoid

@CheSema CheSema added this pull request to the merge queue Jun 13, 2024
Merged via the queue into ClickHouse:master with commit e8c0caa Jun 13, 2024
244 of 248 checks passed
@robot-clickhouse-ci-2 robot-clickhouse-ci-2 added the pr-synced-to-cloud The PR is synced to the cloud repo label Jun 13, 2024