Grpc-go: NO_PROXY does not work with DNS name but with IP
What version of gRPC are you using?
v1.23.0
What version of Go are you using (go version)?
go version go1.13.6 linux/amd64
What operating system (Linux, Windows, …) and version?
PRETTY_NAME="Debian GNU/Linux 10 (buster)", actuall it is the docker image golang:1.13.6-buster.
What did you do?
In my Kubernetes cluster, I set the env HTTP_PROXY to an HTTP proxy (a tinyproxy pod) and set NO_PROXY with the domain name in Kubernetes to bypass these traffics on gRPC clients.
For example, I set up a service not-proxied in the default namespace, and if I set NO_PROXY to .default.svc.local.cluster or not-proxied.default.svc.local.cluster, the dial address in client is not-proxied.default.svc.local.cluster, the gRPC call to these services still uses the HTTP proxy. Only If I set the NO_PROXY to the cluster IP of that service, these gRPC traffics will not use the HTTP proxy.
What did you expect to see?
The gRPC call to those services in NO_PROXY should not use the HTTP proxy.
What did you see instead?
The gRPC call to those services in NO_PROXY still uses HTTP proxy for I can get proxied logs from my HTTP proxy.
LSChyi
All 5 comments
Proxy is currently implemented as a dialer, so it doesn't see the hostname before name resolution.
A solution would be to also pass the un-resolved name, and check that against NO_PROXY.
For now, as a workaround, if you want to disable proxy for one ClientConn, override its dialer WithContextDialer.
menghanl
on 26 Feb 2020
We are hitting this same issue, I can submit a PR to do as @menghanl suggests.
danmux
on 29 Mar 2020
There is a recent change related to #3411 that may make this less important / needed.
danmux
on 29 Mar 2020
To add more details:
We want to support proxy at two levels:
- on the server name, before name resolution
- on the IP addresses, after name resolution
With the current set of APIs, there's no easy way to support both.
To do this, we will need to design another proxy API.
There was an old PR (#1095) that does this.
menghanl
on 3 Apr 2020
Makes sense.
We have worked around this by doing the env var detection up front. If it is not conducive to the round robin balancing we fall back to single direct host with passthrough - to prioritise honouring NO_PROXY
danmux
on 6 Apr 2020
Related issues
23doors
·
3Comments
arcana261
·
3Comments
kushp
·
4Comments
reterVision
·
3Comments
felixwang66
·
3Comments
Most helpful comment
Proxy is currently implemented as a dialer, so it doesn't see the hostname before name resolution.
A solution would be to also pass the un-resolved name, and check that against NO_PROXY.
For now, as a workaround, if you want to disable proxy for one ClientConn, override its dialer WithContextDialer.