Skip to content

net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier #16130

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 29, 2025
Merged

net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier #16130

merged 1 commit into from
May 29, 2025

Conversation

nickkhyl
Copy link
Contributor

@nickkhyl nickkhyl commented May 29, 2025
edited
Loading

Using WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG on Windows versions older than Windows 10 1703 (build 15063) is not supported and causes WinHttpGetProxyForUrl to fail with ERROR_INVALID_PARAMETER. This results in failures reaching the control on environments where a proxy is required.

We use wingoes version detection to conditionally set the WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG flag
on Windows builds greater than 15063.

While there, we also update proxy detection to use WINHTTP_AUTO_DETECT_TYPE_DNS_A, as DNS-based proxy discovery might be required with Active Directory and in certain other environments.

Updates tailscale/corp#29168
Fixes #879

@review-ai-agent review.ai agent
Copy link

review-ai-agent bot commented May 29, 2025
edited
Loading

Pull Request Revisions

RevisionDescription
r5
Reduced proxy error retry durationModified Windows proxy error handling to set a shorter 10-second retry interval instead of one hour
r4
Dependency tracking file updatedMinor dependency tracking update in derper's depaware.txt, specifically for wingoes package from tailscale.com/util/winutil
r3
Migrated Windows build version checkReplaced local Windows build version checking with external wingoes library functionality, removing duplicated version constants
r2
Windows build number constant renamedRenamed Windows12_24H2 constant to Windows11_24H2 and updated WindowsServer2025 build number accordingly
r1
Windows proxy detection version checkAdded Windows build version check for proxy auto-configuration flag compatibility and introduced build number constants
✅ AI review completed for r5
Help React with emojis to give feedback on AI-generated reviews:
  • 👍 means the feedback was helpful and actionable
  • 👎 means the feedback was incorrect or unhelpful
💬 Replying to feedback with a comment helps us improve the system. Your input also contributes to shaping future interactions with the AI reviewer.

We'd love to hear from you—reach out anytime at team@review.ai.

review-ai-agent[bot]
review-ai-agent bot reviewed May 29, 2025
View reviewed changes
@nickkhyl nickkhyl force-pushed the nickkhyl/win-pac branch from 0654d72 to 393828b Compare May 29, 2025 15:53
@nickkhyl nickkhyl requested review from dblohm7 and bradfitz May 29, 2025 15:54
dblohm7
dblohm7 requested changes May 29, 2025
View reviewed changes
Copy link
Member

@dblohm7 dblohm7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just use wingoes for the version detection?

@nickkhyl
Copy link
Contributor Author

Thanks for pointing out that we have something similar in wingoes.

But its implementation is based on RtlGetVersion, which returns the actual OS version info and doesn’t work well with compat shims. It's perfectly fine to use RtlGetVersion when we need version info for reporting purposes, but I'd rather keep using VerifyVersionInfo for checking API availability and alike. It's also what Microsoft seems to use in similar scenarios.

bradfitz
bradfitz approved these changes May 29, 2025
View reviewed changes
Copy link
Member

@bradfitz bradfitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice find.

LGTM for the tshttpproxy bit at least.

You can Aaron can work out where the version checking goes.

I like the sync.OnceValue to only do the system call once.

net/tshttpproxy/tshttpproxy_windows.go
// which prevents proxy detection and can lead to failures reaching the control server
// on environments where a proxy is required.
//
// https://web.archive.org/web/20250529044903/https://learn.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_autoproxy_options
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hah, using archive.org because Microsoft can't keep breaking their URLs every few years. lolsob.

@nickkhyl nickkhyl force-pushed the nickkhyl/win-pac branch 2 times, most recently from cba49ea to edc6eb2 Compare May 29, 2025 17:51
review-ai-agent[bot]
review-ai-agent bot reviewed May 29, 2025
View reviewed changes
@nickkhyl nickkhyl changed the title net/tshttpproxy,util/winutil/winenv: fix WDAP/PAC proxy detection on Win10 1607 and earlier net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier May 29, 2025
@nickkhyl
net/tshttpproxy: fix WDAP/PAC proxy detection on Win10 1607 and earlier
9dccb48 
Using WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG on Windows versions older than Windows 10 1703 (build 15063)
is not supported and causes WinHttpGetProxyForUrl to fail with ERROR_INVALID_PARAMETER. This results in failures
reaching the control on environments where a proxy is required.

We use wingoes version detection to conditionally set the WINHTTP_AUTOPROXY_ALLOW_AUTOCONFIG flag
on Windows builds greater than 15063.

While there, we also update proxy detection to use WINHTTP_AUTO_DETECT_TYPE_DNS_A, as DNS-based proxy discovery
might be required with Active Directory and in certain other environments.

Updates tailscale/corp#29168
Fixes #879

Signed-off-by: Nick Khyl <nickk@tailscale.com>
@nickkhyl nickkhyl force-pushed the nickkhyl/win-pac branch from edc6eb2 to 9dccb48 Compare May 29, 2025 17:55
@nickkhyl
Copy link
Contributor Author

Updated this PR to use wingoes, as we already use it in other places; filed tailscale/corp#29174 to update its implementation to avoid using RtlGetVersion due to potential compat shim issues.

@nickkhyl nickkhyl requested a review from dblohm7 May 29, 2025 17:57
dblohm7
dblohm7 approved these changes May 29, 2025
View reviewed changes
Copy link
Member

@dblohm7 dblohm7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@nickkhyl nickkhyl merged commit 191afd3 into main May 29, 2025
91 of 93 checks passed
@nickkhyl nickkhyl deleted the nickkhyl/win-pac branch May 29, 2025 19:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@review-ai-agent review-ai-agent[bot] review-ai-agent[bot] left review comments

@bradfitz bradfitz bradfitz approved these changes

@dblohm7 dblohm7 dblohm7 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Windows 8.1: tshttpproxy: winhttp: GetProxyForURL("...log.tailscale.io..."): The parameter is incorrect./0x57
3 participants
@nickkhyl @bradfitz @dblohm7