feat: enable using HTTP(S)_PROXY in router (#1136)

Co-authored-by: Jens Neuse <jens.neuse@gmx.de>

docker-compose.full.yml

@@ -316,6 +316,9 @@ services:
       GRAPHQL_METRICS_COLLECTOR_ENDPOINT: http://graphqlmetrics:4005
       GRAPH_API_TOKEN: ${ROUTER_TOKEN}
       CDN_URL: http://cdn:11000
+      HTTPS_PROXY: ${HTTPS_PROXY}
+      HTTP_PROXY: ${HTTP_PROXY}
+      NO_PROXY: ${NO_PROXY}
     restart: on-failure
     volumes:
       # Mount the example config from the repo into the working dir of the router binary location
@@ -396,6 +399,27 @@ services:
       - default
     restart: on-failure
 
+  # Use this to intercept request e.g. from the router by setting the HTTP(S)_PROXY env var to http://mitmproxy:9051.
+  # docker compose -f docker-compose.full.yml --profile proxy up -d mitmproxy
+  mitmproxy:
+    image: mitmproxy/mitmproxy:latest
+    command:
+      - mitmweb
+      - --web-host
+      - 0.0.0.0
+      - --web-port
+      - '8081'
+      - --mode
+      - regular@8080
+    restart: on-failure
+    profiles:
+      - proxy
+    networks:
+      - primary
+    ports:
+      - '9051:8080' # proxy
+      - '9050:8081' # web interface
+
 # This network is shared between this file and docker-compose.yml to
 # allow the demo subgraphs to communicate with the rest of the infra-networks:
 networks:

helm/cosmo/charts/router/README.md

@@ -21,7 +21,10 @@ This is the official Helm Chart for the WunderGraph Cosmo Router.
 | configuration.executionConfig | string | `""` | The execution config file to statically configure the router. If set, polling of the config is disabled. If your config exceeds 1MB (Kubernetes limit), you have to mount it as a file and set the path in routerConfigPath instead |
 | configuration.graphApiToken | string | `"replace-me"` | The router token is used to authenticate the router against the controlplane (required) |
 | configuration.graphqlMetricsCollectorUrl | string | `""` | The URL of the Cosmo GraphQL Metrics Collector. Should be internal to the cluster. Default to cloud if not set. |
+| configuration.httpProxy | string | `""` | The URL of the HTTP proxy server. Default is an empty string. |
+| configuration.httpsProxy | string | `""` | The URL of the HTTPS proxy server. Default is an empty string. |
 | configuration.logLevel | string | `"info"` | The log level of the router. Default to info if not set. |
+| configuration.noProxy | string | `""` | NO_PROXY is a comma-separated list of hosts or domains for which the proxy should not be used. |
 | configuration.otelCollectorUrl | string | `""` | The URL of the Cosmo GraphQL OTEL Collector. Should be internal to the cluster. Default to cloud if not set. |
 | configuration.prometheus.enabled | bool | `true` | Enables prometheus metrics support. Default is true. |
 | configuration.prometheus.path | string | `"/metrics"` | The HTTP path where metrics are exposed. Default is "/metrics". |

helm/cosmo/charts/router/templates/deployment.yaml

@@ -128,6 +128,27 @@ spec:
                   name: {{ include "router.secretName" . }}
                   key: graphApiToken
             {{- end }}
+            {{- if .Values.configuration.httpsProxy }}
+            - name: HTTPS_PROXY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "router.secretName" . }}
+                  key: httpsProxy
+            {{- end }}
+            {{- if .Values.configuration.httpProxy }}
+            - name: HTTP_PROXY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "router.secretName" . }}
+                  key: httpProxy
+            {{- end }}
+            {{- if .Values.configuration.noProxy }}
+            - name: NO_PROXY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "router.secretName" . }}
+                  key: noProxy
+            {{- end }}
             - name: PROMETHEUS_ENABLED
               valueFrom:
                 configMapKeyRef:

helm/cosmo/charts/router/templates/secret.yaml

@@ -11,4 +11,13 @@ metadata:
     {{- include "router.labels" . | nindent 4 }}
 data:
   graphApiToken: {{ .Values.configuration.graphApiToken | b64enc | quote }}
+  {{- if .Values.configuration.httpsProxy }}
+  httpsProxy: "{{ .Values.configuration.httpsProxy }}"
+  {{- end }}
+  {{- if .Values.configuration.httpProxy }}
+  httpProxy: "{{ .Values.configuration.httpProxy }}"
+  {{- end }}
+  {{- if .Values.configuration.noProxy }}
+  noProxy: "{{ .Values.configuration.noProxy }}"
+  {{- end }}
 {{- end }}

helm/cosmo/charts/router/values.yaml

@@ -225,4 +225,13 @@ configuration:
     # -- The port where metrics are exposed. Default is port 8088.
     port: 8088
     # -- The HTTP path where metrics are exposed. Default is "/metrics".
-    path: "/metrics"
+    path: "/metrics"
+
+  # Use this section to configure the router's HTTP(S) proxy settings.
+  # When set the proxy is enabled.
+  # -- The URL of the HTTPS proxy server. Default is an empty string.
+  httpsProxy: ''
+  # -- The URL of the HTTP proxy server. Default is an empty string.
+  httpProxy: ''
+  # -- NO_PROXY is a comma-separated list of hosts or domains for which the proxy should not be used.
+  noProxy: ''

router-tests/integration_test.go

@@ -7,6 +7,9 @@ import (
 	"io"
 	"math/rand"
 	"net/http"
+	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -303,6 +306,34 @@ func TestAnonymousQuery(t *testing.T) {
 	})
 }
 
+func TestProxy(t *testing.T) {
+
+	fakeSubgraph := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"data":{"employees":[{"id":1234}]}}`))
+	}))
+
+	u, err := url.Parse(fakeSubgraph.URL)
+	require.NoError(t, err)
+
+	proxy := httptest.NewServer(httputil.NewSingleHostReverseProxy(u))
+	require.NoError(t, err)
+
+	testenv.Run(t, &testenv.Config{
+		RouterOptions: []core.Option{
+			core.WithProxy(func(req *http.Request) (*url.URL, error) {
+				return url.Parse(proxy.URL)
+			}),
+		},
+	}, func(t *testing.T, xEnv *testenv.Environment) {
+		res := xEnv.MakeGraphQLRequestOK(testenv.GraphQLRequest{
+			Query: `{ employees { id } }`,
+		})
+		require.Equal(t, `{"data":{"employees":[{"id":1234}]}}`, res.Body)
+	})
+}
+
 func TestTracing(t *testing.T) {
 	t.Parallel()
 

router/.env.example

@@ -9,4 +9,9 @@ GRAPH_API_TOKEN=<generated_with_wgc>
 CDN_URL=http://127.0.0.1:11000
 NATS_URL=nats://localhost:4222
 #CONFIG_PATH=debug.config.yaml
-#GRAPH_CONFIG_SIGN_KEY=7kZKCz7DaLpvHKtaFEupDsBvDD9EEmUB
+#GRAPH_CONFIG_SIGN_KEY=7kZKCz7DaLpvHKtaFEupDsBvDD9EEmUB
+
+# HTTP(S)_PROXY configuration
+HTTPS_PROXY=""
+HTTP_PROXY=""
+NO_PROXY=""

router/cmd/instance.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"fmt"
+	"net/http"
 	"os"
 
 	"github.com/KimMachineGun/automemlimit/memlimit"
@@ -170,6 +171,11 @@ func NewRouter(params Params, additionalOptions ...core.Option) (*core.Router, e
 		core.WithRateLimitConfig(&cfg.RateLimit),
 	}
 
+	// HTTP_PROXY, HTTPS_PROXY and NO_PROXY
+	if hasProxyConfigured() {
+		core.WithProxy(http.ProxyFromEnvironment)
+	}
+
 	options = append(options, additionalOptions...)
 
 	if cfg.RouterRegistration && cfg.Graph.Token != "" {
@@ -206,3 +212,10 @@ func NewRouter(params Params, additionalOptions ...core.Option) (*core.Router, e
 
 	return core.NewRouter(options...)
 }
+
+func hasProxyConfigured() bool {
+	_, httpProxy := os.LookupEnv("HTTP_PROXY")
+	_, httpsProxy := os.LookupEnv("HTTPS_PROXY")
+	_, noProxy := os.LookupEnv("NO_PROXY")
+	return httpProxy || httpsProxy || noProxy
+}

router/core/graph_server.go

@@ -89,15 +89,15 @@ type (
 )
 
 // newGraphServer creates a new server instance.
-func newGraphServer(ctx context.Context, r *Router, routerConfig *nodev1.RouterConfig) (*graphServer, error) {
+func newGraphServer(ctx context.Context, r *Router, routerConfig *nodev1.RouterConfig, proxy ProxyFunc) (*graphServer, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	s := &graphServer{
 		context:                 ctx,
 		cancelFunc:              cancel,
 		Config:                  &r.Config,
 		websocketStats:          r.WebsocketStats,
 		metricStore:             rmetric.NewNoopMetrics(),
-		executionTransport:      newHTTPTransport(r.subgraphTransportOptions),
+		executionTransport:      newHTTPTransport(r.subgraphTransportOptions, proxy),
 		playgroundHandler:       r.playgroundHandler,
 		baseRouterConfigVersion: routerConfig.GetVersion(),
 		inFlightRequests:        &atomic.Uint64{},

router/core/router.go

@@ -82,6 +82,7 @@ type (
 		modules           []Module
 		WebsocketStats    WebSocketsStatistics
 		playgroundHandler func(http.Handler) http.Handler
+		proxy             ProxyFunc
 	}
 
 	SubgraphTransportOptions struct {
@@ -482,7 +483,7 @@ func NewRouter(opts ...Option) (*Router, error) {
 
 // newGraphServer creates a new server.
 func (r *Router) newServer(ctx context.Context, cfg *nodev1.RouterConfig) error {
-	server, err := newGraphServer(ctx, r, cfg)
+	server, err := newGraphServer(ctx, r, cfg, r.proxy)
 	if err != nil {
 		r.logger.Error("Failed to create graph server. Keeping the old server", zap.Error(err))
 		return err
@@ -1413,6 +1414,12 @@ func WithHealthChecks(healthChecks health.Checker) Option {
 	}
 }
 
+func WithProxy(proxy ProxyFunc) Option {
+	return func(r *Router) {
+		r.proxy = proxy
+	}
+}
+
 func WithReadinessCheckPath(path string) Option {
 	return func(r *Router) {
 		r.readinessCheckPath = path
@@ -1635,7 +1642,9 @@ func WithStorageProviders(cfg config.StorageProviders) Option {
 	}
 }
 
-func newHTTPTransport(opts *SubgraphTransportOptions) *http.Transport {
+type ProxyFunc func(req *http.Request) (*url.URL, error)
+
+func newHTTPTransport(opts *SubgraphTransportOptions, proxy ProxyFunc) *http.Transport {
 	dialer := &net.Dialer{
 		Timeout:   opts.DialTimeout,
 		KeepAlive: opts.KeepAliveProbeInterval,
@@ -1661,6 +1670,9 @@ func newHTTPTransport(opts *SubgraphTransportOptions) *http.Transport {
 		TLSHandshakeTimeout:   opts.TLSHandshakeTimeout,
 		ResponseHeaderTimeout: opts.ResponseHeaderTimeout,
 		ExpectContinueTimeout: opts.ExpectContinueTimeout,
+		// Will return nil when HTTP(S)_PROXY does not exist or is empty.
+		// This will prevent the transport from handling the proxy when it is not needed.
+		Proxy: proxy,
 	}
 }