abhinavsingh / proxy.py

💫 Ngrok FRP Alternative • ⚡ Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • ⏪ Reverse & ⏩ Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor framework
https://abhinavsingh.com/proxy-py-a-lightweight-single-file-http-proxy-server-in-python/
BSD 3-Clause "New" or "Revised" License

Reverse proxy ignores ca_file #1279

Open dmitriyvolk opened 1 year ago

dmitriyvolk commented 1 year ago

Check FAQs Please check Frequently Asked Questions before opening a bug report.

Describe the bug Reverse proxy ignores the ca_file argument.

When the reverse proxy calls upstream.wrap() (https://github.com/abhinavsingh/proxy.py/blob/develop/proxy/http/server/reverse.py#L97) it omits the ca_cert argument. Therefore the SSLContext being created doesn't have the CA file.

This makes it impossible to reverse-proxy to servers with self-signed certificates, which is exactly what I need to do in some cases.

To Reproduce Steps to reproduce the behavior:

  1. Run proxy.py as 'proxy --enable-reverse-proxy --plugins --ca-file '
  2. Deploy an HTTPS server with a self-signed certificate listening at https://myserver
  3. Have MyPlugin like this:
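    from typing import List, Tuple, Union
    from proxy.http.server import ReverseProxyBasePlugin

    class MyPlugin(ReverseProxyBasePlugin):
        # Route /blah to an HTTPS upstream that uses a self-signed certificate
        def routes(self) -> List[Union[str, Tuple[str, List[bytes]]]]:
            return [
                (r"/blah$", [b"https://myserver/"]),
            ]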
  4. Do curl http://localhost:8899/blah to trigger error
  5. See error
    2022-10-12 19:38:32,768 - pid:45420 [W] handler.handle_readables:234 - Exception when receiving from client connection#29 with reason SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')

Expected behavior Upstream connection succeeds.

Version information

Additional context N/A

Screenshots N/A
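A regression check for the kind of bug reported above, added here as an illustration and not taken from proxy.py or from the linked PRs: it asserts that a configured CA path actually reaches the `ssl` context factory, and that certificate and hostname verification stay enabled. `Upstream`, `connect_dropping_ca`, `connect_forwarding_ca`, `cafile_seen_by_ssl`, `is_strict` and `CA_PATH` are hypothetical names.

```python
import ssl
from typing import Callable, Optional
from unittest import mock

CA_PATH = "/constructed/path/ca.pem"  # constructed sample path, never opened


class Upstream:
    """Hypothetical stand-in for an upstream TLS connection (not proxy.py's class)."""

    def __init__(self, hostname: str) -> None:
        self.hostname = hostname
        self.context: Optional[ssl.SSLContext] = None

    def wrap(self, ca_file: Optional[str] = None) -> None:
        # With ca_file=None only the system trust store is loaded, so a
        # self-signed or private CA fails verification.
        self.context = ssl.create_default_context(
            ssl.Purpose.SERVER_AUTH, cafile=ca_file,
        )


def connect_dropping_ca(hostname: str, ca_file: Optional[str]) -> Upstream:
    """Caller that accepts ca_file but never forwards it (the reported pattern)."""
    upstream = Upstream(hostname)
    upstream.wrap()
    return upstream


def connect_forwarding_ca(hostname: str, ca_file: Optional[str]) -> Upstream:
    """Caller that forwards the configured CA file to wrap()."""
    upstream = Upstream(hostname)
    upstream.wrap(ca_file=ca_file)
    return upstream


def cafile_seen_by_ssl(connect: Callable[[str, Optional[str]], Upstream]) -> Optional[str]:
    """Return the cafile value that reaches ssl.create_default_context."""
    with mock.patch("ssl.create_default_context") as factory:
        connect("myserver", CA_PATH)
    return factory.call_args.kwargs.get("cafile")


def is_strict(context: ssl.SSLContext) -> bool:
    """True when both chain and hostname verification are enforced."""
    return context.verify_mode == ssl.CERT_REQUIRED and context.check_hostname
```
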

dmitriyvolk commented 1 year ago

The PoC PR https://github.com/abhinavsingh/proxy.py/pull/1280 makes it work as expected.

ddl-ebrown commented 1 year ago

Looks like #1283 implemented this around 6 months ago, but it still hasn't shipped in a release yet. Are you cutting a new release anytime soon @abhinavsingh ? Thanks!

abhinavsingh commented 1 year ago

@ddl-ebrown Thanks for reminding me about it. Just started release workflow for v2.4.4rc4 https://github.com/abhinavsingh/proxy.py/actions/runs/4417674343 , should be out soon.

ddl-ebrown commented 1 year ago

Awesome - thank you!