Don't apply the IP range blacklist to proxy connections (#9084)

It is expected that the proxy would be on a private IP address so the configured proxy should be connected to regardless of the IP range blacklist.
2025-05-02 13:36:02 -04:00 · 2021-01-12 18:20:30 +01:00 · 2021-01-12 18:20:30 +01:00 · e385c8b473
commit e385c8b473
parent fa6deb298b
4 changed files with 145 additions and 3 deletions
--- a/synapse/http/client.py
+++ b/synapse/http/client.py
@ -341,6 +341,7 @@ class SimpleHttpClient:

        self.agent = ProxyAgent(
            self.reactor,
+            hs.get_reactor(),
            connectTimeout=15,
            contextFactory=self.hs.get_http_client_context_factory(),
            pool=pool,
--- a/synapse/http/proxyagent.py
+++ b/synapse/http/proxyagent.py
@ -39,6 +39,10 @@ class ProxyAgent(_AgentBase):
        reactor: twisted reactor to place outgoing
            connections.

+        proxy_reactor: twisted reactor to use for connections to the proxy server
+                       reactor might have some blacklisting applied (i.e. for DNS queries),
+                       but we need unblocked access to the proxy.
+
        contextFactory (IPolicyForHTTPS): A factory for TLS contexts, to control the
            verification parameters of OpenSSL.  The default is to use a
            `BrowserLikePolicyForHTTPS`, so unless you have special
@ -59,6 +63,7 @@ class ProxyAgent(_AgentBase):
    def __init__(
        self,
        reactor,
+        proxy_reactor=None,
        contextFactory=BrowserLikePolicyForHTTPS(),
        connectTimeout=None,
        bindAddress=None,
@ -68,6 +73,11 @@ class ProxyAgent(_AgentBase):
    ):
        _AgentBase.__init__(self, reactor, pool)

+        if proxy_reactor is None:
+            self.proxy_reactor = reactor
+        else:
+            self.proxy_reactor = proxy_reactor
+
        self._endpoint_kwargs = {}
        if connectTimeout is not None:
            self._endpoint_kwargs["timeout"] = connectTimeout
@ -75,11 +85,11 @@ class ProxyAgent(_AgentBase):
            self._endpoint_kwargs["bindAddress"] = bindAddress

        self.http_proxy_endpoint = _http_proxy_endpoint(
-            http_proxy, reactor, **self._endpoint_kwargs
+            http_proxy, self.proxy_reactor, **self._endpoint_kwargs
        )

        self.https_proxy_endpoint = _http_proxy_endpoint(
-            https_proxy, reactor, **self._endpoint_kwargs
+            https_proxy, self.proxy_reactor, **self._endpoint_kwargs
        )

        self._policy_for_https = contextFactory
@ -137,7 +147,7 @@ class ProxyAgent(_AgentBase):
            request_path = uri
        elif parsed_uri.scheme == b"https" and self.https_proxy_endpoint:
            endpoint = HTTPConnectProxyEndpoint(
-                self._reactor,
+                self.proxy_reactor,
                self.https_proxy_endpoint,
                parsed_uri.host,
                parsed_uri.port,