Support allowed hosts for migrations to work with proxy (#32025) (#32026)

Backport #32025 by @wolfogre Fix #32024. Follow #27655. After this PR, all usage of "new dial context" needs to provide a proxy, so I dropped the old `NewDialContext` and renamed `NewDialContextWithProxy` to `NewDialContext`. Co-authored-by: Jason Song <i@wolfogre.com>
2025-10-31 11:41:32 +01:00 · 2024-09-11 14:54:19 +08:00 · 2024-09-11 14:54:19 +08:00 · 0629c08a6d
commit 0629c08a6d
parent 54d828f8ec
4 changed files with 3 additions and 11 deletions
--- a/modules/hostmatcher/http.go
+++ b/modules/hostmatcher/http.go
@ -13,11 +13,7 @@ import (
 )

 // NewDialContext returns a DialContext for Transport, the DialContext will do allow/block list check
-func NewDialContext(usage string, allowList, blockList *HostMatchList) func(ctx context.Context, network, addr string) (net.Conn, error) {
-	return NewDialContextWithProxy(usage, allowList, blockList, nil)
-}
-
-func NewDialContextWithProxy(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
+func NewDialContext(usage string, allowList, blockList *HostMatchList, proxy *url.URL) func(ctx context.Context, network, addr string) (net.Conn, error) {
 	// How Go HTTP Client works with redirection:
 	//   transport.RoundTrip URL=http://domain.com, Host=domain.com
 	//   transport.DialContext addrOrHost=domain.com:80
--- a/services/migrations/http_client.go
+++ b/services/migrations/http_client.go
@ -24,6 +24,6 @@ func NewMigrationHTTPTransport() *http.Transport {
 	return &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Migrations.SkipTLSVerify},
 		Proxy:           proxy.Proxy(),
-		DialContext:     hostmatcher.NewDialContext("migration", allowList, blockList),
+		DialContext:     hostmatcher.NewDialContext("migration", allowList, blockList, setting.Proxy.ProxyURLFixed),
 	}
 }
--- a/services/migrations/migrate.go
+++ b/services/migrations/migrate.go
@ -499,9 +499,5 @@ func Init() error {
 	// TODO: at the moment, if ALLOW_LOCALNETWORKS=false, ALLOWED_DOMAINS=domain.com, and domain.com has IP 127.0.0.1, then it's still allowed.
 	// if we want to block such case, the private&loopback should be added to the blockList when ALLOW_LOCALNETWORKS=false

-	if setting.Proxy.Enabled && setting.Proxy.ProxyURLFixed != nil {
-		allowList.AppendPattern(setting.Proxy.ProxyURLFixed.Host)
-	}
-
 	return nil
 }
--- a/services/webhook/deliver.go
+++ b/services/webhook/deliver.go
@ -303,7 +303,7 @@ func Init() error {
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: setting.Webhook.SkipTLSVerify},
 			Proxy:           webhookProxy(allowedHostMatcher),
-			DialContext:     hostmatcher.NewDialContextWithProxy("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
+			DialContext:     hostmatcher.NewDialContext("webhook", allowedHostMatcher, nil, setting.Webhook.ProxyURLFixed),
 		},
 	}