Fix NO_PROXY addr logic

integration/proxy_helpers_test.go

@@ -481,3 +481,19 @@ func mustStartALPNLocalProxy(t *testing.T, addr string, protocol alpncommon.Prot
 	}()
 	return lp
 }
+
+func makeNodeConfig(nodeName, authAddr string) *service.Config {
+	nodeConfig := service.MakeDefaultConfig()
+	nodeConfig.Hostname = nodeName
+	nodeConfig.Token = "token"
+	nodeConfig.AuthServers = []utils.NetAddr{
+		{
+			AddrNetwork: "tcp",
+			Addr:        authAddr,
+		},
+	}
+	nodeConfig.Auth.Enabled = false
+	nodeConfig.Proxy.Enabled = false
+	nodeConfig.SSH.Enabled = true
+	return nodeConfig
+}

integration/proxy_test.go

@@ -24,6 +24,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"strconv"
 	"testing"
 	"time"
@@ -640,3 +641,72 @@ func TestALPNProxyDialProxySSHWithoutInsecureMode(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "hello world\n", output.String())
 }
+
+// TestALPNProxyHTTPProxyNoProxyDial tests if a node joining to root cluster
+// takes into account http_proxy and no_proxy env variables.
+func TestALPNProxyHTTPProxyNoProxyDial(t *testing.T) {
+	lib.SetInsecureDevMode(true)
+	defer lib.SetInsecureDevMode(false)
+
+	rc := NewInstance(InstanceConfig{
+		ClusterName: "root.example.com",
+		HostID:      uuid.New(),
+		NodeName:    Loopback,
+		log:         testlog.FailureOnly(t),
+		Ports:       singleProxyPortSetup(),
+	})
+	username := mustGetCurrentUser(t).Username
+	rc.AddUser(username, []string{username})
+
+	rcConf := service.MakeDefaultConfig()
+	rcConf.DataDir = t.TempDir()
+	rcConf.Auth.Enabled = true
+	rcConf.Auth.NetworkingConfig.SetProxyListenerMode(types.ProxyListenerMode_Multiplex)
+	rcConf.Auth.Preference.SetSecondFactor("off")
+	rcConf.Proxy.Enabled = true
+	rcConf.Proxy.DisableWebInterface = true
+	rcConf.SSH.Enabled = false
+
+	err := rc.CreateEx(t, nil, rcConf)
+	require.NoError(t, err)
+
+	err = rc.Start()
+	require.NoError(t, err)
+	defer rc.StopAll()
+
+	// Create and start http_proxy server.
+	ps := &proxyServer{}
+	ts := httptest.NewServer(ps)
+	defer ts.Close()
+
+	u, err := url.Parse(ts.URL)
+	require.NoError(t, err)
+
+	t.Setenv("http_proxy", u.Host)
+	t.Setenv("no_proxy", "127.0.0.1")
+
+	rcProxyAddr := net.JoinHostPort(Loopback, rc.GetPortWeb())
+
+	// Start the node, due to no_proxy=127.0.0.1 env variable the connection established
+	// to the proxy should not go through the http_proxy server.
+	_, err = rc.StartNode(makeNodeConfig("first-root-node", rcProxyAddr))
+	require.NoError(t, err)
+
+	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(time.Second*30))
+	defer cancel()
+
+	err = waitForNodeCount(ctx, rc, "root.example.com", 1)
+	require.NoError(t, err)
+
+	require.Zero(t, ps.Count())
+
+	// Unset the no_proxy=127.0.0.1 env variable. After that a new node
+	// should take into account the http_proxy address and connection should go through the http_proxy.
+	require.NoError(t, os.Unsetenv("no_proxy"))
+	_, err = rc.StartNode(makeNodeConfig("second-root-node", rcProxyAddr))
+	require.NoError(t, err)
+	err = waitForNodeCount(ctx, rc, "root.example.com", 2)
+	require.NoError(t, err)
+
+	require.NotZero(t, ps.Count())
+}

lib/reversetunnel/transport.go

@@ -95,7 +95,7 @@ func (t *TunnelAuthDialer) DialContext(ctx context.Context, network string, addr
 		opts = append(opts, proxy.WithALPNDialer())
 	}
 
-	dialer := proxy.DialerFromEnvironment(addr, opts...)
+	dialer := proxy.DialerFromEnvironment(t.ProxyAddr, opts...)
 	sconn, err := dialer.Dial("tcp", t.ProxyAddr, t.ClientConfig)
 	if err != nil {
 		return nil, trace.Wrap(err)