make preemptive authentication work for proxy connections

[jalogisch]

Expected Behavior

All supported proxy methods by OkHttp should work in Graylog.

Current Behavior

2020-12-01T09:34:10.020+01:00 WARN [OkHttpClientProvider$ProxyAuthenticator] Graylog only supports the "basic" authentication scheme but the proxy server asks for one of the following: [okhttp-preemptive]

Possible Solution

Updating OkHttp and enable the feature, since version 3.12 this preemptive auth is supported ( https://github.com/square/okhttp/issues/2435#issuecomment-438519500 )

Your Environment

• Graylog Version: 3.3 / 4.0

[z#844364]

[bernd]

When we implemented proxy authentication for okhttp there was no preemptive authentication support. It has been added in https://github.com/square/okhttp/pull/4376 and is available since okhttp 3.12.

Since then okhttp is calling the proxy authenticator with a OkHttp-Preemptive challenge scheme before connecting to the proxy when the http_proxy_uri contains credentials. Our code only supports the Basic scheme so far. To support OkHttp-Preemptive as well, we need to adjust the following code. Because allowing preemptive authentication can have security implications (sending credentials to a proxy without knowing if they are actually needed), we should probably introduce a config option to enable it. (e.g. http_proxy_allow_preemptive_authentication - disabled by default)

Not supporting preemtive authentication doesn't mean proxy authentication doesn't work. The HTTP client will use reactive authentication as fallback automatically. Using preemptive authentication just improves the connection time because it saves one roundtrip to the proxy server.

https://github.com/Graylog2/graylog2-server/blob/02b507027d1a3d5889eed14103a0e760a4fd989d/graylog2-server/src/main/java/org/graylog2/shared/bindings/providers/OkHttpClientProvider.java#L151-L167

[devatnull]

Hello, is there a plan to support this type of proxy anytime soon?