ProxyAgent configure requestTls per origin

[ayhernandez-godaddy]

👋 Hello. When using the Agent, I can configure it as a global dispatcher such that it can pass client certificates to origins that require it. For example,

setGlobalDispatcher(new Agent({
  factory(origin, opts) {
    if (origin === 'mysecureapi.com') {
      opts.connect = {
        cert: '...',
        key: '...'
      };
    }
    return new Pool(origin, opts);
  }
}));

// Doesn't pass the client cert ✅
undici.request('https://otherapi.com/foo', ...);

// Passes the client cert ✅
undici.request('https://mysecureapi.com/baz', ...);

Now let's suppose I want to replace the global dispatcher above with a ProxyAgent. I'm not seeing a way to set it up so that only requests to mysecureapi.com have a client cert sent, because it doesn't look like the requestTls field can be configured per origin.

Is there anything I'm misunderstanding with how ProxyAgent is intended to be used, or is this just a new feature to be added?

[metcoder95]

The ProxyAgent supports the clientFactory option you can use to customize the client instantiation and add the attached certs as you need based on the origin: https://undici.nodejs.org/#/docs/api/ProxyAgent?id=parameter-proxyagentoptions

The strategy should be similar as the example you shared

[ayhernandez-godaddy]

Looks like clientFactory is only called once on initialization, and it is passed the proxy url not the request origin: https://github.com/nodejs/undici/blob/main/lib/dispatcher/proxy-agent.js#L63

[metcoder95]

True, I oversaw that; it is meant to handle the Proxy connection, sorry for the confusion. I should factory instead, that one is forwarded to the Agent as it's used underneath.

I'd say the ProxyAgent is meant for single origin Proxy but multiple-origin requests as it uses the Agent under the hood.

[ayhernandez-godaddy]

I think this line of code means that even trying to use factory doesn't work. Correct me if I'm wrong, but the fact that the connector for the tunneled requests is created only once here means it's not possible to configure tls settings on a per-origin basis.

I'd say the ProxyAgent is meant for single origin Proxy but multiple-origin requests

That is my use case I'm outlining above, the intent is that the requests for otherapi.com and mysecureapi.com are both sent through the same proxy origin, e.g., myproxy.com is able to open a tunnel for both of those requests. And the issue I'm running into is I'm not currently seeing a way to have the client certificate passed only when mysecureapi.com is called through the ProxyAgent

[metcoder95]

Ah got it now, see what you are trying to achieve.
Yeah, the short answer is that it cannot be done in that way; you can have two different ProxyAgents set and used on the Agent#factory that alters this based on the origin you are looking for, but currently, ProxyAgent does not support that level of granularity.

But I see a potential use case there that will be worth it to explore, would you like to open a PR for it?

[mcollina]

The solution is to have a "MetaAgent", that delegates to another Agent depending on the origin. You can see some similar logic at https://github.com/mcollina/fastify-undici-dispatcher/blob/main/index.js.

[ayhernandez-godaddy]

Setting different ProxyAgents based on origin in Agent#factory works for me. Thank you for the suggestions!