From c5550d28edaec1a4ab8b1fb87098b80491f0fda3 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey <cdoxsey@pomerium.com>
Date: Fri, 8 Apr 2022 11:07:37 -0600
Subject: [PATCH] config: fix DefaultTransport so it is still a *http.Transport
 (#3257)

* config: fix DefaultTransport so it is still a *http.Transport

* remove printlns

* Update config/http.go

Co-authored-by: Denis Mishin <dmishin@pomerium.com>

* remove unnecessary check

Co-authored-by: Denis Mishin <dmishin@pomerium.com>
---
 config/http.go | 64 ++++++++++++++++++++------------------------------
 1 file changed, 25 insertions(+), 39 deletions(-)

diff --git a/config/http.go b/config/http.go
index e858db89b..aeceedd9a 100644
--- a/config/http.go
+++ b/config/http.go
@@ -3,63 +3,49 @@ package config
 import (
 	"context"
 	"crypto/tls"
+	"net"
 	"net/http"
-	"sync/atomic"
+	"sync"
 
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/tripper"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
-
-	"github.com/rs/zerolog"
 )
 
-type httpTransport struct {
-	underlying *http.Transport
-	transport  atomic.Value
-}
-
 // NewHTTPTransport creates a new http transport. If CA or CAFile is set, the transport will
 // add the CA to system cert pool.
-func NewHTTPTransport(src Source) http.RoundTripper {
-	ctx := log.WithContext(context.TODO(), func(c zerolog.Context) zerolog.Context {
-		return c.Caller()
-	})
-	t := new(httpTransport)
-	t.underlying, _ = http.DefaultTransport.(*http.Transport)
-	src.OnConfigChange(ctx, func(ctx context.Context, cfg *Config) {
-		t.update(ctx, cfg.Options)
-	})
-	t.update(ctx, src.GetConfig().Options)
-	return t
-}
-
-func (t *httpTransport) update(ctx context.Context, options *Options) {
-	nt := new(http.Transport)
-	if t.underlying != nil {
-		nt = t.underlying.Clone()
-	}
-	if options.CA != "" || options.CAFile != "" {
-		rootCAs, err := cryptutil.GetCertPool(options.CA, options.CAFile)
+func NewHTTPTransport(src Source) *http.Transport {
+	var (
+		lock      sync.Mutex
+		tlsConfig *tls.Config
+	)
+	update := func(ctx context.Context, cfg *Config) {
+		rootCAs, err := cryptutil.GetCertPool(cfg.Options.CA, cfg.Options.CAFile)
 		if err == nil {
-			nt.TLSClientConfig = &tls.Config{
+			lock.Lock()
+			tlsConfig = &tls.Config{
 				RootCAs:    rootCAs,
 				MinVersion: tls.VersionTLS12,
 			}
+			lock.Unlock()
 		} else {
 			log.Error(ctx).Err(err).Msg("config: error getting cert pool")
 		}
 	}
-	t.transport.Store(nt)
-}
+	src.OnConfigChange(context.Background(), update)
+	update(context.Background(), src.GetConfig())
 
-// RoundTrip executes an HTTP request.
-func (t *httpTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	return t.transport.Load().(http.RoundTripper).RoundTrip(req)
-}
-
-// Clone returns a clone of the transport.
-func (t *httpTransport) Clone() *http.Transport {
-	return t.transport.Load().(*http.Transport).Clone()
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+		lock.Lock()
+		d := &tls.Dialer{
+			Config: tlsConfig,
+		}
+		lock.Unlock()
+		return d.DialContext(ctx, network, addr)
+	}
+	transport.ForceAttemptHTTP2 = true
+	return transport
 }
 
 // NewPolicyHTTPTransport creates a new http RoundTripper for a policy.