From cb946e772731265cec673ad9f2d045a3706ba649 Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Mon, 13 Jan 2020 15:03:52 -0600
Subject: [PATCH 1/6] [Heartbeat] Pass TLS options to forward proxies

---
 heartbeat/monitors/active/http/http.go        |  1 +
 .../common/transport/tlscommon/tls_config.go  | 23 ++++++++++++-------
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/heartbeat/monitors/active/http/http.go b/heartbeat/monitors/active/http/http.go
index b033058b4a23..ef6c43b9c58f 100644
--- a/heartbeat/monitors/active/http/http.go
+++ b/heartbeat/monitors/active/http/http.go
@@ -138,6 +138,7 @@ func newRoundTripper(config *Config, tls *transport.TLSConfig) (*http.Transport,
 		Proxy:             proxy,
 		Dial:              dialer.Dial,
 		DialTLS:           tlsDialer.Dial,
+		TLSClientConfig:   tls.ToConfig(),
 		DisableKeepAlives: true,
 	}, nil
 }
diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index 44331b08c74f..db1bbc819a79 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -66,13 +66,9 @@ type TLSConfig struct {
 	ClientAuth tls.ClientAuthType
 }
 
-// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.
-func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
-	if c == nil {
-		// use default TLS settings, if config is empty.
-		return &tls.Config{ServerName: host}
-	}
-
+// ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with
+// ServerName set, use that method for servers with SNI.
+func (c *TLSConfig) ToConfig() *tls.Config {
 	minVersion, maxVersion := extractMinMaxVersion(c.Versions)
 	insecure := c.Verification != VerifyFull
 	if insecure {
@@ -80,7 +76,6 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
 	}
 
 	return &tls.Config{
-		ServerName:         host,
 		MinVersion:         minVersion,
 		MaxVersion:         maxVersion,
 		Certificates:       c.Certificates,
@@ -93,3 +88,15 @@ func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
 		ClientAuth:         c.ClientAuth,
 	}
 }
+
+// BuildModuleConfig takes the TLSConfig and transform it into a `tls.Config`.
+func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config {
+	if c == nil {
+		// use default TLS settings, if config is empty.
+		return &tls.Config{ServerName: host}
+	}
+
+	config := c.ToConfig()
+	config.ServerName = host
+	return config
+}

From 95115faeffd63ff27c8a15d2f06911f555720fb3 Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Thu, 23 Jan 2020 16:47:11 -0600
Subject: [PATCH 2/6] Add test

---
 heartbeat/monitors/active/http/http_test.go | 29 +++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/heartbeat/monitors/active/http/http_test.go b/heartbeat/monitors/active/http/http_test.go
index 9066306de86e..8d64dbd40257 100644
--- a/heartbeat/monitors/active/http/http_test.go
+++ b/heartbeat/monitors/active/http/http_test.go
@@ -39,6 +39,7 @@ import (
 	"github.com/elastic/beats/libbeat/beat"
 	"github.com/elastic/beats/libbeat/common"
 	"github.com/elastic/beats/libbeat/common/file"
+	"github.com/elastic/beats/libbeat/outputs/transport"
 	btesting "github.com/elastic/beats/libbeat/testing"
 	"github.com/elastic/go-lookslike"
 	"github.com/elastic/go-lookslike/isdef"
@@ -498,3 +499,31 @@ func TestRedirect(t *testing.T) {
 		event.Fields,
 	)
 }
+
+func TestNewRoundTripper(t *testing.T) {
+	configs := map[string]Config{
+		"Plain":      {Timeout: time.Second},
+		"With Proxy": {Timeout: time.Second, ProxyURL: "http://localhost:1234"},
+	}
+
+	for name, config := range configs {
+		t.Run(name, func(t *testing.T) {
+			transp, err := newRoundTripper(&config, &transport.TLSConfig{})
+			require.NoError(t, err)
+
+			if config.ProxyURL == "" {
+				require.Nil(t, transp.Proxy)
+			} else {
+				require.NotNil(t, transp.Proxy)
+			}
+
+			// It's hard to compare func types in tests
+			require.NotNil(t, transp.Dial)
+			require.NotNil(t, transport.TLSDialer)
+
+			require.Equal(t, (&transport.TLSConfig{}).ToConfig(), transp.TLSClientConfig)
+			require.True(t, transp.DisableKeepAlives)
+		})
+	}
+
+}

From 5b9c22dae049e854711f121ea5230e2a7d2d931b Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Fri, 24 Jan 2020 08:08:14 -0600
Subject: [PATCH 3/6] Handle nil configs

---
 libbeat/common/transport/tlscommon/tls_config.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index db1bbc819a79..7054a73bec8e 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -69,6 +69,10 @@ type TLSConfig struct {
 // ToConfig generates a tls.Config object. Note, you must use BuildModuleConfig to generate a config with
 // ServerName set, use that method for servers with SNI.
 func (c *TLSConfig) ToConfig() *tls.Config {
+	if c == nil {
+		return nil
+	}
+
 	minVersion, maxVersion := extractMinMaxVersion(c.Versions)
 	insecure := c.Verification != VerifyFull
 	if insecure {

From 7390d057bba8cf20851657b3554f8bc367a8a06c Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Fri, 24 Jan 2020 08:09:41 -0600
Subject: [PATCH 4/6] Handle nil configs correctly

---
 libbeat/common/transport/tlscommon/tls_config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libbeat/common/transport/tlscommon/tls_config.go b/libbeat/common/transport/tlscommon/tls_config.go
index 7054a73bec8e..a7e69ea3ab49 100644
--- a/libbeat/common/transport/tlscommon/tls_config.go
+++ b/libbeat/common/transport/tlscommon/tls_config.go
@@ -70,7 +70,7 @@ type TLSConfig struct {
 // ServerName set, use that method for servers with SNI.
 func (c *TLSConfig) ToConfig() *tls.Config {
 	if c == nil {
-		return nil
+		return &tls.Config{}
 	}
 
 	minVersion, maxVersion := extractMinMaxVersion(c.Versions)

From 5a4e09c98180fed5321750b5f1ab5e8eca07f8ab Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Fri, 24 Jan 2020 16:44:45 -0600
Subject: [PATCH 5/6] Add to other beats

---
 libbeat/kibana/client.go                | 5 +++--
 libbeat/outputs/elasticsearch/client.go | 7 ++++---
 metricbeat/helper/http.go               | 7 ++++---
 x-pack/filebeat/input/httpjson/input.go | 1 +
 4 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/libbeat/kibana/client.go b/libbeat/kibana/client.go
index a690180d6bcc..c5154dd2bba6 100644
--- a/libbeat/kibana/client.go
+++ b/libbeat/kibana/client.go
@@ -136,8 +136,9 @@ func NewClientWithConfig(config *ClientConfig) (*Client, error) {
 			Password: password,
 			HTTP: &http.Client{
 				Transport: &http.Transport{
-					Dial:    dialer.Dial,
-					DialTLS: tlsDialer.Dial,
+					Dial:            dialer.Dial,
+					DialTLS:         tlsDialer.Dial,
+					TLSClientConfig: tlsConfig.ToConfig(),
 				},
 				Timeout: config.Timeout,
 			},
diff --git a/libbeat/outputs/elasticsearch/client.go b/libbeat/outputs/elasticsearch/client.go
index 5692fe12a7d4..10541f080131 100644
--- a/libbeat/outputs/elasticsearch/client.go
+++ b/libbeat/outputs/elasticsearch/client.go
@@ -213,9 +213,10 @@ func NewClient(
 			Headers:  s.Headers,
 			http: &http.Client{
 				Transport: &http.Transport{
-					Dial:    dialer.Dial,
-					DialTLS: tlsDialer.Dial,
-					Proxy:   proxy,
+					Dial:            dialer.Dial,
+					DialTLS:         tlsDialer.Dial,
+					TLSClientConfig: s.TLS.ToConfig(),
+					Proxy:           proxy,
 				},
 				Timeout: s.Timeout,
 			},
diff --git a/metricbeat/helper/http.go b/metricbeat/helper/http.go
index a65678325c57..1dde8cd3a622 100644
--- a/metricbeat/helper/http.go
+++ b/metricbeat/helper/http.go
@@ -96,9 +96,10 @@ func newHTTPFromConfig(config Config, name string, hostData mb.HostData) (*HTTP,
 		hostData: hostData,
 		client: &http.Client{
 			Transport: &http.Transport{
-				Dial:    dialer.Dial,
-				DialTLS: tlsDialer.Dial,
-				Proxy:   http.ProxyFromEnvironment,
+				Dial:            dialer.Dial,
+				DialTLS:         tlsDialer.Dial,
+				TLSClientConfig: tlsConfig.ToConfig(),
+				Proxy:           http.ProxyFromEnvironment,
 			},
 			Timeout: config.Timeout,
 		},
diff --git a/x-pack/filebeat/input/httpjson/input.go b/x-pack/filebeat/input/httpjson/input.go
index 798766f3a433..8ba0c6550de4 100644
--- a/x-pack/filebeat/input/httpjson/input.go
+++ b/x-pack/filebeat/input/httpjson/input.go
@@ -260,6 +260,7 @@ func (in *httpjsonInput) run() error {
 		Transport: &http.Transport{
 			Dial:              dialer.Dial,
 			DialTLS:           tlsDialer.Dial,
+			TLSClientConfig:   tlsConfig.ToConfig(),
 			DisableKeepAlives: true,
 		},
 		Timeout: in.config.HTTPClientTimeout,

From 19658f3d1b57c192e323ed3c7c8328ee9a583a12 Mon Sep 17 00:00:00 2001
From: Andrew Cholakian <andrew@andrewvc.com>
Date: Mon, 27 Jan 2020 08:00:35 -0600
Subject: [PATCH 6/6] Add changelog

---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 705e5aeebfdb..df603a71bc38 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -44,6 +44,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix missing output in dockerlogbeat {pull}15719[15719]
 - Fix logging target settings being ignored when Beats are started via systemd or docker. {issue}12024[12024] {pull}15422[15442]
 - Do not load dashboards where not available. {pull}15802[15802]
+- Fix issue where TLS settings would be ignored when a forward proxy was in use. {pull}15516{15516}
 
 *Auditbeat*