Tunnel GitHub LFS through HTTPS forward proxy

Summary:
Fixes the `Network is unreachable (os error 101)` failure observed on par-msl/jarvis E2E (Sandcastle workflow 1130403506487189108) where gitimport's hyper-openssl HTTPS client tried to reach `github.com:443` directly from a Sandcastle worker. Workers can't route external traffic without going through `http://fwdproxy:8080` — git/curl auto-pick up `https_proxy` env, but Rust hyper-openssl does not.

The GitHub LFS Batch client now wraps its `HttpsConnector` in `hyper_proxy2::ProxyConnector` so each batch POST / signed-URL GET tunnels through the proxy via HTTP CONNECT before the TLS handshake to github.com runs over that tunnel.

**Default**: `http://fwdproxy:8080` (Meta's prod forward proxy). Reaching github.com from any Meta host requires this, so making it the default avoids the footgun of "I forgot to pass --github-lfs-https-proxy and now my run fails after 5 minutes of LFS retries". Override via `--github-lfs-https-proxy <URL>` for a different proxy, or pass `--github-lfs-no-https-proxy` to disable entirely (useful for OSS / outside-Meta runs where github.com is directly reachable).

Implementation notes:

- New `build_github_https_client(proxy_url: Option<String>)` returns `Client<ProxyConnector<HttpsConnector<HttpConnector>>, _>`. `GitHubLfs.client` type changes accordingly. The other LFS modes (Upstream, Internal) are untouched — they talk to intra-DC endpoints and don't need a proxy.
- `from_proxy_unsecured(inner, proxy)` is used because fwdproxy is plain `http://`; the inner `HttpsConnector` still handles TLS to the actual target after CONNECT establishes the tunnel.
- `Intercept::None` (used when proxy is `None`) keeps a single client type whether or not a proxy is configured — avoids a sum type on the client field. Dummy `http://unused.invalid` URI is required by the API but never dialed.
- Both new flags require `--github-lfs-url` (clap `requires`), matching the existing `--github-lfs-token-file` constraint.
- CLI surface: `--github-lfs-https-proxy <URL>` (default `http://fwdproxy:8080`) + `--github-lfs-no-https-proxy` (bool, opt-out).

WWW Sandcastle (`SandcastleGithubMirrorSyncCommand`) doesn't need any change — the default kicks in automatically.

Reviewed By: lmvasquezg

Differential Revision: D106645417

fbshipit-source-id: 8055238d474ddf9f16b821c5515c17940928b006

Author: RajivTS

eden/mononoke/git/gitimport/src/main.rs

@@ -242,6 +242,25 @@ struct GitimportArgs {
     /// hours). Required when `--github-lfs-url` is set.
     #[clap(long, requires = "github_lfs_url")]
     github_lfs_token_file: Option<PathBuf>,
+    /// HTTP forward proxy URL used to tunnel GitHub LFS Batch API requests
+    /// through via HTTP CONNECT. Defaults to Meta's prod forward proxy
+    /// (`http://fwdproxy:8080`), which is required to reach github.com from
+    /// any Meta host (Sandcastle workers, devservers, OD sandboxes). Pair
+    /// with `--github-lfs-no-https-proxy` to disable proxying entirely
+    /// (e.g. when running outside Meta in OSS environments where github.com
+    /// is reachable directly). Only applies to the `--github-lfs-url` code
+    /// path; the other LFS modes ignore it.
+    #[clap(
+        long,
+        requires = "github_lfs_url",
+        default_value = "http://fwdproxy:8080"
+    )]
+    github_lfs_https_proxy: String,
+    /// Disable HTTPS proxying for GitHub LFS Batch requests, overriding the
+    /// default `--github-lfs-https-proxy`. Use when running outside Meta
+    /// (OSS) where github.com is reachable directly without a forward proxy.
+    #[clap(long, requires = "github_lfs_url")]
+    github_lfs_no_https_proxy: bool,
     /// TLS parameters for this service used for outbound LFS connections
     #[clap(flatten)]
     tls_args: Option<TLSArgs>,
@@ -407,9 +426,15 @@ async fn async_main(app: MononokeApp) -> Result<(), Error> {
                         "--github-lfs-token-file is required when --github-lfs-url is set",
                     )
                 })?;
+                let https_proxy = if args.github_lfs_no_https_proxy {
+                    None
+                } else {
+                    Some(args.github_lfs_https_proxy)
+                };
                 GitImportLfs::new_github(
                     github_lfs_url,
                     token_file,
+                    https_proxy,
                     args.allow_dangling_lfs_pointers,
                     args.lfs_import_max_attempts,
                     Some(LFS_SIMULTANEOUS_CONNECTION_LIMIT),

eden/mononoke/git/import_tools/BUCK

@@ -27,6 +27,7 @@ rust_library(
         "fbsource//third-party/rust:http",
         "fbsource//third-party/rust:http-body-util",
         "fbsource//third-party/rust:hyper-openssl",
+        "fbsource//third-party/rust:hyper-proxy2",
         "fbsource//third-party/rust:hyper-util",
         "fbsource//third-party/rust:linked-hash-map",
         "fbsource//third-party/rust:openssl",

eden/mononoke/git/import_tools/Cargo.toml

@@ -36,6 +36,7 @@ gix-object = "0.60.0"
 http = "1.4.0"
 http-body-util = "0.1.0"
 hyper-openssl = { version = "0.10", features = ["client-legacy", "tokio"] }
+hyper-proxy2 = { version = "0.1", features = ["rustls"], default-features = false }
 hyper-util = { version = "0.1.20", features = ["client-legacy", "http1", "http2", "server-auto", "service", "tokio"] }
 lfs_protocol = { version = "0.1.0", path = "../../common/lfs_protocol" }
 linked-hash-map = { version = "0.5", features = ["serde_impl"] }

eden/mononoke/git/import_tools/src/gitlfs.rs

@@ -36,6 +36,9 @@ use http::Uri;
 use http_body_util::BodyExt as _;
 use http_body_util::Full;
 use hyper_openssl::client::legacy::HttpsConnector;
+use hyper_proxy2::Intercept;
+use hyper_proxy2::Proxy;
+use hyper_proxy2::ProxyConnector;
 use hyper_util::client::legacy::Client;
 use hyper_util::client::legacy::connect::HttpConnector;
 use hyper_util::rt::TokioExecutor;
@@ -72,6 +75,13 @@ use tracing::warn;
 fn build_https_client(
     tls_args: Option<TLSArgs>,
 ) -> Result<Client<HttpsConnector<HttpConnector>, Full<Bytes>>, Error> {
+    let connector = build_https_connector(tls_args)?;
+    Ok(Client::builder(TokioExecutor::new()).build(connector))
+}
+
+fn build_https_connector(
+    tls_args: Option<TLSArgs>,
+) -> Result<HttpsConnector<HttpConnector>, Error> {
     let mut ssl_connector = SslConnector::builder(SslMethod::tls_client())?;
     if let Some(tls_args) = tls_args {
         ssl_connector.set_ca_file(tls_args.tls_ca)?;
@@ -80,9 +90,33 @@ fn build_https_client(
     };
     let mut http_connector = HttpConnector::new();
     http_connector.enforce_http(false);
-    let connector =
-        HttpsConnector::with_connector(http_connector, ssl_connector).map_err(Error::from)?;
-    Ok(Client::builder(TokioExecutor::new()).build(connector))
+    HttpsConnector::with_connector(http_connector, ssl_connector).map_err(Error::from)
+}
+
+/// Builds an HTTPS client for the GitHub LFS path, optionally tunneling
+/// HTTPS through an `http://...` forward proxy via CONNECT. Required when
+/// running inside Meta's prod fleet (e.g. Sandcastle workers), where direct
+/// outbound traffic to github.com is blocked and must go through
+/// `http://fwdproxy:8080`. When `proxy_url` is `None` the proxy connector
+/// is configured with `Intercept::None`, which makes it a no-op pass-through
+/// over the underlying `HttpsConnector` (the only reason it's still wrapped
+/// is to keep one client type regardless of whether a proxy is configured).
+fn build_github_https_client(
+    proxy_url: Option<String>,
+) -> Result<Client<ProxyConnector<HttpsConnector<HttpConnector>>, Full<Bytes>>, Error> {
+    let inner = build_https_connector(None)?;
+    let (intercept, proxy_uri) = match proxy_url {
+        Some(url) => {
+            let uri = url
+                .parse::<Uri>()
+                .with_context(|| format!("parsing --https-proxy URL {url}"))?;
+            (Intercept::All, uri)
+        }
+        None => (Intercept::None, "http://unused.invalid".parse::<Uri>()?),
+    };
+    let proxy_connector =
+        ProxyConnector::from_proxy_unsecured(inner, Proxy::new(intercept, proxy_uri));
+    Ok(Client::builder(TokioExecutor::new()).build(proxy_connector))
 }
 
 /// URL pattern used by the upstream LFS server to serve a single object keyed by SHA256.
@@ -187,8 +221,10 @@ pub struct GitHubLfs {
     /// GitHub's per-installation rate limits when importing wide trees).
     conn_limit_sem: Option<Arc<Semaphore>>,
     /// HTTPS client built with the system trust store (no Meta mTLS) so it
-    /// can talk to github.com.
-    client: Client<HttpsConnector<HttpConnector>, Full<Bytes>>,
+    /// can talk to github.com, optionally tunneling through an `http://...`
+    /// forward proxy via CONNECT (required from Sandcastle / prod workers
+    /// where direct outbound traffic to github.com is blocked).
+    client: Client<ProxyConnector<HttpsConnector<HttpConnector>>, Full<Bytes>>,
 }
 
 impl fmt::Debug for GitHubLfs {
@@ -303,19 +339,22 @@ impl GitImportLfs {
     /// Build a `GitImportLfs` that fetches LFS objects from a GitHub LFS Batch
     /// API endpoint authenticated with a GitHub App installation token read
     /// from `token_file`. The HTTPS client is built with the system trust
-    /// store (not Meta mTLS) since it talks to github.com. The token is read
-    /// lazily on first use and re-read from disk after a 401/403, so an
-    /// out-of-process refresher can rotate the file while gitimport is
-    /// running (installation tokens expire after ~1h; large imports take
-    /// several hours).
+    /// store (not Meta mTLS) since it talks to github.com, optionally
+    /// tunneling through `https_proxy_url` via HTTP CONNECT (required from
+    /// Sandcastle / prod workers where direct outbound traffic to github.com
+    /// is blocked). The token is read lazily on first use and re-read from
+    /// disk after a 401/403, so an out-of-process refresher can rotate the
+    /// file while gitimport is running (installation tokens expire after
+    /// ~1h; large imports take several hours).
     pub fn new_github(
         batch_url: String,
         token_file: PathBuf,
+        https_proxy_url: Option<String>,
         allow_not_found: bool,
         max_attempts: u32,
         conn_limit: Option<usize>,
     ) -> Result<Self, Error> {
-        let client = build_https_client(None)?;
+        let client = build_github_https_client(https_proxy_url)?;
         let github = GitHubLfs {
             batch_url,
             token_file,