Skip to content

fix(http): preserve TLS options for proxy tunnels#10957

Merged
jasonsaayman merged 1 commit into
v1.xfrom
fix/issue-10953-proxy-origin-tls
May 28, 2026
Merged

fix(http): preserve TLS options for proxy tunnels#10957
jasonsaayman merged 1 commit into
v1.xfrom
fix/issue-10953-proxy-origin-tls

Conversation

@jasonsaayman

@jasonsaayman jasonsaayman commented May 28, 2026
edited by cubic-dev-ai Bot
Loading

Copy link
Copy Markdown
Member

Summary

Fixes a Node HTTP adapter regression where custom httpsAgent TLS options were not applied to the tunneled HTTPS origin after CONNECT proxy setup.

Linked issue

Closes #10953

Changes

  • Merge user httpsAgent.options into the HttpsProxyAgent callback options used for the post-CONNECT TLS upgrade.
  • Add an HTTP CONNECT proxy regression test with a self-signed HTTPS origin trusted via httpsAgent.ca.
  • Record the bug fix in the pre-release changelog.

Checklist

  • Tests added or updated (or N/A with reason)
  • Docs / types updated if public API changed (index.d.ts and index.d.cts)
  • No breaking changes (or called out explicitly above)

Summary by cubic

Fixes a Node HTTP adapter regression that dropped httpsAgent TLS options (e.g., ca, rejectUnauthorized) when connecting to an HTTPS origin through a CONNECT proxy. Restores expected TLS behavior for tunneled requests.

Description

  • Summary of changes
    • Merge user httpsAgent.options into HttpsProxyAgent constructor and its callback so post-CONNECT TLS uses the same options.
    • Add an integration test for CONNECT → HTTPS with a self-signed origin trusted via httpsAgent.ca.
    • Add a pre-release changelog entry.
  • Reasoning
    • Without forwarding these options, tunneled HTTPS requests could not trust custom CAs or honor rejectUnauthorized, causing failures.
  • Additional context

Docs

  • Propose a brief note in /docs/ explaining that httpsAgent TLS options are honored for HTTPS origins behind HTTP CONNECT proxies, with an example showing proxy + httpsAgent (custom ca, rejectUnauthorized).

Testing

  • Added an integration test that sets up:
    • An HTTP proxy handling CONNECT.
    • An HTTPS origin with a self-signed cert.
    • A request using httpsAgent.ca to trust the origin and verify payload and plaintext is not leaked.
  • Updated a unit test name to reflect constructor-option merging. No other test changes required.

Semantic version impact

  • Patch: bug fix with no API changes.

Written for commit 1b359a8. Summary will update on new commits.

Review in cubic

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 28, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

@jasonsaayman jasonsaayman self-assigned this May 28, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix labels May 28, 2026
@jasonsaayman jasonsaayman merged commit 3dec28f into v1.x May 28, 2026
29 checks passed
@jasonsaayman jasonsaayman deleted the fix/issue-10953-proxy-origin-tls branch May 28, 2026 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Assignees

@jasonsaayman jasonsaayman

Labels

commit::fix The PR is related to a bugfix priority::medium A medium priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Problem handling self signed cert for proxy in 1.16.1

1 participant

@jasonsaayman