fix: always verify TLS on aibridgeproxyd upstream transport (#26131) … · coder/coder@0374b00
@@ -290,14 +290,21 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
290290proxy.CertStore = NewCertCache()
291291 }
292292293-// Always set secure TLS defaults, overriding goproxy's default.
294-// This ensures secure TLS connections for:
295-// - HTTPS upstream proxy connections
296-// - MITM'd requests if aibridge uses HTTPS
293+// Override goproxy's default transport, which has InsecureSkipVerify: true.
294+// This applies to all proxy.Tr traffic: MITM'd requests forwarded to aibridge,
295+// passthrough requests, and HTTPS upstream proxy connections. Proxy is
296+// intentionally unset so MITM'd requests go directly to aibridge, never
297+// through an upstream proxy or HTTPS_PROXY env var.
297298rootCAs, err := x509.SystemCertPool()
298299if err != nil {
299300return nil, xerrors.Errorf("failed to load system certificate pool: %w", err)
300301 }
302+proxy.Tr = &http.Transport{
303+TLSClientConfig: &tls.Config{
304+MinVersion: tls.VersionTLS12,
305+RootCAs: rootCAs,
306+ },
307+ }
301308302309srv := &Server{
303310ctx: ctx,
@@ -334,15 +341,6 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
334341 }
335342 }
336343337-// Set transport without Proxy to ensure MITM'd requests go directly to aibridge,
338-// not through any upstream proxy.
339-proxy.Tr = &http.Transport{
340-TLSClientConfig: &tls.Config{
341-MinVersion: tls.VersionTLS12,
342-RootCAs: rootCAs,
343- },
344- }
345-346344// Add custom CA certificate if provided (for corporate proxies with private CAs).
347345// If no CA certificate is provided, the system certificate pool is used.
348346if opts.UpstreamProxyCA != "" {
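Review bot: The `http.Transport` assigned to `proxy.Tr` at new lines 302-307 is zero-valued apart from `TLSClientConfig`, so it carries none of `http.DefaultTransport`'s limits — no `TLSHandshakeTimeout`, `IdleConnTimeout`, `ResponseHeaderTimeout` or dial timeout — and a stalled upstream handshake or an unresponsive aibridge can hold a goroutine and connection open indefinitely. The removed block at old lines 339-344 had the same shape, so this is pre-existing rather than introduced here, but the move is the natural place to add e.g. `TLSHandshakeTimeout: 10 * time.Second,` and `IdleConnTimeout: 90 * time.Second,` next to `TLSClientConfig` (constructed sample values; align them with whatever `New` uses elsewhere). A second effect of the move is ordering: the `opts.UpstreamProxyCA` block at new line 346 now runs after the transport is built, which is fine if it appends to `rootCAs` in place but silently leaves the transport on the original pool if it ever reassigns `rootCAs`; worth confirming, since that block's body is outside the hunk. The enclosing `New` starts before and continues past both hunks.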