fix: always verify TLS on aibridgeproxyd upstream transport (#26131) … · coder/coder@6293c89
@@ -303,14 +303,21 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
303303proxy.CertStore = NewCertCache()
304304 }
305305306-// Always set secure TLS defaults, overriding goproxy's default.
307-// This ensures secure TLS connections for:
308-// - HTTPS upstream proxy connections
309-// - MITM'd requests if aibridge uses HTTPS
306+// Override goproxy's default transport, which has InsecureSkipVerify: true.
307+// This applies to all proxy.Tr traffic: MITM'd requests forwarded to aibridge,
308+// passthrough requests, and HTTPS upstream proxy connections. Proxy is
309+// intentionally unset so MITM'd requests go directly to aibridge, never
310+// through an upstream proxy or HTTPS_PROXY env var.
310311rootCAs, err := x509.SystemCertPool()
311312if err != nil {
312313return nil, xerrors.Errorf("failed to load system certificate pool: %w", err)
313314 }
315+proxy.Tr = &http.Transport{
316+TLSClientConfig: &tls.Config{
317+MinVersion: tls.VersionTLS12,
318+RootCAs: rootCAs,
319+ },
320+ }
314321315322srv := &Server{
316323ctx: ctx,
@@ -353,15 +360,6 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
353360 }
354361 }
355362356-// Set transport without Proxy to ensure MITM'd requests go directly to aibridge,
357-// not through any upstream proxy.
358-proxy.Tr = &http.Transport{
359-TLSClientConfig: &tls.Config{
360-MinVersion: tls.VersionTLS12,
361-RootCAs: rootCAs,
362- },
363- }
364-365363// Add custom CA certificate if provided (for corporate proxies with private CAs).
366364// If no CA certificate is provided, the system certificate pool is used.
367365if opts.UpstreamProxyCA != "" {
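Review bot: The transport assigned at new lines 315-320 carries no TLSHandshakeTimeout, IdleConnTimeout or dial timeout, so a stalled TLS handshake toward aibridge or an upstream proxy holds the proxied request open indefinitely unless something outside the hunk overrides proxy.Tr; adding `TLSHandshakeTimeout: 10 * time.Second,` and `IdleConnTimeout: 90 * time.Second,` next to TLSClientConfig (assuming `time` is already imported) would match http.DefaultTransport without reintroducing its Proxy setting. Moving the assignment up also means proxy.Tr captures the rootCAs pointer before the UpstreamProxyCA block at the end of the second hunk runs, which is only correct if that block appends to the pool in place rather than assigning a fresh one to rootCAs; a comment on new line 318 such as `// rootCAs is aliased by proxy.Tr; UpstreamProxyCA handling below must append to it, not replace it.` would record that dependency. Both New and the UpstreamProxyCA branch continue outside the hunks.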