fix: always verify TLS on aibridgeproxyd upstream transport (#26131) … · coder/coder@d875dd1
@@ -289,14 +289,21 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
289289proxy.CertStore = NewCertCache()
290290 }
291291292-// Always set secure TLS defaults, overriding goproxy's default.
293-// This ensures secure TLS connections for:
294-// - HTTPS upstream proxy connections
295-// - MITM'd requests if aibridge uses HTTPS
292+// Override goproxy's default transport, which has InsecureSkipVerify: true.
293+// This applies to all proxy.Tr traffic: MITM'd requests forwarded to aibridge,
294+// passthrough requests, and HTTPS upstream proxy connections. Proxy is
295+// intentionally unset so MITM'd requests go directly to aibridge, never
296+// through an upstream proxy or HTTPS_PROXY env var.
296297rootCAs, err := x509.SystemCertPool()
297298if err != nil {
298299return nil, xerrors.Errorf("failed to load system certificate pool: %w", err)
299300 }
301+proxy.Tr = &http.Transport{
302+TLSClientConfig: &tls.Config{
303+MinVersion: tls.VersionTLS12,
304+RootCAs: rootCAs,
305+ },
306+ }
300307301308srv := &Server{
302309ctx: ctx,
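Review bot: The new `http.Transport` literal at lines 301–306 sets only `TLSClientConfig`, so it carries no `TLSHandshakeTimeout`, `IdleConnTimeout` or `ResponseHeaderTimeout`; a stalled aibridge or upstream-proxy peer can therefore hold a proxied request open indefinitely, and since this code now owns the transport instead of goproxy's default it is the right place to fix that. Consider adding at least `TLSHandshakeTimeout: 10 * time.Second,` and `IdleConnTimeout: 90 * time.Second,` (the values `http.DefaultTransport` uses) inside the literal, importing `time` if the file does not already. Separately, the transport is built right after `rootCAs` is loaded, ahead of the `opts.UpstreamProxyCA` branch that follows the second hunk; that branch presumably appends to the same pool in place, which the `tls.Config` pointer will observe, but if it ever replaced `rootCAs` with a fresh pool the transport would silently keep the system-only pool, so a comment such as `// rootCAs is shared with proxy.Tr; append to it, never reassign it.` above the `x509.SystemCertPool()` call would pin that invariant. The enclosing `New` function starts and ends outside this hunk.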
@@ -333,15 +340,6 @@ func New(ctx context.Context, logger slog.Logger, opts Options) (*Server, error)
333340 }
334341 }
335342336-// Set transport without Proxy to ensure MITM'd requests go directly to aibridge,
337-// not through any upstream proxy.
338-proxy.Tr = &http.Transport{
339-TLSClientConfig: &tls.Config{
340-MinVersion: tls.VersionTLS12,
341-RootCAs: rootCAs,
342- },
343- }
344-345343// Add custom CA certificate if provided (for corporate proxies with private CAs).
346344// If no CA certificate is provided, the system certificate pool is used.
347345if opts.UpstreamProxyCA != "" {