Add a test for the previous change

2026-04-11 11:18:30 +00:00 · 2026-03-12 22:57:11 -04:00
parent 125272f34b
commit 188035fb6d
3 changed files with 51 additions and 0 deletions
--- a/test/proxy/basic_squid.conf
+++ b/test/proxy/basic_squid.conf
@@ -15,6 +15,7 @@ acl localnet src fc00::/7       	# RFC 4193 local private network range
 acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

 acl SSL_ports port 443
+acl SSL_ports port 1025-65535
 acl Safe_ports port 80		# http
 acl Safe_ports port 21		# ftp
 acl Safe_ports port 443		# https
--- a/test/proxy/digest_squid.conf
+++ b/test/proxy/digest_squid.conf
@@ -15,6 +15,7 @@ acl localnet src fc00::/7       	# RFC 4193 local private network range
 acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

 acl SSL_ports port 443
+acl SSL_ports port 1025-65535
 acl Safe_ports port 80		# http
 acl Safe_ports port 21		# ftp
 acl Safe_ports port 443		# https
--- a/test/test_proxy.cc
+++ b/test/test_proxy.cc
@@ -109,6 +109,55 @@ TEST(RedirectTest, YouTubeSSLDigest) {

 // ----------------------------------------------------------------------------

+#ifdef CPPHTTPLIB_SSL_ENABLED
+TEST(RedirectTest, TLSVerificationOnProxyRedirect) {
+  // Untrusted HTTPS server with self-signed cert
+  SSLServer untrusted_svr("cert.pem", "key.pem");
+  untrusted_svr.Get("/", [](const Request &, Response &res) {
+    res.set_content("MITM'd", "text/plain");
+  });
+
+  auto untrusted_port = untrusted_svr.bind_to_any_port("0.0.0.0");
+  auto t1 = thread([&]() { untrusted_svr.listen_after_bind(); });
+  auto se1 = detail::scope_exit([&] {
+    untrusted_svr.stop();
+    t1.join();
+  });
+
+  // HTTP server that redirects to the untrusted HTTPS server
+  // Use host.docker.internal so the proxy container can reach the host
+  Server redirect_svr;
+  redirect_svr.Get("/", [&](const Request &, Response &res) {
+    res.set_redirect(
+        "https://host.docker.internal:" + to_string(untrusted_port) + "/");
+  });
+
+  auto redirect_port = redirect_svr.bind_to_any_port("0.0.0.0");
+  auto t2 = thread([&]() { redirect_svr.listen_after_bind(); });
+  auto se2 = detail::scope_exit([&] {
+    redirect_svr.stop();
+    t2.join();
+  });
+
+  // Wait until servers are up
+  untrusted_svr.wait_until_ready();
+  redirect_svr.wait_until_ready();
+
+  // Client with proxy + follow_location, verification ON (default)
+  Client cli("host.docker.internal", redirect_port);
+  cli.set_proxy("localhost", 3128);
+  cli.set_proxy_basic_auth("hello", "world");
+  cli.set_follow_location(true);
+
+  auto res = cli.Get("/");
+
+  // Self-signed cert must be rejected
+  ASSERT_TRUE(res == nullptr);
+}
+#endif
+
+// ----------------------------------------------------------------------------
+
 template <typename T> void BaseAuthTestFromHTTPWatch(T &cli) {
  cli.set_proxy("localhost", 3128);
  cli.set_proxy_basic_auth("hello", "world");