From 188035fb6d9c397b017f317542073bb1b76ea46d Mon Sep 17 00:00:00 2001 From: yhirose Date: Thu, 12 Mar 2026 22:57:11 -0400 Subject: [PATCH] Add a test for the previous change --- test/proxy/basic_squid.conf | 1 + test/proxy/digest_squid.conf | 1 + test/test_proxy.cc | 49 ++++++++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+) diff --git a/test/proxy/basic_squid.conf b/test/proxy/basic_squid.conf index e9d1aeb..1a3ec24 100644 --- a/test/proxy/basic_squid.conf +++ b/test/proxy/basic_squid.conf @@ -15,6 +15,7 @@ acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 +acl SSL_ports port 1025-65535 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https diff --git a/test/proxy/digest_squid.conf b/test/proxy/digest_squid.conf index f38135f..90b9da5 100644 --- a/test/proxy/digest_squid.conf +++ b/test/proxy/digest_squid.conf @@ -15,6 +15,7 @@ acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 +acl SSL_ports port 1025-65535 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https diff --git a/test/test_proxy.cc b/test/test_proxy.cc index 66c8ef6..e878647 100644 --- a/test/test_proxy.cc +++ b/test/test_proxy.cc 
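Review bot: The new `acl SSL_ports port 1025-65535` line in basic_squid.conf has no comment, so nothing tells a reader that it exists only because the test HTTPS server is bound with `bind_to_any_port` and the redirect to `https://host.docker.internal:<port>/` has to be tunnelled with CONNECT to whatever ephemeral port that is. It also widens the proxy's CONNECT allow-list to every unprivileged port, which is fine for the isolated test container but is the kind of line that gets copied into a real config without the context; suggest `# allow CONNECT to ephemeral ports used by the test HTTPS servers (bind_to_any_port)` directly above it. The identical hunk in digest_squid.conf needs the same comment.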
@@ -109,6 +109,55 @@ TEST(RedirectTest, YouTubeSSLDigest) { // ---------------------------------------------------------------------------- +#ifdef CPPHTTPLIB_SSL_ENABLED +TEST(RedirectTest, TLSVerificationOnProxyRedirect) { + // Untrusted HTTPS server with self-signed cert + SSLServer untrusted_svr("cert.pem", "key.pem"); + untrusted_svr.Get("/", [](const Request &, Response &res) { + res.set_content("MITM'd", "text/plain"); + }); + + auto untrusted_port = untrusted_svr.bind_to_any_port("0.0.0.0"); + auto t1 = thread([&]() { untrusted_svr.listen_after_bind(); }); + auto se1 = detail::scope_exit([&] { + untrusted_svr.stop(); + t1.join(); + }); + + // HTTP server that redirects to the untrusted HTTPS server + // Use host.docker.internal so the proxy container can reach the host + Server redirect_svr; + redirect_svr.Get("/", [&](const Request &, Response &res) { + res.set_redirect( + "https://host.docker.internal:" + to_string(untrusted_port) + "/"); + }); + + auto redirect_port = redirect_svr.bind_to_any_port("0.0.0.0"); + auto t2 = thread([&]() { redirect_svr.listen_after_bind(); }); + auto se2 = detail::scope_exit([&] { + redirect_svr.stop(); + t2.join(); + }); + + // Wait until servers are up + untrusted_svr.wait_until_ready(); + redirect_svr.wait_until_ready(); + + // Client with proxy + follow_location, verification ON (default) + Client cli("host.docker.internal", redirect_port); + cli.set_proxy("localhost", 3128); + cli.set_proxy_basic_auth("hello", "world"); + cli.set_follow_location(true); + + auto res = cli.Get("/"); + + // Self-signed cert must be rejected + ASSERT_TRUE(res == nullptr); +} +#endif + +// ---------------------------------------------------------------------------- + template void BaseAuthTestFromHTTPWatch(T &cli) { cli.set_proxy("localhost", 3128); cli.set_proxy_basic_auth("hello", "world");
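Review bot: `ASSERT_TRUE(res == nullptr)` at the end of TLSVerificationOnProxyRedirect accepts any failure, not specifically a rejected certificate: an unreachable proxy, a CONNECT refused for the ephemeral port, or a broken redirect would also leave `res` null, so the test would most likely have passed even without the accompanying squid.conf change. Asserting the error kind pins the intended behaviour, e.g. `ASSERT_FALSE(res);` followed by `EXPECT_EQ(Error::SSLServerVerification, res.error());` — this assumes the redirect path propagates the SSL client's error into the outer Result, which is worth confirming. A positive control that trusts the test certificate with `cli.set_ca_cert_path("cert.pem")` and expects the `MITM'd` body would additionally show that the proxy-tunnelled redirect is actually reached rather than failing earlier. The `BaseAuthTestFromHTTPWatch` template at the end of the hunk continues outside it.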