fix(proxy): forward Proxy-Authorization header to HTTPS proxies for HTTP targets (#2872)

Closes #2870

Author: 0x676e67

src/proxy.rs

@@ -2,6 +2,7 @@ use std::error::Error;
 use std::fmt;
 use std::sync::Arc;
 
+use http::uri::Scheme;
 use http::{header::HeaderValue, HeaderMap, Uri};
 use hyper_util::client::proxy::matcher;
 
@@ -452,12 +453,12 @@ impl Proxy {
 }
 
 fn cache_maybe_has_http_auth(url: &Url, extra: &Option<HeaderValue>) -> bool {
- url.scheme() == "http"
+ (url.scheme() == "http" || url.scheme() == "https")
  && (url.username().len() > 0 || url.password().is_some() || extra.is_some())
 }
 
 fn cache_maybe_has_http_custom_headers(url: &Url, extra: &Option<HeaderMap>) -> bool {
- url.scheme() == "http" && extra.is_some()
+ (url.scheme() == "http" || url.scheme() == "https") && extra.is_some()
 }
 
 impl fmt::Debug for Proxy {
@@ -551,7 +552,8 @@ impl Matcher {
 
  pub(crate) fn http_non_tunnel_basic_auth(&self, dst: &Uri) -> Option<HeaderValue> {
  if let Some(proxy) = self.intercept(dst) {
- if proxy.uri().scheme_str() == Some("http") {
+ let scheme = proxy.uri().scheme();
+ if scheme == Some(&Scheme::HTTP) || scheme == Some(&Scheme::HTTPS) {
  return proxy.basic_auth().cloned();
  }
  }
@@ -565,7 +567,8 @@ impl Matcher {
 
  pub(crate) fn http_non_tunnel_custom_headers(&self, dst: &Uri) -> Option<HeaderMap> {
  if let Some(proxy) = self.intercept(dst) {
- if proxy.uri().scheme_str() == Some("http") {
+ let scheme = proxy.uri().scheme();
+ if scheme == Some(&Scheme::HTTP) || scheme == Some(&Scheme::HTTPS) {
  return proxy.custom_headers().cloned();
  }
  }
@@ -912,7 +915,7 @@ mod tests {
  let m = Proxy::all("https://letme:in@yo.local")
  .unwrap()
  .into_matcher();
- assert!(!m.maybe_has_http_auth(), "https always tunnels");
+ assert!(m.maybe_has_http_auth(), "https forwards");
 
  let m = Proxy::all("http://letme:in@yo.local")
  .unwrap()