fix: apply cafile to proxied TLS connections

MarshallOfSound · MarshallOfSound · commit 8d78f6d25011 · 2026-04-20T16:59:05.000-07:00
EnvHttpProxyAgent forwards opts to an internal ProxyAgent for proxied
requests, which reads origin TLS config from requestTls rather than
connect. Set connect/requestTls/proxyTls so the custom CA is honored
on both direct and proxied paths. Adds a test covering https origin
behind an HTTP CONNECT proxy with a custom CA.
diff --git a/lib/download.js b/lib/download.js
@@ -53,7 +53,14 @@ async function createDispatcher (gyp) {
 
   const opts = {}
   if (gyp.opts.cafile) {
-    opts.connect = { ca: await readCAFile(gyp.opts.cafile) }
+    const ca = await readCAFile(gyp.opts.cafile)
+    // EnvHttpProxyAgent forwards opts to both its internal Agent (direct) and
+    // ProxyAgent (proxied). Agent reads TLS config from `connect`; ProxyAgent
+    // reads it from `requestTls` (origin) / `proxyTls` (proxy). Set all three
+    // so the custom CA is applied regardless of which path a request takes.
+    opts.connect = { ca }
+    opts.requestTls = { ca }
+    opts.proxyTls = { ca }
   }
   if (gyp.opts.proxy) {
     opts.httpProxy = gyp.opts.proxy
diff --git a/test/test-download.js b/test/test-download.js
@@ -112,6 +112,54 @@ describe('download', function () {
     assert.strictEqual(proxyUsed, true)
   })
 
+  it('download over https with proxy and custom ca', async function () {
+    const cafile = path.join(__dirname, 'fixtures/ca-proxy.crt')
+    await fs.writeFile(cafile, certs['ca.crt'], 'utf8')
+
+    const server = https.createServer({
+      ca: await readCAFile(cafile),
+      cert: certs['server.crt'],
+      key: certs['server.key']
+    }, (_, res) => res.end('ok'))
+
+    let proxyUsed = false
+    const pserver = http.createServer()
+    pserver.on('connect', (req, clientSocket, head) => {
+      proxyUsed = true
+      const [targetHost, targetPort] = req.url.split(':')
+      const serverSocket = net.connect(targetPort, targetHost, () => {
+        clientSocket.write('HTTP/1.1 200 Connection Established\r\n\r\n')
+        serverSocket.write(head)
+        serverSocket.pipe(clientSocket)
+        clientSocket.pipe(serverSocket)
+      })
+      clientSocket.on('error', () => serverSocket.destroy())
+      serverSocket.on('error', () => clientSocket.destroy())
+    })
+
+    after(async () => {
+      await new Promise((resolve) => server.close(resolve))
+      await new Promise((resolve) => pserver.close(resolve))
+      await fs.unlink(cafile)
+    })
+
+    const host = 'localhost'
+    await new Promise((resolve) => server.listen(0, host, resolve))
+    const { port } = server.address()
+    await new Promise((resolve) => pserver.listen(port + 1, host, resolve))
+    const gyp = {
+      opts: {
+        cafile,
+        proxy: `http://${host}:${port + 1}`,
+        noproxy: 'bad'
+      },
+      version: '42'
+    }
+    const res = await download(gyp, `https://${host}:${port}`)
+    assert.strictEqual(await res.text(), 'ok')
+    assert.strictEqual(proxyUsed, true)
+  })
+
   it('download over http with noproxy', async function () {
     const server = http.createServer((req, res) => {
       assert.strictEqual(req.headers['user-agent'], `node-gyp v42 (node ${process.version})`)
