
fix httpx client mount verify setting #5632 #5635

Merged: adhami3310 merged 1 commit into reflex-dev:main from ruhz3:fix/ssl-verification-proxy-mounts, Jul 29, 2025

@ruhz3 (Contributor) commented Jul 29, 2025

All Submissions:

  • Have you followed the guidelines stated in CONTRIBUTING.md file?
  • Have you checked to ensure there aren't any other open Pull Requests for the desired change?

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Changes To Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully run tests with your changes locally?

Title: Fix SSL Verification Inconsistency in HTTPX Client Proxy Mounts

Description:

This pull request addresses an inconsistency in SSL verification settings within the HTTPX client configuration used by Reflex. Currently, when the environment variable SSL_NO_VERIFY=1 is set, the main HTTP transport correctly disables SSL verification, but proxy mounts continue to enforce SSL certificate verification. This leads to inconsistent behavior and potential SSL certificate errors in environments using proxies, such as corporate networks with self-signed certificates, development setups, CI/CD pipelines, or networks with SSL inspection.

The changes ensure that SSL verification settings are uniformly applied across both the main HTTP transport and proxy mounts, resolving errors like those encountered during reflex init when SSL_NO_VERIFY=1 is set. This fix enhances reliability in the following scenarios:

  • Corporate environments with self-signed certificates or custom CAs
  • Development environments requiring SSL verification bypass
  • CI/CD pipelines operating behind corporate proxies
  • Network environments with SSL inspection/filtering

Changes Made:

  • Modified the HTTPX client configuration to propagate the SSL_NO_VERIFY setting to proxy mounts.
  • Added tests to verify consistent SSL verification behavior across main and proxy transports.
  • Ensured backward compatibility with existing functionality.

Testing:

  • Locally ran tests to confirm the fix resolves the SSL verification inconsistency.
  • Verified functionality in a simulated proxy environment with SSL_NO_VERIFY=1.
  • Ensured no regression in standard HTTP transport behavior.

closes #5632


codspeed-hq Bot commented Jul 29, 2025

CodSpeed Performance Report

Merging #5635 will not alter performance

Comparing ruhz3:fix/ssl-verification-proxy-mounts (f50c3b5) with main (00cdc4d)

Summary

✅ 8 untouched benchmarks

@greptile-apps greptile-apps Bot (Contributor) left a comment

Greptile Summary

This PR fixes an SSL verification inconsistency in Reflex's HTTPX client configuration. The issue was that when the SSL_NO_VERIFY=1 environment variable is set, the main HTTP transport correctly disables SSL verification, but proxy mounts were still enforcing SSL certificate verification. This inconsistency caused SSL certificate errors in proxy environments, particularly during reflex init commands.

The fix is elegantly simple: it extracts the SSL verification setting once using _httpx_verify_kwarg() and applies it consistently to both the main HTTP transport and all proxy mounts in the get_httpx_client() function. Previously, the main transport used verify=_httpx_verify_kwarg() while proxy mounts used the default verification behavior.

This change integrates well with Reflex's existing network utilities in reflex/utils/net.py, which already handles environment-based SSL configuration through the _httpx_verify_kwarg() helper function. The fix ensures that all HTTP transports (main and proxy) respect the same SSL verification policy, making the behavior predictable and consistent across different network environments.

Confidence score: 4/5

  • This is a safe and well-targeted bug fix that addresses a clear inconsistency issue.
  • The change is minimal, focused, and maintains backward compatibility while fixing the specific SSL verification problem.
  • No files need additional attention as the change is straightforward and contained.

1 file reviewed, no comments
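
The pattern the summary above describes, as an added example that is not part of the PR or of Reflex's code: in httpx, a transport constructed explicitly for `mounts` carries its own `verify` setting, so the policy is resolved once and handed to every transport. The function names, the `HTTP_PROXY`/`HTTPS_PROXY` lookup and the sample proxy URL are assumptions of this sketch.

```python
import ssl


def resolve_verify(env):
    """Decide the TLS policy once from SSL_NO_VERIFY, the variable named in the PR."""
    ctx = ssl.create_default_context()
    if env.get("SSL_NO_VERIFY") == "1":
        ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def transport_plan(env):
    """Return kwargs for the main transport and for each proxy mount.

    Reading HTTP_PROXY / HTTPS_PROXY here is an assumption of this sketch.
    """
    verify = resolve_verify(env)
    plan = {"main": {"verify": verify}}
    for pattern, var in (("http://", "HTTP_PROXY"), ("https://", "HTTPS_PROXY")):
        if env.get(var):
            # Same object as the main transport, so the routes cannot drift apart.
            plan[pattern] = {"verify": verify, "proxy": env[var]}
    return plan


def unverified_routes(plan):
    """List the routes on which certificate checks are off, e.g. for a startup warning."""
    return sorted(
        name for name, kw in plan.items()
        if kw["verify"].verify_mode == ssl.CERT_NONE
    )


def build_client(env):
    """Build the httpx client from the plan (needs the third-party httpx package)."""
    import httpx

    plan = transport_plan(env)
    main = plan.pop("main")
    return httpx.Client(
        transport=httpx.HTTPTransport(**main),
        mounts={p: httpx.HTTPTransport(**kw) for p, kw in plan.items()},
    )


if __name__ == "__main__":
    # Constructed sample environment, not taken from the PR.
    sample = {"SSL_NO_VERIFY": "1", "HTTPS_PROXY": "http://proxy.example.internal:3128"}
    print(unverified_routes(transport_plan(sample)))
```

Where the underlying need is a corporate or self-signed CA, calling `load_verify_locations()` on the shared context keeps verification on for every route instead of turning it off.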


@adhami3310 (Member) left a comment

looks reasonable!

@adhami3310 adhami3310 merged commit 1aafe9a into reflex-dev:main Jul 29, 2025
39 of 41 checks passed

Development

Successfully merging this pull request may close these issues.

Fix SSL verification consistency in HTTP client proxy mounts