Skip to content

lib: add NODE_PROXY_TUNNEL env var to disable CONNECT tunneling#62926

Open
mcollina wants to merge 1 commit intonodejs:mainfrom
mcollina:proxy-tunnel-nodejs
Open

lib: add NODE_PROXY_TUNNEL env var to disable CONNECT tunneling#62926
mcollina wants to merge 1 commit intonodejs:mainfrom
mcollina:proxy-tunnel-nodejs

Conversation

@mcollina
Copy link
Copy Markdown
Member

@mcollina mcollina commented Apr 24, 2026

When NODE_USE_ENV_PROXY or --use-env-proxy is enabled and the proxy does not support the HTTP CONNECT method, undici loops forever retrying CONNECT requests. Add NODE_PROXY_TUNNEL env var to control whether proxy connections use CONNECT tunneling.

When set to false/0, EnvHttpProxyAgent passes proxyTunnel: false to ProxyAgent, which uses Http1ProxyWrapper for direct HTTP forwarding instead of CONNECT tunneling.

Refs: nodejs/undici#5093

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 24, 2026

Review requested:

  • @nodejs/http
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added needs-ci PRs that need a full CI run. process Issues and PRs related to the process subsystem. labels Apr 24, 2026
@mcollina mcollina requested a review from joyeecheung April 24, 2026 14:25
@mcollina mcollina added the semver-minor PRs that contain new features and should be released in the next minor version. label Apr 24, 2026
@mcollina mcollina force-pushed the proxy-tunnel-nodejs branch from c0bc38c to 20d97d0 Compare April 24, 2026 14:40
@joyeecheung
Copy link
Copy Markdown
Member

joyeecheung commented Apr 24, 2026

IIUC this is what nodejs/undici#4083 is about. Shouldn't this be the default behavior? For http.request, we just rewrite the request instead of tunneling at all to stay aligned with curl's behavior, I think we should do the same for fetch as well and just don't bother tunneling pure HTTP requests.

@mcollina mcollina mentioned this pull request Apr 24, 2026
Open
joyeecheung
joyeecheung reviewed Apr 24, 2026
View reviewed changes
Comment thread lib/internal/process/pre_execution.js
if (envProxyTunnel !== undefined) {
proxyTunnel = envProxyTunnel === 'true' || envProxyTunnel === '1';
}
const envHttpProxyAgent = new EnvHttpProxyAgent({ proxyTunnel });
Copy link
Copy Markdown
Member

@joyeecheung joyeecheung Apr 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this disable tunneling for HTTPS requests too? If so, that sounds like an insecure behavior - HTTPS should always be tunneled while HTTP doesn't need tunneling. That's what curl has and also what http/https.request implements. If it only disables tunneling for HTTP, I think we can just unconditionally set it to false and don't need to add an env var for this unless anyone specifically requests being able to tunnel pure HTTP requests (I doubt anyone would actually need it considering that's not what curl and most other runtimes do)

@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 24, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.65%. Comparing base (c3dd52a) to head (4b0007d).
⚠️ Report is 83 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62926      +/-   ##
==========================================
+ Coverage   89.61%   89.65%   +0.03%     
==========================================
  Files         706      706              
  Lines      219136   219375     +239     
  Branches    41981    42055      +74     
==========================================
+ Hits       196376   196675     +299     
+ Misses      14671    14592      -79     
- Partials     8089     8108      +19
Files with missing lines Coverage Δ
lib/internal/process/pre_execution.js 98.27% <100.00%> (-0.12%) ⬇️

... and 77 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mcollina
lib: add NODE_PROXY_TUNNEL env var to disable CONNECT tunneling
4b0007d 
When NODE_USE_ENV_PROXY or --use-env-proxy is enabled and the proxy
does not support the HTTP CONNECT method, undici loops forever retrying
CONNECT requests. Add NODE_PROXY_TUNNEL env var to control whether
proxy connections use CONNECT tunneling.

When set to false/0, EnvHttpProxyAgent passes proxyTunnel: false to
ProxyAgent, which uses Http1ProxyWrapper for direct HTTP forwarding
instead of CONNECT tunneling.

Refs: nodejs/undici#5093
@mcollina mcollina force-pushed the proxy-tunnel-nodejs branch from 20d97d0 to 4b0007d Compare April 25, 2026 06:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joyeecheung joyeecheung joyeecheung left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

needs-ci PRs that need a full CI run. process Issues and PRs related to the process subsystem. semver-minor PRs that contain new features and should be released in the next minor version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mcollina @nodejs-github-bot @joyeecheung