awslabs · alextwoods · Oct 22, 2025 · Oct 15, 2025 · Oct 21, 2025 · Oct 21, 2025
diff --git a/crt/aws-c-http b/crt/aws-c-http
diff --git a/src/main/java/software/amazon/awssdk/crt/auth/credentials/CognitoCredentialsProvider.java b/src/main/java/software/amazon/awssdk/crt/auth/credentials/CognitoCredentialsProvider.java
@@ -204,6 +204,7 @@ private CognitoCredentialsProvider(CognitoCredentialsProviderBuilder builder) {
         int proxyAuthorizationType = 0;
         String proxyAuthorizationUsername = null;
         String proxyAuthorizationPassword = null;
+        String noProxyHosts = null;
         HttpProxyOptions proxyOptions = builder.getHttpProxyOptions();
         if (proxyOptions != null) {
             proxyConnectionType = proxyOptions.getConnectionType().getValue();
@@ -217,6 +218,9 @@ private CognitoCredentialsProvider(CognitoCredentialsProviderBuilder builder) {
             proxyAuthorizationType = proxyOptions.getAuthorizationType().getValue();
             proxyAuthorizationUsername = proxyOptions.getAuthorizationUsername();
             proxyAuthorizationPassword = proxyOptions.getAuthorizationPassword();
+            if (proxyOptions.getNoProxyHosts() != null) {
+                noProxyHosts = proxyOptions.getNoProxyHosts();
+            }
         }
 
         long nativeHandle = cognitoCredentialsProviderNew(
@@ -234,6 +238,7 @@ private CognitoCredentialsProvider(CognitoCredentialsProviderBuilder builder) {
                 proxyAuthorizationType,
                 proxyAuthorizationUsername != null ? proxyAuthorizationUsername.getBytes(UTF8) : null,
                 proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null,
+                noProxyHosts != null ? noProxyHosts.getBytes(UTF8) : null,
                 builder.loginTokenSource);
 
         acquireNativeHandle(nativeHandle);
@@ -305,7 +310,8 @@ private static native long cognitoCredentialsProviderNew(CognitoCredentialsProvi
                                                           int proxyAuthorizationType,
                                                           byte[] proxyAuthorizationUsername,
                                                           byte[] proxyAuthorizationPassword,
-                                                         CognitoLoginTokenSource loginTokenSource);
+                                                          byte[] noProxyHosts,
+                                                          CognitoLoginTokenSource loginTokenSource);
 
     private static native void completeLoginTokenFetch(long invocationHandle, byte[] marshalledLogins, Throwable ex);
 }
diff --git a/src/main/java/software/amazon/awssdk/crt/auth/credentials/X509CredentialsProvider.java b/src/main/java/software/amazon/awssdk/crt/auth/credentials/X509CredentialsProvider.java
@@ -155,6 +155,7 @@ private X509CredentialsProvider(X509CredentialsProviderBuilder builder) {
         int proxyAuthorizationType = 0;
         String proxyAuthorizationUsername = null;
         String proxyAuthorizationPassword = null;
+        String noProxyHosts = null;
         HttpProxyOptions proxyOptions = builder.getProxyOptions();
         if (proxyOptions != null) {
             proxyConnectionType = proxyOptions.getConnectionType().getValue();
@@ -168,6 +169,7 @@ private X509CredentialsProvider(X509CredentialsProviderBuilder builder) {
             proxyAuthorizationType = proxyOptions.getAuthorizationType().getValue();
             proxyAuthorizationUsername = proxyOptions.getAuthorizationUsername();
             proxyAuthorizationPassword = proxyOptions.getAuthorizationPassword();
+            noProxyHosts = proxyOptions.getNoProxyHosts();
         }
 
         long nativeHandle = x509CredentialsProviderNew(
@@ -183,7 +185,8 @@ private X509CredentialsProvider(X509CredentialsProviderBuilder builder) {
                 proxyTlsContextHandle,
                 proxyAuthorizationType,
                 proxyAuthorizationUsername != null ? proxyAuthorizationUsername.getBytes(UTF8) : null,
-                proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null);
+                proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null,
+                noProxyHosts != null ? noProxyHosts.getBytes(UTF8) : null);
 
         acquireNativeHandle(nativeHandle);
         addReferenceTo(clientBootstrap);
@@ -206,5 +209,6 @@ private static native long x509CredentialsProviderNew(X509CredentialsProvider th
                                                           long proxyTlsContext,
                                                           int proxyAuthorizationType,
                                                           byte[] proxyAuthorizationUsername,
-                                                          byte[] proxyAuthorizationPassword);
+                                                          byte[] proxyAuthorizationPassword,
+                                                          byte[] noProxyHosts);
 }
diff --git a/src/main/java/software/amazon/awssdk/crt/http/Http2StreamManager.java b/src/main/java/software/amazon/awssdk/crt/http/Http2StreamManager.java
@@ -78,6 +78,7 @@ private Http2StreamManager(Http2StreamManagerOptions options) {
         int proxyAuthorizationType = 0;
         String proxyAuthorizationUsername = null;
         String proxyAuthorizationPassword = null;
+        String noProxyHosts = null;
         HttpProxyOptions proxyOptions = connectionManagerOptions.getProxyOptions();
 
         if (proxyOptions != null) {
@@ -88,6 +89,7 @@ private Http2StreamManager(Http2StreamManagerOptions options) {
             proxyAuthorizationType = proxyOptions.getAuthorizationType().getValue();
             proxyAuthorizationUsername = proxyOptions.getAuthorizationUsername();
             proxyAuthorizationPassword = proxyOptions.getAuthorizationPassword();
+            noProxyHosts = proxyOptions.getNoProxyHosts();
         }
 
         HttpMonitoringOptions monitoringOptions = connectionManagerOptions.getMonitoringOptions();
@@ -113,6 +115,7 @@ private Http2StreamManager(Http2StreamManagerOptions options) {
                 proxyAuthorizationType,
                 proxyAuthorizationUsername != null ? proxyAuthorizationUsername.getBytes(UTF8) : null,
                 proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null,
+                noProxyHosts != null ? noProxyHosts.getBytes(UTF8) : null,
                 connectionManagerOptions.isManualWindowManagement(),
                 monitoringThroughputThresholdInBytesPerSecond,
                 monitoringFailureIntervalInSeconds,
@@ -254,6 +257,7 @@ private static native long http2StreamManagerNew(Http2StreamManager thisObj,
             int proxyAuthorizationType,
             byte[] proxyAuthorizationUsername,
             byte[] proxyAuthorizationPassword,
+            byte[] noProxyHosts,
             boolean isManualWindowManagement,
             long monitoringThroughputThresholdInBytesPerSecond,
             int monitoringFailureIntervalInSeconds,

diff --git a/src/main/java/software/amazon/awssdk/crt/http/HttpClientConnectionManager.java b/src/main/java/software/amazon/awssdk/crt/http/HttpClientConnectionManager.java
@@ -78,6 +78,7 @@ private HttpClientConnectionManager(HttpClientConnectionManagerOptions options)
         int proxyAuthorizationType = 0;
         String proxyAuthorizationUsername = null;
         String proxyAuthorizationPassword = null;
+        String noProxyHosts = null;
 
         if (proxyOptions != null) {
             proxyConnectionType = proxyOptions.getConnectionType().getValue();
@@ -87,6 +88,7 @@ private HttpClientConnectionManager(HttpClientConnectionManagerOptions options)
             proxyAuthorizationType = proxyOptions.getAuthorizationType().getValue();
             proxyAuthorizationUsername = proxyOptions.getAuthorizationUsername();
             proxyAuthorizationPassword = proxyOptions.getAuthorizationPassword();
+            noProxyHosts = proxyOptions.getNoProxyHosts();
         }
 
         int environmentVariableProxyConnectionType = 0;
@@ -123,6 +125,7 @@ private HttpClientConnectionManager(HttpClientConnectionManagerOptions options)
                                             proxyAuthorizationType,
                                             proxyAuthorizationUsername != null ? proxyAuthorizationUsername.getBytes(UTF8) : null,
                                             proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null,
+                                            noProxyHosts != null ? noProxyHosts.getBytes(UTF8) : null,
                                             environmentVariableProxyConnectionType,
                                             environmentVariableProxyTlsConnectionOptions != null
                                                     ? environmentVariableProxyTlsConnectionOptions.getNativeHandle()
@@ -259,6 +262,7 @@ private static native long httpClientConnectionManagerNew(HttpClientConnectionMa
                                                         int proxyAuthorizationType,
                                                         byte[] proxyAuthorizationUsername,
                                                         byte[] proxyAuthorizationPassword,
+                                                        byte[] noProxyHosts,
                                                         int environmentVariableProxyConnectionType,
                                                         long environmentVariableProxyTlsConnectionOptions,
                                                         int environmentVariableSetting,

diff --git a/src/main/java/software/amazon/awssdk/crt/http/HttpProxyOptions.java b/src/main/java/software/amazon/awssdk/crt/http/HttpProxyOptions.java
@@ -19,6 +19,7 @@ public class HttpProxyOptions {
     private TlsContext tlsContext;
     private HttpProxyAuthorizationType authorizationType;
     private HttpProxyConnectionType connectionType;
+    private String noProxyHosts;
 
     /**
      * what kind of authentication, if any, to use when connecting to a proxy server
@@ -182,4 +183,24 @@ public void setTlsContext(TlsContext tlsContext) {
      */
     public TlsContext getTlsContext() { return tlsContext; }
 
+    /**
+     * @return the nonProxyHosts setting for the proxy connection.
+     */
+    public String getNoProxyHosts() {
+        return noProxyHosts;
+    }
+
+    /**
+     * Sets the list of hosts for which not to use a proxy. This should be a comma seperated list
+     * of domain names, host names, or IP Addresses following the format used by CURL.
+     * The only wildcard available is a single "*" character, which matches all hosts,
+     * and effectively disables the proxy.
+     * IP addresses specified to this option can be provided using CIDR notation: an appended slash and number
+     * specifies the number of "network bits" out of the address to use in the comparison.
+     *
+     * @param noProxyHosts comma seperated list of hosts to skip proxy for.
+     */
+    public void setNoProxyHosts(String noProxyHosts) {
+        this.noProxyHosts = noProxyHosts;
+    }
 }
diff --git a/src/main/java/software/amazon/awssdk/crt/mqtt/MqttClientConnection.java b/src/main/java/software/amazon/awssdk/crt/mqtt/MqttClientConnection.java
@@ -187,7 +187,8 @@ private void SetupConfig(MqttConnectionConfig config) throws MqttException {
                         proxyTlsContext != null ? proxyTlsContext.getNativeHandle() : 0,
                         options.getAuthorizationType().getValue(),
                         options.getAuthorizationUsername(),
-                        options.getAuthorizationPassword());
+                        options.getAuthorizationPassword(),
+                        options.getNoProxyHosts());
             }
 
             addReferenceTo(config);
@@ -518,7 +519,8 @@ private static native void mqttClientConnectionSetHttpProxyOptions(long connecti
             long proxyTlsContext,
             int proxyAuthorizationType,
             String proxyAuthorizationUsername,
-            String proxyAuthorizationPassword) throws CrtRuntimeException;
+            String proxyAuthorizationPassword,
+            String noProxyHosts) throws CrtRuntimeException;
 
     private static native MqttClientConnectionOperationStatistics mqttClientConnectionGetOperationStatistics(
             long connection);

diff --git a/src/main/java/software/amazon/awssdk/crt/s3/S3Client.java b/src/main/java/software/amazon/awssdk/crt/s3/S3Client.java
@@ -38,6 +38,7 @@ public S3Client(S3ClientOptions options) throws CrtRuntimeException {
         int proxyAuthorizationType = 0;
         String proxyAuthorizationUsername = null;
         String proxyAuthorizationPassword = null;
+        String noProxyHosts = null;
         // Handle FileIoOptions from S3ClientOptions
         boolean fioOptionsSet = false;
         boolean shouldStream = false;
@@ -61,6 +62,7 @@ public S3Client(S3ClientOptions options) throws CrtRuntimeException {
             proxyAuthorizationType = proxyOptions.getAuthorizationType().getValue();
             proxyAuthorizationUsername = proxyOptions.getAuthorizationUsername();
             proxyAuthorizationPassword = proxyOptions.getAuthorizationPassword();
+            noProxyHosts = proxyOptions.getNoProxyHosts();
         }
 
         int environmentVariableProxyConnectionType = 0;
@@ -108,6 +110,7 @@ public S3Client(S3ClientOptions options) throws CrtRuntimeException {
                 proxyAuthorizationType,
                 proxyAuthorizationUsername != null ? proxyAuthorizationUsername.getBytes(UTF8) : null,
                 proxyAuthorizationPassword != null ? proxyAuthorizationPassword.getBytes(UTF8) : null,
+                noProxyHosts != null ? noProxyHosts.getBytes(UTF8) : null,
                 environmentVariableProxyConnectionType,
                 environmentVariableProxyTlsConnectionOptions != null
                         ? environmentVariableProxyTlsConnectionOptions.getNativeHandle()
@@ -267,6 +270,7 @@ private static native long s3ClientNew(S3Client thisObj, byte[] region, long cli
             int proxyAuthorizationType,
             byte[] proxyAuthorizationUsername,
             byte[] proxyAuthorizationPassword,
+            byte[] noProxyHosts,
             int environmentVariableProxyConnectionType,
             long environmentVariableProxyTlsConnectionOptions,
             int environmentVariableSetting,

diff --git a/src/native/credentials_provider.c b/src/native/credentials_provider.c
@@ -429,7 +429,8 @@ JNIEXPORT jlong JNICALL
         jlong jni_proxy_tls_context,
         jint jni_proxy_authorization_type,
         jbyteArray jni_proxy_authorization_username,
-        jbyteArray jni_proxy_authorization_password) {
+        jbyteArray jni_proxy_authorization_password,
+        jbyteArray jni_no_proxy_hosts) {
 
     (void)jni_class;
     (void)env;
@@ -471,6 +472,7 @@ JNIEXPORT jlong JNICALL
         jni_proxy_port,
         jni_proxy_authorization_username,
         jni_proxy_authorization_password,
+        jni_no_proxy_hosts,
         jni_proxy_authorization_type,
         (struct aws_tls_ctx *)jni_proxy_tls_context);
 
@@ -491,7 +493,12 @@ JNIEXPORT jlong JNICALL
     aws_jni_byte_cursor_from_jbyteArray_release(env, endpoint, options.endpoint);
 
     aws_http_proxy_options_jni_clean_up(
-        env, &proxy_options, jni_proxy_host, jni_proxy_authorization_username, jni_proxy_authorization_password);
+        env,
+        &proxy_options,
+        jni_proxy_host,
+        jni_proxy_authorization_username,
+        jni_proxy_authorization_password,
+        jni_no_proxy_hosts);
 
     aws_tls_connection_options_clean_up(&tls_connection_options);
 
@@ -929,6 +936,7 @@ jlong JNICALL Java_software_amazon_awssdk_crt_auth_credentials_CognitoCredential
     jint proxy_authorization_type,
     jbyteArray proxy_authorization_username,
     jbyteArray proxy_authorization_password,
+    jbyteArray no_proxy_hosts,
     jobject login_token_source) {
 
     (void)jni_class;
@@ -1015,6 +1023,7 @@ jlong JNICALL Java_software_amazon_awssdk_crt_auth_credentials_CognitoCredential
             proxy_port,
             proxy_authorization_username,
             proxy_authorization_password,
+            no_proxy_hosts,
             proxy_authorization_type,
             (struct aws_tls_ctx *)native_proxy_tls_context);
 
@@ -1034,7 +1043,7 @@ jlong JNICALL Java_software_amazon_awssdk_crt_auth_credentials_CognitoCredential
     aws_jni_byte_cursor_from_jbyteArray_release(env, marshalled_logins, logins_cursor);
 
     aws_http_proxy_options_jni_clean_up(
-        env, &proxy_options, proxy_host, proxy_authorization_username, proxy_authorization_password);
+        env, &proxy_options, proxy_host, proxy_authorization_username, proxy_authorization_password, no_proxy_hosts);
 
     aws_array_list_clean_up(&logins);
 

diff --git a/src/native/http2_stream_manager.c b/src/native/http2_stream_manager.c
@@ -106,6 +106,7 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_Http2StreamManager_
     jint jni_proxy_authorization_type,
     jbyteArray jni_proxy_authorization_username,
     jbyteArray jni_proxy_authorization_password,
+    jbyteArray jni_no_proxy_hosts,
     jboolean jni_manual_window_management,
     jlong jni_monitoring_throughput_threshold_in_bytes_per_second,
     jint jni_monitoring_failure_interval_in_seconds,
@@ -233,6 +234,7 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_Http2StreamManager_
         jni_proxy_port,
         jni_proxy_authorization_username,
         jni_proxy_authorization_password,
+        jni_no_proxy_hosts,
         jni_proxy_authorization_type,
         (struct aws_tls_ctx *)jni_proxy_tls_context);
 
@@ -246,7 +248,12 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_Http2StreamManager_
     }
 
     aws_http_proxy_options_jni_clean_up(
-        env, &proxy_options, jni_proxy_host, jni_proxy_authorization_username, jni_proxy_authorization_password);
+        env,
+        &proxy_options,
+        jni_proxy_host,
+        jni_proxy_authorization_username,
+        jni_proxy_authorization_password,
+        jni_no_proxy_hosts);
 
     if (new_tls_conn_opts) {
         aws_tls_connection_options_clean_up(&tls_conn_options);

diff --git a/src/native/http_connection_manager.c b/src/native/http_connection_manager.c
@@ -108,6 +108,7 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_HttpClientConnectio
     jint jni_proxy_authorization_type,
     jbyteArray jni_proxy_authorization_username,
     jbyteArray jni_proxy_authorization_password,
+    jbyteArray jni_no_proxy_hosts,
     jint jni_environment_variable_proxy_connection_type,
     jlong jni_environment_variable_proxy_tls_connection_options,
     jint jni_environment_variable_type,
@@ -220,6 +221,7 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_HttpClientConnectio
         jni_proxy_port,
         jni_proxy_authorization_username,
         jni_proxy_authorization_password,
+        jni_no_proxy_hosts,
         jni_proxy_authorization_type,
         (struct aws_tls_ctx *)jni_proxy_tls_context);
 
@@ -245,7 +247,12 @@ JNIEXPORT jlong JNICALL Java_software_amazon_awssdk_crt_http_HttpClientConnectio
     }
 
     aws_http_proxy_options_jni_clean_up(
-        env, &proxy_options, jni_proxy_host, jni_proxy_authorization_username, jni_proxy_authorization_password);
+        env,
+        &proxy_options,
+        jni_proxy_host,
+        jni_proxy_authorization_username,
+        jni_proxy_authorization_password,
+        jni_no_proxy_hosts);
 
     if (new_tls_conn_opts) {
         aws_tls_connection_options_clean_up(&tls_conn_options);

diff --git a/src/native/http_proxy_options.c b/src/native/http_proxy_options.c
@@ -33,6 +33,7 @@ void aws_http_proxy_options_jni_init(
     jint proxy_port,
     jbyteArray proxy_authorization_username,
     jbyteArray proxy_authorization_password,
+    jbyteArray no_proxy_hosts,
     int proxy_authorization_type,
     struct aws_tls_ctx *proxy_tls_ctx) {
 
@@ -54,6 +55,10 @@ void aws_http_proxy_options_jni_init(
         options->auth_password = aws_jni_byte_cursor_from_jbyteArray_acquire(env, proxy_authorization_password);
     }
 
+    if (no_proxy_hosts != NULL) {
+        options->no_proxy_hosts = aws_jni_byte_cursor_from_jbyteArray_acquire(env, no_proxy_hosts);
+    }
+
     if (proxy_tls_ctx != NULL) {
         aws_tls_connection_options_init_from_ctx(tls_options, proxy_tls_ctx);
         aws_tls_connection_options_set_server_name(tls_options, allocator, &options->host);
@@ -66,7 +71,8 @@ void aws_http_proxy_options_jni_clean_up(
     struct aws_http_proxy_options *options,
     jbyteArray proxy_host,
     jbyteArray proxy_authorization_username,
-    jbyteArray proxy_authorization_password) {
+    jbyteArray proxy_authorization_password,
+    jbyteArray no_proxy_hosts) {
 
     if (options->host.ptr != NULL) {
         aws_jni_byte_cursor_from_jbyteArray_release(env, proxy_host, options->host);
@@ -80,6 +86,10 @@ void aws_http_proxy_options_jni_clean_up(
         aws_jni_byte_cursor_from_jbyteArray_release(env, proxy_authorization_password, options->auth_password);
     }
 
+    if (options->no_proxy_hosts.ptr != NULL) {
+        aws_jni_byte_cursor_from_jbyteArray_release(env, no_proxy_hosts, options->no_proxy_hosts);
+    }
+
     if (options->tls_options != NULL) {
         aws_tls_connection_options_clean_up((struct aws_tls_connection_options *)options->tls_options);
     }
+2 −2		.github/workflows/handle-stale-discussions.yml
+1 −1		.github/workflows/stale_issue.yml
+2 −0		include/aws/http/private/proxy_impl.h
+6 −0		include/aws/http/proxy.h
+41 −15		integration-testing/http_client_test.py
+2 −1		source/connection_manager.c
+4 −3		source/http2_stream_manager.c
+33 −2		source/proxy_connection.c
+28 −14		source/proxy_strategy.c
+3 −1		tests/CMakeLists.txt
+18 −0		tests/proxy_test_helper.c
+6 −0		tests/proxy_test_helper.h
+18 −14		tests/py_localhost/README.md
+4 −1		tests/py_localhost/server.py
+78 −0		tests/test_proxy.c
+21 −22		tests/test_stream_manager.c