gravitational · atburke · Mar 23, 2022 · Feb 7, 2022 · Feb 8, 2022 · Feb 9, 2022
diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -46,6 +46,7 @@ func newWebClient(insecure bool, pool *x509.CertPool) *http.Client {
 				RootCAs:            pool,
 				InsecureSkipVerify: insecure,
 			},
+			Proxy: http.ProxyFromEnvironment,
 		},
 	}
 }

diff --git a/api/client/webclient/webclient_test.go b/api/client/webclient/webclient_test.go
@@ -22,6 +22,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -289,3 +290,12 @@ func TestExtract(t *testing.T) {
 		})
 	}
 }
+
+func TestNewWebClientRespectHTTPProxy(t *testing.T) {
+	os.Setenv("HTTPS_PROXY", "localhost:9999")
+	defer os.Unsetenv("HTTPS_PROXY")
+	client := newWebClient(false, nil)
+	_, err := client.Get("https://example.com")
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err)
+}
diff --git a/lib/client/https_client.go b/lib/client/https_client.go
@@ -41,6 +41,7 @@ func NewInsecureWebClient() *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
 		},
 	}
 }
@@ -54,6 +55,7 @@ func newClientWithPool(pool *x509.CertPool) *http.Client {
 	return &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
 		},
 	}
 }

diff --git a/lib/client/https_client_test.go b/lib/client/https_client_test.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package client
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewInsecureWebClientHTTPProxy(t *testing.T) {
+	os.Setenv("HTTPS_PROXY", "localhost:9999")
+	defer os.Unsetenv("HTTPS_PROXY")
+	client := NewInsecureWebClient()
+	_, err := client.Get("https://example.com")
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err)
+}
+
+func TestNewClientWithPoolHTTPProxy(t *testing.T) {
+	os.Setenv("HTTPS_PROXY", "localhost:9999")
+	defer os.Unsetenv("HTTPS_PROXY")
+	client := newClientWithPool(nil)
+	_, err := client.Get("https://example.com")
+	// Client should try to proxy through nonexistent server at localhost.
+	require.Error(t, err)
+}
-Original file line number
+Diff line change
@@ Expand Up @@
     				RootCAs:            pool,
     				InsecureSkipVerify: insecure,
     			},
+    			Proxy: http.ProxyFromEnvironment,
     		},
     	}
     }
@@ Expand Down @@