Skip to content

Add gRFC for HTTPS proxy support. #530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
jwustrack wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Add gRFC for HTTPS proxy support. #530

jwustrack wants to merge 1 commit into from

Conversation

@jwustrack
Copy link

@jwustrack jwustrack commented Jan 9, 2026
edited
Loading

This PR adds a gRFC for HTTPS proxy support where the connection to the proxy itself is TLS-encrypted. This ensures that proxy authentication credentials (such as BasicAuth username and password) are transmitted securely rather than in plaintext.

The C implementation is provided in this PR: grpc/grpc#41377

This adresses issue grpc/grpc#30347

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Jan 9, 2026

CLA Not Signed

@jwustrack jwustrack mentioned this pull request Jan 9, 2026
Draft
@markdroth
Copy link
Member

markdroth commented Jan 9, 2026

We can't look at this until you sign the CLA.

atollena
atollena reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

@atollena atollena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something that datadog would benefit from for some internal use cases that currently use double proxying with a sidecar, so I'm supportive of it. Happy to help with the Go API, although you can probably focus on a single language (c-core).

A98-https-proxy-support.md
Many proxy deployments support HTTPS connections, where the client establishes a TLS connection to the proxy before sending the HTTP CONNECT request. This ensures that:
1. Proxy authentication credentials are encrypted
2. The target hostname in the CONNECT request is not visible to network observers
3. The proxy can be authenticated via its TLS certificate
Copy link
Contributor

@atollena atollena Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The proxy can also identify the client from its client TLS certificate, if provided. The identity can then be used the same way as basic proxy auth, and replace it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@atollena atollena atollena left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jwustrack @markdroth @atollena