fix(enterprise/aibridgeproxyd): always verify TLS on upstream transport #26131

Open: ssncferreira wants to merge 1 commit into main from ssncf/aibridgeproxyd-verify-tls
@ssncferreira ssncferreira commented Jun 8, 2026

Problem

aibridgeproxyd's HTTP transport (proxy.Tr) was configured with secure TLS defaults only when an upstream proxy was set. Without one, it fell back to goproxy's default transport, which has InsecureSkipVerify: true, leaving the connection between the proxy and aibridge vulnerable to MITM on HTTPS deployments.

This PR moves the secure transport assignment outside the upstream proxy branch so it applies unconditionally.

Changes

  • Apply secure TLS defaults to proxy.Tr unconditionally (verified RootCAs, MinVersion: TLS 1.2).
  • Add TestProxy_AIBridgeTLSVerification to cover the verification path between the proxy and aibridge.

Notes

  • Behavior change for HTTPS_PROXY env var: previously, when UpstreamProxy was unset, proxy.Tr honored HTTP_PROXY and HTTPS_PROXY env vars. After this PR it does not, since MITM'd requests now always go directly to aibridge. This matches the behavior when UpstreamProxy is configured, which already ignored env vars.
  • HTTPS deployments with a private CA: when CoderAccessURL is HTTPS and its TLS certificate (or the load balancer's certificate fronting it) is signed by a CA not in the system trust store, the proxy will now fail with x509: certificate signed by unknown authority.

Closes https://linear.app/codercom/issue/AIGOV-386/ai-bridge-proxy-uses-goproxy-default-with-tls-verification-disabled

Note

Initially generated by Claude Opus 4.7, modified and reviewed by @ssncferreira
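
Added example, not code from this PR or from goproxy: a Go sketch of the behavior the description states, probing one constructed TLS server with a skip-verify transport, a verified transport whose pool lacks the issuer, and a verified transport with the private CA added. The names `newVerifiedTransport`, `probe`, `results` and `run` are hypothetical, and the `httptest` server stands in for an HTTPS aibridge behind a private CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newVerifiedTransport always verifies the server chain against roots.
// Proxy is left nil, so HTTP_PROXY/HTTPS_PROXY are not consulted.
func newVerifiedTransport(roots *x509.CertPool) *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}}
}

// probe sends one GET; unknownCA is true when the failure is an untrusted issuer.
func probe(tr *http.Transport, url string) (ok, unknownCA bool) {
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		var uae x509.UnknownAuthorityError
		return false, errors.As(err, &uae)
	}
	resp.Body.Close()
	return true, false
}

type results struct{ skipVerifyOK, emptyPoolOK, emptyPoolUnknownCA, privateCAOK bool }

// run probes one constructed TLS server (a stand-in for an HTTPS aibridge
// whose certificate chains to a private CA) with three transports.
func run() (r results) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	// Verification disabled, the fallback the PR description reports: any cert is accepted.
	skip := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
	r.skipVerifyOK, _ = probe(skip, srv.URL)
	// Verified, issuer missing from the pool: fails closed with UnknownAuthorityError.
	r.emptyPoolOK, r.emptyPoolUnknownCA = probe(newVerifiedTransport(x509.NewCertPool()), srv.URL)
	// Verified, private CA added to the pool: succeeds.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	r.privateCAOK, _ = probe(newVerifiedTransport(pool), srv.URL)
	return r
}

func main() { fmt.Printf("%+v\n", run()) }
```

The middle case is the `x509: certificate signed by unknown authority` failure from the Notes; the last case shows that it clears once the issuing CA is in the pool the transport verifies against.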

linear-code Bot commented Jun 8, 2026

AIGOV-386

@ssncferreira ssncferreira marked this pull request as ready for review June 8, 2026 09:49
@jdomeracki-coder

Are we worried that this might cause issues in real world deployments?

HTTPS deployments with a private CA: when CoderAccessURL is HTTPS and its TLS certificate (or the load balancer's certificate fronting it) is signed by a CA not in the system trust store, the proxy will now fail with x509: certificate signed by unknown authority.

If so, should we perhaps adjust the docs to mention that explicitly?

@dannykopping dannykopping left a comment

LGTM

@jdomeracki-coder jdomeracki-coder left a comment

Approving, setting potential doc adjustments aside
