From bb72413b03c8f74f1bc88c7292a53a15db74cd20 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <stefan@eissing.org>
Date: Mon, 15 Jun 2026 17:13:00 +0200
Subject: [PATCH] cf-https-connect: do not engage on proxy origin

When talking to a forwarding proxy, do not start HTTPS Eyeballing.
We might support this in the future, but for now, the --httpx.x
arguments to do not apply to such a setup.

Add a test case for forward proxying without use of ALPN.

Closes #22033
---
 lib/cf-https-connect.c      |  5 +++++
 tests/http/test_10_proxy.py | 13 ++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/cf-https-connect.c b/lib/cf-https-connect.c
index 3c326e95ef..a2b7b40ab6 100644
--- a/lib/cf-https-connect.c
+++ b/lib/cf-https-connect.c
@@ -810,7 +810,12 @@ CURLcode Curl_cf_https_setup(struct Curl_easy *data,
 
   DEBUGASSERT(conn->scheme->protocol == CURLPROTO_HTTPS);
 
+  /* This filter is intended for HTTPS using ALPN and does
+   * not support HTTPS Eyeballing to a proxy. */
   if((conn->scheme->protocol != CURLPROTO_HTTPS) ||
+#ifndef CURL_DISABLE_PROXY
+     conn->bits.origin_is_proxy ||
+#endif
      !conn->bits.tls_enable_alpn)
     goto out;
 
diff --git a/tests/http/test_10_proxy.py b/tests/http/test_10_proxy.py
index 94a13ef490..5843c30b08 100644
--- a/tests/http/test_10_proxy.py
+++ b/tests/http/test_10_proxy.py
@@ -84,15 +84,16 @@ class TestProxy:
     # upload via https: with proto (no tunnel)
     @pytest.mark.skipif(condition=not Env.have_ssl_curl(), reason="curl without SSL")
     @pytest.mark.parametrize("proto", Env.http_h1_h2_protos())
-    @pytest.mark.parametrize("fname, fcount", [
-        ['data.json', 5],
-        ['data-100k', 5],
-        ['data-1m', 2]
+    @pytest.mark.parametrize("fname, fcount, with_alpn", [
+        ['data.json', 5, False],
+        ['data.json', 5, True],
+        ['data-100k', 5, True],
+        ['data-1m', 2, True]
     ])
     @pytest.mark.skipif(condition=not Env.have_nghttpx(),
                         reason="no nghttpx available")
     def test_10_02_proxys_up(self, env: Env, httpd, nghttpx, proto,
-                             fname, fcount):
+                             fname, fcount, with_alpn):
         if proto == 'h2' and not env.curl_uses_lib('nghttp2'):
             pytest.skip('only supported with nghttp2')
         count = fcount
@@ -100,6 +101,8 @@ class TestProxy:
         curl = CurlClient(env=env)
         url = f'http://localhost:{env.http_port}/curltest/echo?id=[0-{count-1}]'
         xargs = curl.get_proxy_args(proto=proto)
+        if not with_alpn:
+            xargs.append('--no-alpn')
         r = curl.http_upload(urls=[url], data=f'@{srcfile}', alpn_proto=proto,
                              extra_args=xargs)
         r.check_response(count=count, http_status=200,