Use http:// for HTTPS_PROXY in unprivileged mode

blink-so[bot] · blink-so[bot] · commit 33295803b487 · 2025-09-16T18:31:17.000Z
HTTPS_PROXY should use http:// to establish CONNECT tunnels
to the proxy, not https://. This is the standard approach
for HTTP proxies handling HTTPS traffic via CONNECT.

The proxy will still perform TLS termination on the tunneled
connections for full request visibility.
diff --git a/jail/unprivileged.go b/jail/unprivileged.go
@@ -39,7 +39,7 @@ func (u *Unprivileged) Start() error {
 		"USER":        u.username,
 		"LOGNAME":     u.username,
 		"HTTP_PROXY":  fmt.Sprintf("http://localhost:%d", u.httpProxyPort),
-		"HTTPS_PROXY": fmt.Sprintf("https://localhost:%d", u.httpProxyPort),
+		"HTTPS_PROXY": fmt.Sprintf("http://localhost:%d", u.httpProxyPort),
 	})
 	return nil
 }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ func (u *Unprivileged) Start() error {`
`39`	`39`	`"USER": u.username,`
`40`	`40`	`"LOGNAME": u.username,`
`41`	`41`	`"HTTP_PROXY": fmt.Sprintf("http://localhost:%d", u.httpProxyPort),`
`42`		`- "HTTPS_PROXY": fmt.Sprintf("https://localhost:%d", u.httpProxyPort),`
	`42`	`+ "HTTPS_PROXY": fmt.Sprintf("http://localhost:%d", u.httpProxyPort),`
`43`	`43`	`})`
`44`	`44`	`return nil`
`45`	`45`	`}`