fix(Net): address review findings in HTTPS proxy support

- Fix missing _proxySessionFactory registration in (host, port, ProxyConfig)
  constructor causing UnknownURISchemeException at connection time
- Fix HTTPSClientSession::proxyRequestPrefix() regression: return empty
  string in tunnel mode to avoid corrupting request URIs
- Fix empty proxyAuthenticate() override silently dropping credentials
  in non-tunnel HTTPS proxy mode
- Add protocol validation and connected-state check to setProxyConfig()
  and setGlobalProxyConfig()
- Wrap destructor unregisterProtocol() in try/catch to prevent
  std::terminate
- Include HTTP status code in proxyConnect() error message
- Use InvalidArgumentException instead of IllegalStateException for
  protocol validation
- Extract factory registration into initProxySessionFactory() helpers
  to prevent future missed-constructor bugs
- Modernize ProxyAuthentication to enum class with None/Basic/Digest/NTLM
- Use default member initializers in ProxyConfig (enables C++20
  designated initializers)
- Add [[nodiscard]] to key getters, modernize copy deletion to = delete
- Add 10 new unit tests covering ProxyConfig defaults, protocol
  validation, setters, request prefix, non-tunnel mode, global config,
  and bypass behavior
- Update HTTPTestServer to handle proxy requests without default port
- Fix copyright year and doc-comment style

Author: matejk

Net/include/Poco/Net/HTTPClientSession.h

@@ -183,7 +183,7 @@ class Net_API HTTPClientSession: public HTTPSession
 	void setProxyConfig(const ProxyConfig& config);
 		/// Sets the proxy configuration.
 
-	const ProxyConfig& getProxyConfig() const;
+	[[nodiscard]] const ProxyConfig& getProxyConfig() const;
 		/// Returns the proxy configuration.
 
 	static void setGlobalProxyConfig(const ProxyConfig& config);
@@ -196,7 +196,7 @@ class Net_API HTTPClientSession: public HTTPSession
 		/// The global proxy configuration should be set at start up, before
 		/// the first HTTPClientSession instance is created.
 
-	static const ProxyConfig& getGlobalProxyConfig();
+	[[nodiscard]] static const ProxyConfig& getGlobalProxyConfig();
 		/// Returns the global proxy configuration.
 
 	void setKeepAliveTimeout(const Poco::Timespan& timeout);
@@ -287,11 +287,11 @@ class Net_API HTTPClientSession: public HTTPSession
 		/// the request or response stream changes into
 		/// fail or bad state, but not eof state).
 
-	virtual bool secure() const;
+	[[nodiscard]] virtual bool secure() const;
 		/// Return true iff the session uses SSL or TLS,
 		/// or false otherwise.
 
-	bool bypassProxy() const;
+	[[nodiscard]] bool bypassProxy() const;
 		/// Returns true if the proxy should be bypassed
 		/// for the current host.
 
@@ -373,8 +373,11 @@ class Net_API HTTPClientSession: public HTTPSession
 
 	static ProxyConfig _globalProxyConfig;
 
-	HTTPClientSession(const HTTPClientSession&);
-	HTTPClientSession& operator = (const HTTPClientSession&);
+	void initProxySessionFactory();
+		/// Registers the "http" protocol with _proxySessionFactory.
+
+	HTTPClientSession(const HTTPClientSession&) = delete;
+	HTTPClientSession& operator = (const HTTPClientSession&) = delete;
 
 	friend class WebSocket;
 };
@@ -413,7 +416,7 @@ inline const std::string& HTTPClientSession::getProxyProtocol() const
 }
 
 
-inline bool HTTPClientSession::isProxyTunnel() const
+[[nodiscard]] inline bool HTTPClientSession::isProxyTunnel() const
 {
 	return _proxyConfig.tunnel;
 }

Net/include/Poco/Net/ProxyConfig.h

@@ -7,7 +7,7 @@
 //
 // Definition of the ProxyConfig class.
 //
-// Copyright (c) 2005-2026, Applied Informatics Software Engineering GmbH.
+// Copyright (c) 2026-2026, Applied Informatics Software Engineering GmbH.
 // and Contributors.
 //
 // SPDX-License-Identifier:	BSL-1.0
@@ -23,35 +23,33 @@ namespace Poco {
 namespace Net {
 
 
-enum ProxyAuthentication
+enum class ProxyAuthentication
 {
-	PROXY_AUTH_NONE,        /// No proxy authentication
-	PROXY_AUTH_HTTP_BASIC,  /// HTTP Basic proxy authentication (default, if username and password are supplied)
-	PROXY_AUTH_HTTP_DIGEST, /// HTTP Digest proxy authentication
-	PROXY_AUTH_NTLM         /// NTLMv2 proxy authentication
+	None,        /// No proxy authentication
+	Basic,       /// HTTP Basic proxy authentication (default, if username and password are supplied)
+	Digest,      /// HTTP Digest proxy authentication
+	NTLM         /// NTLMv2 proxy authentication
 };
 
 
 struct ProxyConfig
 	/// HTTP proxy server configuration.
 {
-	ProxyConfig():
-		port(HTTPSession::HTTP_PORT),
-		protocol("http"),
-		tunnel(true),
-		authMethod(PROXY_AUTH_HTTP_BASIC)
-	{
-	}
+	ProxyConfig() = default;
 
 	std::string host;
 		/// Proxy server host name or IP address.
-	Poco::UInt16 port;
+	Poco::UInt16 port = HTTPSession::HTTP_PORT;
 		/// Proxy server TCP port.
-	std::string protocol;
+	std::string protocol = "http";
 		/// Protocol to use (http or https).
-	bool tunnel;
+	bool tunnel = true;
 		/// Use proxy as tunnel (establish 2-way communication through CONNECT request).
 		/// If tunnel option is 'false' request will be sent directly to proxy without CONNECT request.
+		///
+		/// Warning: Setting tunnel to false for HTTPS sessions means the TLS connection
+		/// terminates at the proxy, not at the destination server. The proxy will see
+		/// the request in plaintext.
 	std::string username;
 		/// Proxy server username.
 	std::string password;
@@ -61,7 +59,7 @@ struct ProxyConfig
 		/// e.g. "localhost|127\.0\.0\.1|192\.168\.0\.\d+". Can also be an empty
 		/// string to disable proxy bypassing.
 
-	ProxyAuthentication authMethod;
+	ProxyAuthentication authMethod = ProxyAuthentication::Basic;
 		/// The authentication method to use - HTTP Basic or NTLM.
 };
 

Net/src/HTTPClientSession.cpp

@@ -31,6 +31,7 @@
 
 using Poco::NumberFormatter;
 using Poco::IllegalStateException;
+using Poco::InvalidArgumentException;
 
 
 namespace Poco {
@@ -52,7 +53,7 @@ HTTPClientSession::HTTPClientSession():
 	_responseReceived(false),
 	_ntlmProxyAuthenticated(false)
 {
-	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
+	initProxySessionFactory();
 }
 
 
@@ -69,7 +70,7 @@ HTTPClientSession::HTTPClientSession(const StreamSocket& socket):
 	_responseReceived(false),
 	_ntlmProxyAuthenticated(false)
 {
-	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
+	initProxySessionFactory();
 }
 
 
@@ -86,7 +87,7 @@ HTTPClientSession::HTTPClientSession(const SocketAddress& address):
 	_responseReceived(false),
 	_ntlmProxyAuthenticated(false)
 {
-	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
+	initProxySessionFactory();
 }
 
 
@@ -103,13 +104,15 @@ HTTPClientSession::HTTPClientSession(const std::string& host, Poco::UInt16 port)
 	_responseReceived(false),
 	_ntlmProxyAuthenticated(false)
 {
-	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
+	initProxySessionFactory();
 }
 
 
 HTTPClientSession::HTTPClientSession(const std::string& host, Poco::UInt16 port, const ProxyConfig& proxyConfig):
 	_host(host),
 	_port(port),
+	_sourceAddress4(IPAddress::wildcard(IPAddress::IPv4), 0),
+	_sourceAddress6(IPAddress::wildcard(IPAddress::IPv6), 0),
 	_proxyConfig(proxyConfig),
 	_keepAliveTimeout(DEFAULT_KEEP_ALIVE_TIMEOUT, 0),
 	_reconnect(false),
@@ -118,6 +121,7 @@ HTTPClientSession::HTTPClientSession(const std::string& host, Poco::UInt16 port,
 	_responseReceived(false),
 	_ntlmProxyAuthenticated(false)
 {
+	initProxySessionFactory();
 }
 
 
@@ -131,15 +135,28 @@ HTTPClientSession::HTTPClientSession(const StreamSocket& socket, const ProxyConf
 	_reconnect(false),
 	_mustReconnect(false),
 	_expectResponseBody(false),
-	_responseReceived(false)
+	_responseReceived(false),
+	_ntlmProxyAuthenticated(false)
 {
-	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
+	initProxySessionFactory();
 }
 
 
 HTTPClientSession::~HTTPClientSession()
 {
-	_proxySessionFactory.unregisterProtocol("http");
+	try
+	{
+		_proxySessionFactory.unregisterProtocol("http");
+	}
+	catch (...)
+	{
+	}
+}
+
+
+void HTTPClientSession::initProxySessionFactory()
+{
+	_proxySessionFactory.registerProtocol("http", new HTTPSessionInstantiator);
 }
 
 
@@ -197,7 +214,7 @@ const SocketAddress& HTTPClientSession::getSourceAddress6()
 void HTTPClientSession::setProxy(const std::string& host, Poco::UInt16 port, const std::string& protocol, bool tunnel)
 {
 	if (protocol != "http" && protocol != "https")
-		throw IllegalStateException("Protocol must be either http or https");
+		throw InvalidArgumentException("Protocol must be either http or https");
 
 	if (!connected())
 	{
@@ -231,7 +248,7 @@ void HTTPClientSession::setProxyPort(Poco::UInt16 port)
 void HTTPClientSession::setProxyProtocol(const std::string& protocol)
 {
 	if (protocol != "http" && protocol != "https")
-		throw IllegalStateException("Protocol must be either http or https");
+		throw InvalidArgumentException("Protocol must be either http or https");
 
 	if (!connected())
 		_proxyConfig.protocol = protocol;
@@ -270,12 +287,21 @@ void HTTPClientSession::setProxyPassword(const std::string& password)
 
 void HTTPClientSession::setProxyConfig(const ProxyConfig& config)
 {
-	_proxyConfig = config;
+	if (config.protocol != "http" && config.protocol != "https")
+		throw InvalidArgumentException("Protocol must be either http or https");
+
+	if (!connected())
+		_proxyConfig = config;
+	else
+		throw IllegalStateException("Cannot set the proxy configuration for an already connected session");
 }
 
 
 void HTTPClientSession::setGlobalProxyConfig(const ProxyConfig& config)
 {
+	if (config.protocol != "http" && config.protocol != "https")
+		throw InvalidArgumentException("Protocol must be either http or https");
+
 	_globalProxyConfig = config;
 }
 
@@ -509,8 +535,8 @@ std::string HTTPClientSession::proxyRequestPrefix() const
 {
 	std::string result("http://");
 	result.append(_host);
-	/// Do not append default by default, since this may break some servers.
-	/// One example of such server is GCS (Google Cloud Storage).
+	// Do not append default port, since this may break some servers.
+	// One example of such server is GCS (Google Cloud Storage).
 	if (_port != HTTPSession::HTTP_PORT)
 	{
 		result.append(":");
@@ -541,16 +567,16 @@ void HTTPClientSession::proxyAuthenticateImpl(HTTPRequest& request, const ProxyC
 {
 	switch (proxyConfig.authMethod)
 	{
-	case PROXY_AUTH_NONE:
+	case ProxyAuthentication::None:
 		break;
 
-	case PROXY_AUTH_HTTP_BASIC:
+	case ProxyAuthentication::Basic:
 		_proxyBasicCreds.setUsername(proxyConfig.username);
 		_proxyBasicCreds.setPassword(proxyConfig.password);
 		_proxyBasicCreds.proxyAuthenticate(request);
 		break;
 
-	case PROXY_AUTH_HTTP_DIGEST:
+	case ProxyAuthentication::Digest:
 		if (HTTPCredentials::hasDigestCredentials(request))
 		{
 			_proxyDigestCreds.updateProxyAuthInfo(request);
@@ -563,7 +589,7 @@ void HTTPClientSession::proxyAuthenticateImpl(HTTPRequest& request, const ProxyC
 		}
 		break;
 
-	case PROXY_AUTH_NTLM:
+	case ProxyAuthentication::NTLM:
 		if (_ntlmProxyAuthenticated)
 		{
 			_proxyNTLMCreds.updateProxyAuthInfo(request);
@@ -643,7 +669,7 @@ StreamSocket HTTPClientSession::proxyConnect()
 	proxySession->sendRequest(proxyRequest);
 	proxySession->receiveResponse(proxyResponse);
 	if (proxyResponse.getStatus() != HTTPResponse::HTTP_OK)
-		throw HTTPException("Cannot establish proxy connection", proxyResponse.getReason());
+		throw HTTPException("Cannot establish proxy connection (" + std::to_string(proxyResponse.getStatus()) + ")", proxyResponse.getReason());
 	return proxySession->detachSocket();
 }