
Bruno does not recognize proxies set by env var and thus skips CONNECT calls

Open riskersen opened this issue 1 year ago • 3 comments

I have checked the following:

  • [X] I use the newest version of bruno.
  • [X] I've searched existing issues and found nothing related to my issue.

Describe the bug

I'm trying to get access tokens from Entra, but it always fails with a 500 coming from our proxy server. When I checked the proxy logs, it was clear that Bruno does not set up TLS and is trying to send plaintext to an HTTPS endpoint. The proxy is set as an environment variable at system level, and Bruno is a portable version on Windows 10.

Unfortunately, the network log stays empty in developer tools, so I cannot provide more details except for the proxy error message.

The issue appears when using built-in auth mechanism, script pane and also for direct API calls.

.bru file to reproduce the bug

No response

Screenshots/Live demo link

Handshake failed
The SSL handshake could not be performed.
Host: login.microsoftonline.com
Reason: Can't initialize server context:handshakefailed:server state 1:state 9:Application response 500 handshakefailed
Company Acceptable Use Policy
This is an optional acceptable use disclaimer that appears on every page. You may change the wording or remove this section entirely in index.html.
For assistance, please contact your system administrator.
generated 2024-08-21 17:02:50 by McAfee Web Gateway
axios/1.7.2

riskersen avatar Aug 21 '24 15:08 riskersen

I've created a tcpdump and noticed that calls done by Bruno are missing CONNECT calls:

dummy curl from windows: image

vs bruno: image

So it seems that Bruno is not aware that I'm using a proxy. The proxy variables are set by env vars and not within Bruno's config:

C:\Users\me>set HTTPS_PROXY=http://proxy.zz:3128 HTTP_PROXY=http://proxy.zz:3128

Next test, setting HTTP_PROXY and HTTPS_PROXY to an empty string (set HTTP_PROXY="") + setting proxy in bruno results in empty calls to the proxy: image

After unsetting HTTP_PROXY and HTTPS_PROXY in cmd with set HTTP_PROXY= and set HTTPS_PROXY= + starting bruno from this cmd, I'm able to call login.microsoftonline as intended.

From my perspective, the proxy support is really improvable, see also #2408

Enterprise-level companies usually enforce the usage of proxies, so Bruno should respect the environment variables (if set and not empty) and acknowledge them, or should ignore them if a proxy is explicitly configured in Bruno.

Unfortunately, my knowledge in node is close to zero :(

riskersen avatar Aug 21 '24 17:08 riskersen

Thanks for reporting this @riskersen We are in the final stages of getting a PR merged that will solve the issue around skipping the CONNECT call

We expect a fix to be released early next week. cc @lohxt1 @byjrack

helloanoop avatar Aug 22 '24 08:08 helloanoop

And @riskersen likely it's all the same bug in Axios mentioned in #1372. For https_proxy env Axios assumes that the scheme will be https and thus sends a TLS handshake before it would try and CONNECT. Many proxies will just be listening on HTTP for efficiency so you get a variety of error conditions based on the proxy provider when the client sends the TLS handshake. Been a long standing bug in Axios, but the Bruno crew are just going to be a bit more explicit as you can see in #2724 to avoid triggering the bad logic in Axios.

byjrack avatar Aug 22 '24 12:08 byjrack
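
The behaviour discussed above, as an added example that is not Bruno's or Axios's code: the proxy is taken from the environment only when the variable is set and non-empty, an explicit setting wins, and the transport to the proxy follows the proxy URL's scheme, so an `http://` proxy receives a plaintext CONNECT before any TLS. The function names, the `appProxy` parameter and the returned fields are hypothetical.

```javascript
// Added example: not Bruno's or Axios's code; all names here are hypothetical.

// Choose the proxy for a target. An explicit app setting wins; otherwise the
// env var is used only when set and non-empty. cmd's `set HTTPS_PROXY=""`
// stores two quote characters, so surrounding quotes are stripped first.
function pickProxy(targetUrl, env, appProxy) {
  if (appProxy) return new URL(appProxy);
  const name = new URL(targetUrl).protocol === 'https:' ? 'HTTPS_PROXY' : 'HTTP_PROXY';
  const raw = (env[name] || env[name.toLowerCase()] || '')
    .replace(/^"+|"+$/g, '')
    .trim();
  return raw ? new URL(raw) : null;
}

// Describe the first hop. Whether the client speaks TLS to the proxy depends
// on the PROXY URL's scheme, never on the target's scheme.
function planRequest(targetUrl, env, appProxy) {
  const target = new URL(targetUrl);
  const proxy = pickProxy(targetUrl, env, appProxy);
  if (!proxy) return { via: 'direct', tlsToProxy: false, firstBytes: null };

  const tlsToProxy = proxy.protocol === 'https:';
  const via = `${proxy.hostname}:${proxy.port || (tlsToProxy ? '443' : '80')}`;

  if (target.protocol === 'https:') {
    // Tunnel: CONNECT goes to the proxy first; the TLS handshake with the
    // target starts only after the proxy answers 200.
    const authority = `${target.hostname}:${target.port || '443'}`;
    const firstBytes = `CONNECT ${authority} HTTP/1.1\r\nHost: ${authority}\r\n\r\n`;
    return { via, tlsToProxy, firstBytes };
  }
  // Plain HTTP target: absolute-form request line, no tunnel.
  const firstBytes = `GET ${target.href} HTTP/1.1\r\nHost: ${target.host}\r\n\r\n`;
  return { via, tlsToProxy, firstBytes };
}

// Constructed sample input mirroring the report: http:// proxy, https:// target.
const plan = planRequest('https://login.microsoftonline.com/', {
  HTTPS_PROXY: 'http://proxy.zz:3128',
});
console.log(plan.via, plan.tlsToProxy, JSON.stringify(plan.firstBytes));
```
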

Hello,

It seems that I have the same problem using the CLI. With Bruno, I get image

With Curl image

The proxy is set through HTTPS_PROXY environment variable

If I reset the HTTPS_PROXY environment variable and I add proxy configuration to the "bruno.json" file, then everything is OK. But our network configuration makes it unusable because

  • on our laptops, we don't need to configure any proxy (proxying is done at OS level)
  • on our servers, the proxy needs to be configured

bhecquet avatar Nov 28 '24 09:11 bhecquet

Hi, apologies for the late response. This issue has been resolved as per our latest version 1.35, as we have added the option to choose 'System proxy' in Bruno. Please check it out and let me know how it goes. Thanks!


sreelakshmi-bruno avatar Dec 03 '24 06:12 sreelakshmi-bruno

Hello @sreelakshmi-bruno

I just tested your suggestion but I cannot make it work. In the application, I've set "system proxy" as suggested. In the collection, I've set proxy to "global" (not sure if it's the right way). I save the collection and execute it through the CLI on another server that needs proxy access to go outside of our network.

I get error "(Invalid URL)"

In the network capture I don't see any connection to the proxy

bhecquet avatar Dec 03 '24 16:12 bhecquet

Hi @bhecquet, this setting would only work in the app at present. We're yet to add this feature to the CLI. Can you try using the GUI?

sreelakshmi-bruno avatar Dec 05 '24 11:12 sreelakshmi-bruno

Hello @sreelakshmi-bruno, I don't have a proxy on my Windows machine, so it will be difficult for me to do the test. In our setup, proxy settings are only required for servers.

bhecquet avatar Dec 06 '24 09:12 bhecquet

We are working on a fix for the CLI. Will post updates here. Thanks!

sreelakshmi-bruno avatar Dec 10 '24 11:12 sreelakshmi-bruno

Hi, can you test this issue with the beta version of CLI that I shared below and let me know if the problem persists? Thanks!

npm i @usebruno/cli-next@latest -g

sreelakshmi-bruno avatar Jan 03 '25 07:01 sreelakshmi-bruno

Hello

I tested with 1.37 with support team and it works

bhecquet avatar Jan 03 '25 08:01 bhecquet

Hello, On the latest version 1.37, System Proxy is not working using ZScaler application. It seems that it does not recognize that a proxy is globally set. What do you need to analyze?

renalddubusedenred avatar Jan 07 '25 11:01 renalddubusedenred

What is the error you are seeing? My org uses z and is surfaced by a PAC and ztunnel. 1.37 seems to work fine in seeing the proxy, but I am seeing issues w CA trust settings not applying.

byjrack avatar Jan 07 '25 12:01 byjrack

> What is the error you are seeing? My org uses z and is surfaced by a PAC and ztunnel. 1.37 seems to work fine in seeing the proxy, but I am seeing issues w CA trust settings not applying.

I want to call Azure WebService, which is secured by private endpoint. ZScaler is used to allow this communication. Using Postman and system proxy, I have no problem. Using Bruno and system proxy, I get a 403 - Forbidden error code.

renalddubusedenred avatar Jan 07 '25 12:01 renalddubusedenred

403 would indicate it's reaching the Azure endpoint, but it's missing an Auth header so it's rejecting the connection. Seems like Z and Bruno are fine together and I would look at your request to be sure the authorization is correct.

byjrack avatar Jan 07 '25 12:01 byjrack

I had no Auth on my API (yes, it's bad). I'm receiving this 403 error code because Azure doesn't allow my computer (private endpoint), because Bruno is not using the system proxy and my computer is not recognized as an authenticated computer.

renalddubusedenred avatar Jan 07 '25 12:01 renalddubusedenred

Calling the same URL in my browser is working too. My error is related to Bruno

renalddubusedenred avatar Jan 07 '25 13:01 renalddubusedenred

Ahh got it you are using Conditional Access on the authorization and your source IP is from public Z CIDRs and not your trusted private space.

Have you tried to send it direct to your private service endpoint for zscaler so it egresses on your trusted? Maybe it's having a hard time reading the PAC file (not sure if Bruno supports PACs honestly) and if you are not using an app forwarding rule for that domain so ztunnel steers it to egress on your trusted IP space it will default go the public edge.

If you don't know your private edge you can figure it out by reading the PAC file commonly. It's just a blob of javascript so you can look for the domain you are trying to access and the endpoint it should use for connection. Your network team could also create a ztunnel config for this so it happens transparently as any tool that is not "PAC" aware will have issues.

byjrack avatar Jan 07 '25 13:01 byjrack
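
Reading a PAC file as described above, as an added example that is not Bruno's code: it evaluates `FindProxyForURL` for one target and lists the proxy endpoints in fallback order, which gives the value to enter as a manual proxy. The PAC text, host names and helper implementations are constructed for illustration, and only three of the standard PAC helper functions are provided.

```javascript
// Added example: not Bruno's code. The PAC text and hosts are constructed.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(host, "*.internal-api.example"))
    return "PROXY private-edge.example:9400; DIRECT";
  return "PROXY public-edge.example:80";
}`;

// Minimal versions of the PAC helper functions the sample script calls.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) => {
    const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&');
    return new RegExp(`^${escaped.replace(/\*/g, '.*').replace(/\?/g, '.')}$`).test(str);
  },
};

// Evaluate the PAC script for one URL and return its ordered proxy list.
// A PAC file is ordinary JavaScript and new Function is not a sandbox:
// run this only on the PAC file published by your own organisation.
function resolveViaPac(pacSource, targetUrl) {
  const host = new URL(targetUrl).hostname;
  const names = Object.keys(pacHelpers);
  const find = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`)(
    ...names.map((n) => pacHelpers[n])
  );
  // "PROXY host:port; DIRECT" is an ordered fallback list.
  return find(targetUrl, host)
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const [kind, hostPort] = entry.split(/\s+/);
      const scheme = { PROXY: 'http', HTTPS: 'https' }[kind];
      return { kind, url: scheme ? `${scheme}://${hostPort}` : null };
    });
}

console.log(resolveViaPac(SAMPLE_PAC, 'https://api.internal-api.example/v1'));
```
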

Hi, this issue has been resolved in 1.39. Please check it out.

sreelakshmi-bruno avatar Feb 26 '25 07:02 sreelakshmi-bruno

Hello, I tried version 1.39.1 and the problem is still here. I cannot call my APIs through the internal proxy.

renalddubusedenred avatar Mar 04 '25 13:03 renalddubusedenred

Hello, for me, it's OK

bhecquet avatar Mar 04 '25 15:03 bhecquet

Hello @renalddubusedenred, since it's working for others but not for you, we'll need a bit more information to help resolve the issue.

Please check the following:

Go to Preferences -> Proxy and ensure that System Proxy is selected. Verify if the values below are visible. Also, check the collection-level proxy setting to ensure it's configured correctly.

Additionally, as a workaround, instead of relying on the system proxy, could you try setting the proxy manually from Preferences -> Proxy until we can fix this issue?

naman-bruno avatar Mar 05 '25 06:03 naman-bruno

Hello, with version 1.39.1 (portable), the problem still exists. In my org a PAC proxy is used. I set the http_proxy and https_proxy envs and Bruno finds them, but the response returns a 403 error.

Edit 09:51 AM - 2025/03/07, after finding the correct proxy uri inside PAC script and setting it in manual mode, it works.

davidefalco avatar Mar 06 '25 15:03 davidefalco

Hello, version 1.40 fixes the issue. System proxy is now working. Thanks

renalddubusedenred avatar Apr 03 '25 10:04 renalddubusedenred

I am closing this issue as resolved in v1.40. Please feel free to reopen if the issue still persists.

anusree-bruno avatar Apr 04 '25 11:04 anusree-bruno