Return 407 for proxy requests with missing auth instead of 404

madeye · claude · madeye · commit 69137e314f6b · 2026-03-12T17:40:54.000+08:00
Chrome needs a 407 Proxy-Authenticate challenge to trigger credential
sending. Non-proxy requests (no CONNECT, no absolute URI) still get
stealth nginx 404, so scanners can't distinguish the proxy from a
normal web server. Add Chrome auth challenge test.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -27,7 +27,7 @@ Stealth HTTPS forward proxy that auto-obtains TLS certs via ACME/Let's Encrypt a
 
 ### Key Design Decisions
 
-- **Stealth over standards**: Auth failures return 404, not 407. The proxy is indistinguishable from a misconfigured nginx to scanners.
+- **Stealth for non-proxy traffic**: Non-proxy requests (no absolute URI, no CONNECT) return nginx 404. Proxy requests with missing/wrong auth get 407 so real clients (Chrome) can authenticate.
 - **hyper 1.x with upgrades**: `http1::Builder` must use `.with_upgrades()` for CONNECT tunneling to work.
 - **Proxy detection**: `req.uri().authority().is_some()` (absolute URI) or `Method::CONNECT`.
 - **ACME on port 443 only**: Uses TLS-ALPN-01 challenge type, no port 80 listener needed.
diff --git a/src/lib.rs b/src/lib.rs
@@ -48,7 +48,7 @@ pub async fn handle_request(
     let auth_ok = auth::check_proxy_auth(&req, &config.users);
 
     if !auth_ok {
-        return Ok(stealth::fake_404(&config.stealth.server_name));
+        return Ok(stealth::proxy_auth_required(&config.stealth.server_name));
     }
 
     if req.method() == Method::CONNECT {
diff --git a/src/stealth.rs b/src/stealth.rs
@@ -1,8 +1,9 @@
 //! Stealth layer that hides the proxy from scanners and browsers.
 //!
-//! Non-proxy traffic (no absolute URI, no `CONNECT`) and failed auth both
-//! receive an identical nginx-style 404 response, making the proxy
-//! indistinguishable from a misconfigured web server.
+//! Non-proxy traffic (no absolute URI, no `CONNECT`) receives a nginx-style
+//! 404 response, making the proxy indistinguishable from a misconfigured web
+//! server. Proxy requests with missing/invalid auth get a `407` so that
+//! real clients (e.g. Chrome) can send credentials.
 
 use http_body_util::Full;
 use hyper::body::{Bytes, Incoming};
@@ -43,3 +44,18 @@ pub fn fake_404(server_name: &str) -> Response<Full<Bytes>> {
         .body(Full::new(Bytes::from(body)))
         .unwrap()
 }
+
+/// Build a 407 response requesting proxy authentication.
+///
+/// Sent when a proxy request (CONNECT or absolute URI) arrives without
+/// valid credentials. The `Proxy-Authenticate` header tells clients like
+/// Chrome to prompt for or resend credentials.
+pub fn proxy_auth_required(server_name: &str) -> Response<Full<Bytes>> {
+    Response::builder()
+        .status(StatusCode::PROXY_AUTHENTICATION_REQUIRED)
+        .header("Server", server_name)
+        .header("Proxy-Authenticate", "Basic realm=\"proxy\"")
+        .header("Content-Length", "0")
+        .body(Full::new(Bytes::new()))
+        .unwrap()
+}
diff --git a/tests/chrome_tests.rs b/tests/chrome_tests.rs
@@ -2,6 +2,15 @@ mod common;
 
 use common::echo_server::EchoServer;
 use common::test_server::TestServer;
+use https_proxy::config::UserConfig;
+
+fn test_users() -> Vec<UserConfig> {
+    vec![UserConfig {
+        username: "testuser".to_string(),
+        password: "testpass".to_string(),
+    }]
+}
+
 fn chrome_path() -> Option<String> {
     // Fixed paths (macOS)
     let candidates = [
@@ -31,9 +40,9 @@ fn chrome_path() -> Option<String> {
     None
 }
 
-/// Chrome fetches an HTTP URL through the HTTPS proxy (HTTP forward path).
+/// Chrome fetches an HTTP URL through the HTTPS proxy (no-auth, HTTP forward path).
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_chrome_http_forward_through_proxy() {
+async fn test_chrome_http_forward_no_auth() {
     let chrome = match chrome_path() {
         Some(p) => p,
         None => {
@@ -74,10 +83,9 @@ async fn test_chrome_http_forward_through_proxy() {
     );
 }
 
-/// Chrome sends CONNECT for HTTPS URLs through the proxy.
-/// Tests that HTTP/2 CONNECT tunneling works with enable_connect_protocol().
+/// Chrome sends CONNECT for HTTPS URLs (no-auth, tests H2 CONNECT tunnel).
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_chrome_https_connect_through_proxy() {
+async fn test_chrome_https_connect_no_auth() {
     let chrome = match chrome_path() {
         Some(p) => p,
         None => {
@@ -87,7 +95,6 @@ async fn test_chrome_https_connect_through_proxy() {
     };
 
     let server = TestServer::start_no_auth().await;
-
     let proxy_url = server.proxy_url();
 
     let output = tokio::task::spawn_blocking(move || {
@@ -121,3 +128,46 @@ async fn test_chrome_https_connect_through_proxy() {
         &stdout[..stdout.len().min(500)]
     );
 }
+
+/// When auth is required, Chrome gets a 407 Proxy-Authenticate challenge.
+/// Headless Chrome can't complete the auth handshake without extensions,
+/// so we verify it receives 407 (not 404) which enables interactive auth.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_chrome_gets_407_when_auth_required() {
+    let chrome = match chrome_path() {
+        Some(p) => p,
+        None => {
+            eprintln!("Chrome/Chromium not found, skipping");
+            return;
+        }
+    };
+
+    let server = TestServer::start(test_users()).await;
+    let proxy_url = server.proxy_url();
+
+    let output = tokio::task::spawn_blocking(move || {
+        std::process::Command::new(&chrome)
+            .arg("--headless=new")
+            .arg("--disable-gpu")
+            .arg("--no-sandbox")
+            .arg("--disable-software-rasterizer")
+            .arg("--timeout=10000")
+            .arg(format!("--proxy-server={proxy_url}"))
+            .arg("--ignore-certificate-errors")
+            .arg("--dump-dom")
+            .arg("https://example.com/")
+            .output()
+            .unwrap()
+    })
+    .await
+    .unwrap();
+
+    let stdout = String::from_utf8_lossy(&output.stdout);
+
+    // Chrome should show ERR_PROXY_AUTH_REQUESTED (got 407), not
+    // ERR_TUNNEL_CONNECTION_FAILED (which would mean the proxy is broken).
+    assert!(
+        !stdout.contains("ERR_TUNNEL_CONNECTION_FAILED"),
+        "Should get auth challenge, not tunnel failure"
+    );
+}
diff --git a/tests/curl_tests.rs b/tests/curl_tests.rs
@@ -62,7 +62,7 @@ async fn test_curl_forward_through_proxy() {
 }
 
 #[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn test_curl_no_auth_gets_404() {
+async fn test_curl_no_auth_gets_407() {
     if !curl_available() {
         eprintln!("curl not found, skipping");
         return;
@@ -94,5 +94,8 @@ async fn test_curl_no_auth_gets_404() {
     .unwrap();
 
     let status_code = String::from_utf8_lossy(&output.stdout);
-    assert_eq!(status_code, "404", "missing auth should get stealth 404");
+    assert_eq!(
+        status_code, "407",
+        "missing auth on proxy request should get 407"
+    );
 }

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ pub async fn handle_request(`
`48`	`48`	`let auth_ok = auth::check_proxy_auth(&req, &config.users);`
`49`	`49`
`50`	`50`	`if !auth_ok {`
`51`		`- return Ok(stealth::fake_404(&config.stealth.server_name));`
	`51`	`+ return Ok(stealth::proxy_auth_required(&config.stealth.server_name));`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`if req.method() == Method::CONNECT {`