Fix: Connectivity check fails with Squid/Strict Proxies (Force CONNECT on port 80)

[Nixxeee]

The Issue

The current implementation forces CURLOPT_HTTPPROXYTUNNEL to true for all connectivity checks.
The check URL is currently http://www.msftncsi.com/ncsi.txt (Plain HTTP).

When CURLOPT_HTTPPROXYTUNNEL is enabled on an HTTP URL, cURL sends a CONNECT method request on port 80 (instead of a standard GET).
Most strict proxy configurations (like Squid's default safe_ports) explicitly block the CONNECT method on non-SSL ports to prevent protocol tunneling security risks.

This causes Unraid to incorrectly report "Offline" status even when connectivity is fine.

The Fix

This PR refactors proxy_online to make the tunneling option conditional:

1. It defines the check URL in a variable $checkurl.
2. It checks the scheme:
   • If https:// -> Enable Tunneling (True).
   • If http:// -> Disable Tunneling (False).

This ensures compatibility with standard proxy configurations while remaining robust if the check URL is changed to HTTPS in the future.

References / Community Reports

https://forums.unraid.net/topic/190733-712-outgoing-proxy-how/

Summary by CodeRabbit

• Bug Fixes
  • Improved outgoing proxy connection handling with dynamic URL detection and scheme-based tunneling configuration for enhanced compatibility.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The change modifies the OutgoingProxyLib.php to use a dynamic check URL for NC SI status instead of a hardcoded value, and conditionally enables HTTP proxy tunneling based on whether the check URL uses HTTPS.

Changes

Cohort / File(s)	Summary
Proxy Tunneling Logic emhttp/plugins/dynamix/include/OutgoingProxyLib.php	Dynamic check URL determination with conditional HTTP proxy tunneling enabled for HTTPS schemes; HTTP schemes maintain non-tunneling behavior

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A proxy hops through URLs so grand,
HTTPS tunnels now at hand,
Dynamic checks replace the old,
Schemes now guide this path untold! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and clearly describes the main bug fix: conditional HTTP proxy tunneling based on URL scheme to resolve connectivity check failures with strict proxies.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@emhttp/plugins/dynamix/include/OutgoingProxyLib.php`:
- Around line 61-71: The current $checkurl is hardcoded to
"http://www.msftncsi.com/ncsi.txt" which makes the $isHttps check and
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, $isHttps) dead code; update the code
to either (A) make $checkurl configurable (e.g., accept it from a function
parameter or configuration value) so parse_url($checkurl, PHP_URL_SCHEME) can be
'http' or 'https' at runtime and the existing $isHttps logic works, or (B) if
only HTTP will ever be used, remove the conditional and explicitly set
CURLOPT_HTTPPROXYTUNNEL to false to reflect the intended behavior; adjust
references to $checkurl and $isHttps accordingly.

[ljm42]

The purpose of the test is to confirm whether the server can read http://www.msftncsi.com/ncsi.txt over the proxy. If the proxy you want to use does not support http then the proxy needs to be improved, it does not make sense to disable the http check for everyone else. Or what am I missing?

[Nixxeee]

I think there is a misunderstanding on the technical cause of the failure. I am not trying to disable the HTTP check, but to fix how the request is made when a proxy is configured.

Currently, the code forces CURLOPT_HTTPPROXYTUNNEL = true.

When the URL is HTTP (like the NCSI test), cURL sends a CONNECT request to the proxy on port 80.
Most standard proxies (like Squid) strictly forbid the CONNECT method on port 80 for security reasons (it's reserved for SSL/443). They expect a standard GET for HTTP.
My PR doesn't disable the check for anyone; it simply ensures that:

If the URL is http://, we use a standard GET request (Tunneling OFF).
If the URL is https://, we use the CONNECT method (Tunneling ON).

This fix actually enables the check to work for everyone using a standard proxy, which is currently broken and leads to a false 'Offline' status.

[ljm42]

Thanks, I think you are right. I'll do some testing and will most likely recommend that this be merged.