lib/promscrape: fixes proxy autorization (VictoriaMetrics#6783)

* Adds custom dial func for HTTP-Connect and socks5 proxy tunnels.
  Standard golang http.transport exposes GetProxyConnectHeader function,
  but it doesn't allow to use separate tls config for proxy.
  It also not possible to enforce HTTP-Connect with standard http lib.
* For http scrape targets, by default http.Transport.Proxy function must
  be used. Since it has special case with full uri forward.
* Adds proxy.URL json methods that allow to properly copy internal
fields, like User/Password.
It should fix bug with proxy_url. When credentials specified at URL was
ignored.
* Adds tests for scrape client proxy requests

related issue VictoriaMetrics#6771

docs/CHANGELOG.md

@@ -43,6 +43,7 @@ The value of `instance` label for those scrape targets will be changed from `<ad
 * FEATURE: [vmbackup](https://docs.victoriametrics.com/vmbackup/), [vmrestore](https://docs.victoriametrics.com/vmrestore/), [vmbackupmanager](https://docs.victoriametrics.com/vmbackupmanager/): use exponential backoff for retries when uploading or downloading data from S3. This should reduce the number of failed uploads and downloads when S3 is temporarily unavailable. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6732).
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): do not allow enabling `-stream.keepInput` and `keep_metric_names` options together in [stream aggregation config](https://docs.victoriametrics.com/stream-aggregation/#stream-aggregation-config), as it may result in time series collision.
 
+* BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent): fixes `proxy_url` authorization for scrape targets. Previously proxy authorization configuration was ignored for `https` targets. See [this](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6771) issue for details.
 * BUGFIX: [vmagent](https://docs.victoriametrics.com/vmagent/) fix service discovery of Azure Virtual Machines for response contains `nextLink`. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6784).
 * BUGFIX: [vmalert](https://docs.victoriametrics.com/vmalert): respect HTTP headers defined in [notifier configuration file](https://docs.victoriametrics.com/vmalert/#notifier-configuration-file) for each request to notifiers. Previously, this param was ignored by mistake.
 * BUGFIX: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): correctly apply `-streamAggr.dropInputLabels` when global stream deduplication is enabled without `-streamAggr.config`. Previously, `-remoteWrite.streamAggr.dropInputLabels` was used instead.

go.mod

@@ -32,7 +32,7 @@ require (
 	github.com/valyala/histogram v1.2.0
 	github.com/valyala/quicktemplate v1.8.0
 	golang.org/x/oauth2 v0.21.0
-	golang.org/x/sys v0.22.0
+	golang.org/x/sys v0.23.0
 	google.golang.org/api v0.189.0
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -116,11 +116,11 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/goleak v1.3.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/genproto v0.0.0-20240725223205-93522f1f2a9f // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240725223205-93522f1f2a9f // indirect

go.sum

@@ -547,6 +547,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -614,6 +616,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -634,6 +638,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -678,9 +684,12 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
 golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -689,6 +698,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

lib/netutil/statdial.go

@@ -11,8 +11,17 @@ import (
 	"github.com/VictoriaMetrics/metrics"
 )
 
+// NewStatDialFuncWithDial returns dialer function that registers stats metrics for conns.
+func NewStatDialFuncWithDial(metricPrefix string, dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)) func(ctx context.Context, network, addr string) (net.Conn, error) {
+	return newStatDialFunc(metricPrefix, dialFunc)
+}
+
 // NewStatDialFunc returns dialer function that supports DNS SRV records and registers stats metrics for conns.
 func NewStatDialFunc(metricPrefix string) func(ctx context.Context, network, addr string) (net.Conn, error) {
+	return newStatDialFunc(metricPrefix, DialMaybeSRV)
+}
+
+func newStatDialFunc(metricPrefix string, dialFunc func(ctx context.Context, network, addr string) (net.Conn, error)) func(ctx context.Context, network, addr string) (net.Conn, error) {
 	return func(ctx context.Context, _, addr string) (net.Conn, error) {
 		sc := &statDialConn{
 			dialsTotal: metrics.GetOrCreateCounter(fmt.Sprintf(`%s_dials_total`, metricPrefix)),
@@ -28,7 +37,7 @@ func NewStatDialFunc(metricPrefix string) func(ctx context.Context, network, add
 		}
 
 		network := GetTCPNetwork()
-		conn, err := DialMaybeSRV(ctx, network, addr)
+		conn, err := dialFunc(ctx, network, addr)
 		sc.dialsTotal.Inc()
 		if err != nil {
 			sc.dialErrors.Inc()

lib/promauth/config.go

@@ -360,6 +360,18 @@ func (ac *Config) GetAuthHeader() (string, error) {
 	return "", nil
 }
 
+// GetHTTPHeadersNoAuth returns http formatted headers without Authorization header
+func (ac *Config) GetHTTPHeadersNoAuth() http.Header {
+	if len(ac.headers) == 0 {
+		return nil
+	}
+	dst := make(http.Header, len(ac.headers))
+	for _, kv := range ac.headers {
+		dst.Add(kv.key, kv.value)
+	}
+	return dst
+}
+
 // String returns human-readable representation for ac.
 //
 // It is also used for comparing Config objects for equality. If two Config
@@ -438,6 +450,18 @@ func newGetTLSCertCached(getTLSCert getTLSCertFunc) getTLSCertFunc {
 	}
 }
 
+// GetTLSConfig returns cached tls configuration
+func (ac *Config) GetTLSConfig() (*tls.Config, error) {
+	if ac.getTLSConfigCached == nil {
+		return nil, fmt.Errorf("BUG: config must be properly initialized with Options.NewConfig() call")
+	}
+	tlsC, err := ac.getTLSConfigCached()
+	if err != nil {
+		return nil, err
+	}
+	return tlsC, nil
+}
+
 // NewRoundTripper returns new http.RoundTripper for the given ac, which uses the given trBase as base transport.
 //
 // The caller shouldn't change the trBase, since the returned RoundTripper owns it.

lib/promscrape/client.go

@@ -49,28 +49,42 @@ func newClient(ctx context.Context, sw *ScrapeWork) (*client, error) {
 	setProxyHeaders := func(_ *http.Request) error {
 		return nil
 	}
+	dialFunc := netutil.NewStatDialFunc("vm_promscrape")
 	proxyURL := sw.ProxyURL
-	if !strings.HasPrefix(sw.ScrapeURL, "https://") && proxyURL.IsHTTPOrHTTPS() {
-		pu := proxyURL.GetURL()
-		if pu.Scheme == "https" {
-			ac = sw.ProxyAuthConfig
-		}
-		setProxyHeaders = func(req *http.Request) error {
-			return proxyURL.SetHeaders(sw.ProxyAuthConfig, req)
-		}
-	}
 	var proxyURLFunc func(*http.Request) (*url.URL, error)
-	if pu := sw.ProxyURL.GetURL(); pu != nil {
-		proxyURLFunc = http.ProxyURL(pu)
+
+	if proxyURL != nil {
+		// case for direct http proxy connection.
+		// must be used for http based scrape targets
+		// since standard golang http.transport has special case for it
+		if strings.HasPrefix(sw.ScrapeURL, "http://") {
+			if proxyURL.URL.Scheme == "https" {
+				ac = sw.ProxyAuthConfig
+			}
+			proxyURLFunc = http.ProxyURL(proxyURL.URL)
+			setProxyHeaders = func(req *http.Request) error {
+				return proxyURL.SetHeaders(sw.ProxyAuthConfig, req)
+			}
+		} else {
+			// HTTP-Connect or socks5 proxy tunnel
+			// it makes possible to use separate tls configurations
+			// for proxy and backend connections
+			proxyDial, err := proxyURL.NewDialFunc(sw.ProxyAuthConfig)
+			if err != nil {
+				return nil, fmt.Errorf("cannot create dialer for proxy_url=%q connection: %w", proxyURL, err)
+			}
+			dialFunc = netutil.NewStatDialFuncWithDial("vm_promscrape", proxyDial)
+		}
 	}
+
 	hc := &http.Client{
 		Transport: ac.NewRoundTripper(&http.Transport{
 			Proxy:                  proxyURLFunc,
 			TLSHandshakeTimeout:    10 * time.Second,
 			IdleConnTimeout:        2 * sw.ScrapeInterval,
 			DisableCompression:     *disableCompression || sw.DisableCompression,
 			DisableKeepAlives:      *disableKeepAlive || sw.DisableKeepAlive,
-			DialContext:            netutil.NewStatDialFunc("vm_promscrape"),
+			DialContext:            dialFunc,
 			MaxIdleConnsPerHost:    100,
 			MaxResponseHeaderBytes: int64(maxResponseHeadersSize.N),
 		}),

lib/promscrape/client_test.go

@@ -0,0 +1,189 @@
+package promscrape
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/bytesutil"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/promauth"
+	"github.com/VictoriaMetrics/VictoriaMetrics/lib/proxy"
+)
+
+func copyHeader(dst, src http.Header) {
+	for k, vv := range src {
+		for _, v := range vv {
+			dst.Add(k, v)
+		}
+	}
+}
+
+func proxyTunnel(w http.ResponseWriter, r *http.Request) {
+	transfer := func(src io.ReadCloser, dst io.WriteCloser) {
+		defer dst.Close()
+		defer src.Close()
+		io.Copy(dst, src) //nolint
+	}
+	destConn, err := net.DialTimeout("tcp", r.Host, 10*time.Second)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	w.WriteHeader(http.StatusOK)
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "Hijacking not supported", http.StatusInternalServerError)
+		return
+	}
+	clientConn, _, err := hijacker.Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+	}
+	go transfer(clientConn, destConn)
+	transfer(destConn, clientConn)
+}
+
+type testProxyServer struct {
+	ba                   *promauth.BasicAuthConfig
+	receivedProxyRequest bool
+}
+
+func checkBasicAuthHeader(w http.ResponseWriter, headerValue string, ba *promauth.BasicAuthConfig) bool {
+	userPasswordEncoded := base64.StdEncoding.EncodeToString([]byte(ba.Username + ":" + ba.Password.String()))
+	expectedAuthValue := "Basic " + userPasswordEncoded
+	if headerValue != expectedAuthValue {
+		w.WriteHeader(403)
+		fmt.Fprintf(w, "Proxy Requires authorization got header value=%q, want=%q", headerValue, expectedAuthValue)
+		return false
+	}
+	return true
+}
+
+func (tps *testProxyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	tps.receivedProxyRequest = true
+	if tps.ba != nil {
+		if !checkBasicAuthHeader(w, r.Header.Get("Proxy-Authorization"), tps.ba) {
+			return
+		}
+	}
+	if r.Method == http.MethodConnect {
+		proxyTunnel(w, r)
+		return
+	}
+
+	resp, err := http.DefaultTransport.RoundTrip(r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusServiceUnavailable)
+		return
+	}
+	defer resp.Body.Close()
+	copyHeader(w.Header(), resp.Header)
+	w.WriteHeader(resp.StatusCode)
+	io.Copy(w, resp.Body) //nolint
+}
+
+func newClientTestServer(useTLS bool, rh http.Handler) *httptest.Server {
+	var s *httptest.Server
+	if useTLS {
+		s = httptest.NewTLSServer(rh)
+	} else {
+		s = httptest.NewServer(rh)
+	}
+	return s
+}
+
+func newTestAuthConfig(t *testing.T, isTLS bool, ba *promauth.BasicAuthConfig) *promauth.Config {
+	a := promauth.Options{
+		BasicAuth: ba,
+	}
+	if isTLS {
+		a.TLSConfig = &promauth.TLSConfig{InsecureSkipVerify: true}
+	}
+	ac, err := a.NewConfig()
+	if err != nil {
+		t.Fatalf("cannot setup promauth.Confg: %s", err)
+	}
+	return ac
+}
+
+func TestClientProxyReadOk(t *testing.T) {
+	ctx := context.Background()
+	f := func(isBackendTLS, isProxyTLS bool, backendAuth, proxyAuth *promauth.BasicAuthConfig) {
+		t.Helper()
+
+		proxyHandler := &testProxyServer{ba: proxyAuth}
+		ps := newClientTestServer(isProxyTLS, proxyHandler)
+
+		expectedBackendResponse := `metric_name{key="value"} 123\n`
+
+		backend := newClientTestServer(isBackendTLS, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if backendAuth != nil && !checkBasicAuthHeader(w, r.Header.Get("Authorization"), backendAuth) {
+				return
+			}
+			w.Write([]byte(expectedBackendResponse))
+		}))
+
+		defer backend.Close()
+		defer ps.Close()
+
+		c, err := newClient(ctx, &ScrapeWork{
+			ScrapeURL:       backend.URL,
+			ProxyURL:        proxy.MustNewURL(ps.URL),
+			ScrapeTimeout:   2 * time.Second,
+			AuthConfig:      newTestAuthConfig(t, isBackendTLS, backendAuth),
+			ProxyAuthConfig: newTestAuthConfig(t, isProxyTLS, proxyAuth),
+			MaxScrapeSize:   16000,
+		})
+		if err != nil {
+			t.Fatalf("failed to create client: %s", err)
+		}
+		var bb bytesutil.ByteBuffer
+		if err := c.ReadData(&bb); err != nil {
+			t.Fatalf("unexpected error at ReadData: %s", err)
+		}
+		got, err := io.ReadAll(bb.NewReader())
+		if err != nil {
+			t.Fatalf("err read: %s", err)
+		}
+
+		if !proxyHandler.receivedProxyRequest {
+			t.Fatalf("proxy server didn't recieved request")
+		}
+		if string(got) != expectedBackendResponse {
+			t.Fatalf("not expected response: ")
+		}
+	}
+
+	// no tls
+	f(false, false, nil, nil)
+	// both tls no auth
+	f(true, true, nil, nil)
+	// backend tls, proxy http no auth
+	f(true, false, nil, nil)
+	// backend http, proxy tls no auth
+	f(false, true, nil, nil)
+
+	// no tls with auth
+	f(false, false, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
+	// proxy tls and auth
+	f(false, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
+	// backend tls and auth
+	f(true, false, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
+	// tls with auth
+	f(true, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, &promauth.BasicAuthConfig{Username: "proxy-test"})
+
+	// tls with backend auth
+	f(true, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, nil)
+	// tls with proxy auth
+	f(true, true, nil, &promauth.BasicAuthConfig{Username: "proxy-test", Password: promauth.NewSecret("1234")})
+	// proxy tls with backend auth
+	f(false, true, &promauth.BasicAuthConfig{Username: "test", Password: promauth.NewSecret("1234")}, nil)
+	// backend tls and proxy auth
+	f(true, false, nil, &promauth.BasicAuthConfig{Username: "proxy-test", Password: promauth.NewSecret("1234")})
+}