- support for downloading the CLI when proxy is configured

When running traffic through mitmproxy, you may encounter 502 Bad Gateway errors that mention HTTP/2 protocol error: *

*Received header value surrounded by whitespace**.

This happens because some upstream servers (including dev.coder.com) send back headers such as Content-Security-Policy

with leading or trailing spaces.

While browsers and many HTTP clients accept these headers, mitmproxy enforces the stricter HTTP/2 and HTTP/1.1 RFCs,

which forbid whitespace around header values.

As a result, mitmproxy rejects the response and surfaces a 502 to the client.

The workaround is to disable HTTP/2 in mitmproxy and force HTTP/1.1 on both the client and upstream sides. This avoids

the strict header validation path and allows

mitmproxy to pass responses through unchanged. You can do this by starting mitmproxy with:

mitmproxy --set http2=false --set upstream_http_version=HTTP/1.1

This ensures coder toolbox http client ↔ mitmproxy ↔ server connections all run over HTTP/1.1, preventing the whitespace

error.

import com.coder.toolbox.plugin.PluginManager

import com.coder.toolbox.sdk.CoderHttpClientBuilder

import com.coder.toolbox.sdk.interceptors.Interceptors

val interceptors = buildList {

add((Interceptors.userAgent(PluginManager.pluginInfo.version)))

add(Interceptors.logging(context))

}

val okHttpClient = CoderHttpClientBuilder.build(

context,

interceptors

)

package com.coder.toolbox.sdk

import com.coder.toolbox.CoderToolboxContext

import com.coder.toolbox.util.CoderHostnameVerifier

import com.coder.toolbox.util.coderSocketFactory

import com.coder.toolbox.util.coderTrustManagers

import com.jetbrains.toolbox.api.remoteDev.connection.ProxyAuth

import okhttp3.Credentials

import okhttp3.Interceptor

import okhttp3.OkHttpClient

import javax.net.ssl.X509TrustManager

object CoderHttpClientBuilder {

fun build(

context: CoderToolboxContext,

interceptors: List<Interceptor>

): OkHttpClient {

val settings = context.settingsStore.readOnly()

val socketFactory = coderSocketFactory(settings.tls)

val trustManagers = coderTrustManagers(settings.tls.caPath)

var builder = OkHttpClient.Builder()

if (context.proxySettings.getProxy() != null) {

context.logger.info("proxy: ${context.proxySettings.getProxy()}")

builder.proxy(context.proxySettings.getProxy())

} else if (context.proxySettings.getProxySelector() != null) {

context.logger.info("proxy selector: ${context.proxySettings.getProxySelector()}")

builder.proxySelector(context.proxySettings.getProxySelector()!!)

}

// Note: This handles only HTTP/HTTPS proxy authentication.

// SOCKS5 proxy authentication is currently not supported due to limitations described in:

// https://youtrack.jetbrains.com/issue/TBX-14532/Missing-proxy-authentication-settings#focus=Comments-27-12265861.0-0

builder.proxyAuthenticator { _, response ->

val proxyAuth = context.proxySettings.getProxyAuth()

if (proxyAuth == null || proxyAuth !is ProxyAuth.Basic) {

return@proxyAuthenticator null

}

val credentials = Credentials.basic(proxyAuth.username, proxyAuth.password)

response.request.newBuilder()

.header("Proxy-Authorization", credentials)

.build()

}

builder.sslSocketFactory(socketFactory, trustManagers[0] as X509TrustManager)

.hostnameVerifier(CoderHostnameVerifier(settings.tls.altHostname))

.retryOnConnectionFailure(true)

interceptors.forEach { interceptor ->

builder.addInterceptor(interceptor)

}

return builder.build()

}

}

import com.coder.toolbox.sdk.interceptors.Interceptors

val interceptors = buildList {

if (context.settingsStore.requireTokenAuth) {

if (token.isNullOrBlank()) {

throw IllegalStateException("Token is required for $url deployment")

}

add(Interceptors.tokenAuth(token))

add((Interceptors.userAgent(pluginVersion)))

add(Interceptors.externalHeaders(context, url))

add(Interceptors.logging(context))

httpClient = CoderHttpClientBuilder.build(

context,

interceptors

)

package com.coder.toolbox.sdk.interceptors

import com.coder.toolbox.CoderToolboxContext

import com.coder.toolbox.util.getArch

import com.coder.toolbox.util.getHeaders

import com.coder.toolbox.util.getOS

import okhttp3.Interceptor

import java.net.URL

object Interceptors {

/**

fun tokenAuth(token: String): Interceptor {

return Interceptor { chain ->

chain.proceed(

chain.request().newBuilder()

.addHeader("Coder-Session-Token", token)

.build()

)

}

}

/**

fun userAgent(pluginVersion: String): Interceptor {

return Interceptor { chain ->

chain.proceed(

chain.request().newBuilder()

.addHeader("User-Agent", "Coder Toolbox/$pluginVersion (${getOS()}; ${getArch()})")

.build()

)

}

}

/**

fun externalHeaders(context: CoderToolboxContext, url: URL): Interceptor {

val settings = context.settingsStore.readOnly()

return Interceptor { chain ->

var request = chain.request()

val headers = getHeaders(url, settings.headerCommand)

if (headers.isNotEmpty()) {

val reqBuilder = request.newBuilder()

headers.forEach { h -> reqBuilder.addHeader(h.key, h.value) }

request = reqBuilder.build()

}

chain.proceed(request)

}

}

/**

fun logging(context: CoderToolboxContext): Interceptor {

return LoggingInterceptor(context)

}

}

import com.jetbrains.toolbox.api.remoteDev.connection.ProxyAuth

import java.net.Proxy

import java.net.ProxySelector

object : ToolboxProxySettings {

override fun getProxy(): Proxy? = null

override fun getProxySelector(): ProxySelector? = null

override fun getProxyAuth(): ProxyAuth? = null

override fun addProxyChangeListener(listener: Runnable) {

}

override fun removeProxyChangeListener(listener: Runnable) {

}

})

val ccm = CoderCLIManager(

context.copy(settingsStore = settings),

it.url ?: URI.create("https://test.coder.invalid").toURL()

)