feat(fetch): add HTTP proxy support (#273)

- Support HTTP_PROXY, HTTPS_PROXY, ALL_PROXY environment variables
- Support NO_PROXY for bypassing specific hosts with port matching
- Support proxy authentication via URL credentials
- Default bypass for localhost, 127.0.0.1, ::1

Author: chessbyte

Cargo.lock

@@ -630,6 +630,40 @@ Initializes TLS connections in parallel during function init which significantly
 
 Set the TLS version to be used for network connections. By default only TLS 1.2 is enabled. TLS 1.3 can also be enabled by setting this variable to `1.3`
 
+### `HTTP_PROXY=url` / `HTTPS_PROXY=url`
+
+Configure HTTP/HTTPS proxy servers for outgoing `fetch` requests. The URL can include authentication credentials.
+
+- `HTTP_PROXY` - Proxy for HTTP requests
+- `HTTPS_PROXY` - Proxy for HTTPS requests
+- `ALL_PROXY` - Fallback proxy for both HTTP and HTTPS if specific proxy is not set
+
+Examples:
+
+```shell
+HTTP_PROXY=http://proxy.example.com:8080
+HTTPS_PROXY=http://user:[email protected]:8080
+ALL_PROXY=http://proxy.example.com:3128
+```
+
+### `NO_PROXY=hosts`
+
+Comma-separated list of hosts that should bypass the proxy. Supports:
+
+- `*` - Bypass all hosts
+- `.example.com` - Bypass subdomains only (e.g., `sub.example.com` but not `example.com`)
+- `example.com` - Bypass domain and all subdomains
+- `example.com:8080` - Bypass only when port matches (pattern without port matches any port)
+- `[::1]:8080` - IPv6 with port (use brackets)
+
+Default bypass hosts: `localhost`, `127.0.0.1`, `::1`
+
+Example:
+
+```shell
+NO_PROXY=localhost:3000,.internal.corp,api.example.com:443
+```
+
 ## Benchmark Methodology
 
 Although Init Duration [reported by Lambda](https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtime-environment.html) is commonly used to understand cold start impact on overall request latency, this metric does not include the time needed to copy code into the Lambda sandbox.

README.md

@@ -23,11 +23,15 @@ native-roots = ["llrt_tls/native-roots"]
 [dependencies]
 bytes = { version = "1", default-features = false }
 http-body-util = { version = "0.1", default-features = false }
+headers = { version = "0.4", default-features = false }
 hyper = { version = "1", features = ["client"], default-features = false }
 hyper-util = { version = "0.1", default-features = false }
 hyper-rustls = { version = "0.27", features = [
   "ring",
 ], default-features = false }
+hyper-http-proxy = { version = "1", default-features = false }
+percent-encoding = { version = "2", default-features = false, features = ["std"] }
+tracing = { version = "0.1", default-features = false }
 llrt_dns_cache = { version = "0.7.0-beta", path = "../../libs/llrt_dns_cache" }
 llrt_tls = { version = "0.7.0-beta", default-features = false, path = "../llrt_tls" }
 llrt_utils = { version = "0.7.0-beta", path = "../../libs/llrt_utils", default-features = false }

modules/llrt_http/Cargo.toml

@@ -1,27 +1,23 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
-use std::convert::Infallible;
-
-use bytes::Bytes;
-use http_body_util::combinators::BoxBody;
-use hyper_rustls::HttpsConnector;
-use hyper_util::client::legacy::{connect::HttpConnector, Client};
-use llrt_dns_cache::CachedDnsResolver;
 use llrt_utils::result::ResultExt;
 use llrt_utils::{any_of::AnyOf4, bytes::ObjectBytes, object::ObjectExt};
 use rquickjs::{prelude::Opt, Ctx, Error, FromJs, Result, Value};
 
+use crate::{
+    proxy::{ProxyConfig, PROXY_CONFIG},
+    HyperClient,
+};
+
 #[rquickjs::class]
 #[derive(rquickjs::JsLifetime, rquickjs::class::Trace)]
 pub struct Agent {
     #[qjs(skip_trace)]
-    client: Client<HttpsConnector<HttpConnector<CachedDnsResolver>>, BoxBody<Bytes, Infallible>>,
+    client: HyperClient,
 }
 
 impl Agent {
-    pub fn client(
-        &self,
-    ) -> Client<HttpsConnector<HttpConnector<CachedDnsResolver>>, BoxBody<Bytes, Infallible>> {
+    pub fn client(&self) -> HyperClient {
         self.client.clone()
     }
 }
@@ -47,8 +43,15 @@ impl Agent {
             ca,
         })
         .or_throw_msg(&ctx, "Failed to build TLS config")?;
-        let client =
-            crate::build_client(Some(config)).or_throw_msg(&ctx, "Failed to build HTTP client")?;
+
+        // Use global proxy config for the Agent's client
+        let proxy_config: Option<&ProxyConfig> = if PROXY_CONFIG.is_enabled() {
+            Some(&*PROXY_CONFIG)
+        } else {
+            None
+        };
+        let client = crate::build_client(Some(config), proxy_config)
+            .or_throw_msg(&ctx, "Failed to build HTTP client")?;
 
         Ok(Self { client })
     }