Fix WebSocket proxy to respect HTTP_PROXY and custom CA certificates

[shawnburke]

Summary

• Fixes WebSocket proxy connections bypassing HTTP_PROXY settings and custom CA certificates
• Customers behind corporate proxies with custom CAs were seeing "connection refused" errors
• The WebSocket dialing code added in Add WebSocket proxy traversal to reflector #79 was creating direct TCP connections instead of using the configured transport
• The relay_test.sh was designed to exercise this but did not strictly block access to the snyk-broker container, allowing it to pass when it should fail.

Root Cause

The dialWebSocketTarget function was using net.Dialer and tls.DialWithDialer directly, bypassing:

1. Proxy settings from http.ProxyFromEnvironment
2. Custom CA certificates loaded into the transport's TLSClientConfig

Changes

reflector.go:

• dialWebSocketTarget now checks for proxy settings via the transport
• Added dialThroughProxy() to establish HTTP CONNECT tunnels through proxies
• Added getTLSConfig() to reuse the transport's TLS config (including custom CAs)
• Added getProxyURL() to respect transport proxy function or environment variables
• Added Info-level logging for proxy vs direct connections

reflector_test.go:

• Added TestWebSocketProxyThroughHTTPProxy - verifies WebSocket works through HTTP CONNECT proxy
• Added TestGetTLSConfigFromTransport - verifies TLS config inheritance
• Added TestGetTLSConfigWithoutTransport - verifies fallback behavior

relay_test.sh:

• Now verifies WebSocket connections go through proxy when PROXY=1
• Checks for "Connecting to WebSocket target through proxy" log message
• Fails if direct connections are made when proxy is configured

Test plan

• All existing unit tests pass
• New proxy and TLS config tests pass
• Run PROXY=1 ./relay_test.sh to verify end-to-end proxy support
• Verify fix in Paychex environment

🤖 Generated with Claude Code