GcsSloop · GcsSloop · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
diff --git a/backend/internal/api/accounts_handler.go b/backend/internal/api/accounts_handler.go
@@ -50,6 +50,18 @@ type accountsSettingsReader interface {
 
 type AccountsHandlerOption func(*AccountsHandler)
 
+func WithAccountsHTTPClient(client *http.Client) AccountsHandlerOption {
+	return func(handler *AccountsHandler) {
+		if client == nil {
+			return
+		}
+		handler.client = client
+		if handler.luaRuntime != nil {
+			handler.luaRuntime = luadrv.NewRuntime(handler.client, "")
+		}
+	}
+}
+
 func WithAccountsStateEvents(bus *StateEventBus) AccountsHandlerOption {
 	return func(handler *AccountsHandler) {
 		handler.stateEvents = bus

diff --git a/backend/internal/api/gateway_handler.go b/backend/internal/api/gateway_handler.go
@@ -53,6 +53,14 @@ type GatewayHandler struct {
 
 type GatewayHandlerOption func(*GatewayHandler)
 
+func WithGatewayHTTPClient(client *http.Client) GatewayHandlerOption {
+	return func(handler *GatewayHandler) {
+		if client != nil {
+			handler.client = client
+		}
+	}
+}
+
 func WithGatewaySettings(repo GatewayRoutingSettings) GatewayHandlerOption {
 	return func(handler *GatewayHandler) {
 		handler.settings = repo

diff --git a/backend/internal/api/responses_handler.go b/backend/internal/api/responses_handler.go
@@ -68,6 +68,14 @@ type ResponsesHandler struct {
 
 type ResponsesHandlerOption func(*ResponsesHandler)
 
+func WithResponsesHTTPClient(client *http.Client) ResponsesHandlerOption {
+	return func(handler *ResponsesHandler) {
+		if client != nil {
+			handler.client = client
+		}
+	}
+}
+
 func WithResponsesSettings(repo settings.ReadRepository) ResponsesHandlerOption {
 	return func(handler *ResponsesHandler) {
 		handler.settings = repo

diff --git a/backend/internal/api/settings_handler.go b/backend/internal/api/settings_handler.go
@@ -600,6 +600,19 @@ func normalizeAppSettings(value settings.AppSettings) settings.AppSettings {
 	if value.ProxyPort <= 0 {
 		value.ProxyPort = defaults.ProxyPort
 	}
+	switch value.UpstreamProxyMode {
+	case settings.UpstreamProxyModeSystem, settings.UpstreamProxyModeDirect, settings.UpstreamProxyModeManual:
+	default:
+		value.UpstreamProxyMode = defaults.UpstreamProxyMode
+	}
+	value.UpstreamProxyURL = strings.TrimSpace(value.UpstreamProxyURL)
+	value.UpstreamProxyUsername = strings.TrimSpace(value.UpstreamProxyUsername)
+	value.UpstreamProxyPassword = strings.TrimSpace(value.UpstreamProxyPassword)
+	if value.UpstreamProxyMode != settings.UpstreamProxyModeManual {
+		value.UpstreamProxyURL = ""
+		value.UpstreamProxyUsername = ""
+		value.UpstreamProxyPassword = ""
+	}
 	if value.AutoBackupIntervalHours <= 0 {
 		value.AutoBackupIntervalHours = defaults.AutoBackupIntervalHours
 	}

diff --git a/backend/internal/bootstrap/bootstrap.go b/backend/internal/bootstrap/bootstrap.go
@@ -17,6 +17,7 @@ import (
 	"github.com/gcssloop/codex-router/backend/internal/api"
 	"github.com/gcssloop/codex-router/backend/internal/auth"
 	"github.com/gcssloop/codex-router/backend/internal/conversations"
+	"github.com/gcssloop/codex-router/backend/internal/netproxy"
 	"github.com/gcssloop/codex-router/backend/internal/policy"
 	"github.com/gcssloop/codex-router/backend/internal/scheduler"
 	"github.com/gcssloop/codex-router/backend/internal/secrets"
@@ -77,20 +78,21 @@ func NewApp(_ context.Context, cfg Config) (*App, error) {
 	accountRepo := accounts.NewSQLiteRepository(store.DB(), credentialCipher)
 	settingsRepo := settings.NewSQLiteRepository(store.DB())
 	usageRepo := usage.NewSQLiteRepository(store.DB())
+	upstreamHTTPClient := netproxy.NewHTTPClient(settingsRepo)
 	conversationRepo := conversations.NewSQLiteRepository(store.DB())
 	policyRepo := policy.NewMemoryRepository()
 	authConnector := auth.NewOAuthConnector(auth.Config{})
 	stateStore := auth.NewStateStore(5 * time.Minute)
 	stateEvents := api.NewStateEventBus()
 	driverRegistry, err := registry.New(
 		[]accountdrv.AccountDriver{
-			accountdrv.NewOfficialDriver(http.DefaultClient, accountRepo),
+			accountdrv.NewOfficialDriver(upstreamHTTPClient, accountRepo),
 			accountdrv.NewAPIKeyDriver(),
 		},
 		[]usagedrv.UsageDriver{
-			builtin.NewOpenAIOfficialDriver(http.DefaultClient),
-			builtin.NewPPChatDriver(http.DefaultClient),
-			luadrv.NewDriver(http.DefaultClient, "", luadrv.WithManagedScriptRoot(luaScriptRoot)),
+			builtin.NewOpenAIOfficialDriver(upstreamHTTPClient),
+			builtin.NewPPChatDriver(upstreamHTTPClient),
+			luadrv.NewDriver(upstreamHTTPClient, "", luadrv.WithManagedScriptRoot(luaScriptRoot)),
 		},
 	)
 	if err != nil {
@@ -106,6 +108,7 @@ func NewApp(_ context.Context, cfg Config) (*App, error) {
 		api.WithAccountsStateEvents(stateEvents),
 		api.WithAccountsUsageRefresher(refreshOrchestrator),
 		api.WithAccountsSettings(settingsRepo),
+		api.WithAccountsHTTPClient(upstreamHTTPClient),
 		api.WithAccountsDriverRegistry(driverRegistry),
 		api.WithAccountsLuaScriptRoot(luaScriptRoot),
 	)
@@ -148,8 +151,22 @@ func NewApp(_ context.Context, cfg Config) (*App, error) {
 	apiMux.Handle("/settings/proxy/status", settingsHandler)
 	apiMux.Handle("/settings/proxy/enable", settingsHandler)
 	apiMux.Handle("/settings/proxy/disable", settingsHandler)
-	gatewayHandler := api.NewGatewayHandler(accountRepo, usageRepo, conversationRepo, api.WithGatewaySettings(settingsRepo), api.WithGatewayStateEvents(stateEvents))
-	responsesHandler := api.NewResponsesHandler(accountRepo, usageRepo, conversationRepo, api.WithResponsesSettings(settingsRepo), api.WithResponsesStateEvents(stateEvents))
+	gatewayHandler := api.NewGatewayHandler(
+		accountRepo,
+		usageRepo,
+		conversationRepo,
+		api.WithGatewaySettings(settingsRepo),
+		api.WithGatewayHTTPClient(upstreamHTTPClient),
+		api.WithGatewayStateEvents(stateEvents),
+	)
+	responsesHandler := api.NewResponsesHandler(
+		accountRepo,
+		usageRepo,
+		conversationRepo,
+		api.WithResponsesSettings(settingsRepo),
+		api.WithResponsesHTTPClient(upstreamHTTPClient),
+		api.WithResponsesStateEvents(stateEvents),
+	)
 	apiMux.Handle("/chat/completions", api.RequireProxyEnabled(gatewayHandler))
 	apiMux.Handle("/v1/chat/completions", api.RequireProxyEnabled(gatewayHandler))
 	apiMux.Handle("/responses", api.RequireProxyEnabled(responsesHandler))

diff --git a/backend/internal/netproxy/doc.go b/backend/internal/netproxy/doc.go
@@ -0,0 +1 @@
+package netproxy
diff --git a/backend/internal/netproxy/transport.go b/backend/internal/netproxy/transport.go
@@ -0,0 +1,88 @@
+package netproxy
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/gcssloop/codex-router/backend/internal/settings"
+)
+
+type settingsReader interface {
+	GetAppSettings() (settings.AppSettings, error)
+}
+
+func NewHTTPClient(repo settingsReader) *http.Client {
+	transport := defaultTransportClone()
+	transport.Proxy = func(req *http.Request) (*url.URL, error) {
+		return ResolveProxy(req, repo)
+	}
+	return &http.Client{Transport: transport}
+}
+
+func ResolveProxy(req *http.Request, repo settingsReader) (*url.URL, error) {
+	if req == nil {
+		return nil, nil
+	}
+	if repo == nil {
+		return http.ProxyFromEnvironment(req)
+	}
+	appSettings, err := repo.GetAppSettings()
+	if err != nil {
+		return nil, fmt.Errorf("load app settings: %w", err)
+	}
+	switch appSettings.UpstreamProxyMode {
+	case settings.UpstreamProxyModeDirect:
+		return nil, nil
+	case settings.UpstreamProxyModeManual:
+		proxyURL, err := parseManualProxy(appSettings)
+		if err != nil {
+			return nil, err
+		}
+		return proxyURL, nil
+	case "", settings.UpstreamProxyModeSystem:
+		return http.ProxyFromEnvironment(req)
+	default:
+		return http.ProxyFromEnvironment(req)
+	}
+}
+
+func parseManualProxy(appSettings settings.AppSettings) (*url.URL, error) {
+	rawURL := strings.TrimSpace(appSettings.UpstreamProxyURL)
+	if rawURL == "" {
+		return nil, fmt.Errorf("manual upstream proxy url is empty")
+	}
+	proxyURL, err := url.Parse(rawURL)
+	if err != nil {
+		return nil, fmt.Errorf("parse upstream proxy url: %w", err)
+	}
+	if proxyURL.Scheme == "" || proxyURL.Host == "" {
+		return nil, fmt.Errorf("upstream proxy url must include scheme and host")
+	}
+	if proxyURL.User == nil && strings.TrimSpace(appSettings.UpstreamProxyUsername) != "" {
+		proxyURL.User = url.UserPassword(strings.TrimSpace(appSettings.UpstreamProxyUsername), strings.TrimSpace(appSettings.UpstreamProxyPassword))
+	}
+	return proxyURL, nil
+}
+
+func defaultTransportClone() *http.Transport {
+	base, ok := http.DefaultTransport.(*http.Transport)
+	if ok && base != nil {
+		return base.Clone()
+	}
+	return &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).DialContext,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+}
diff --git a/backend/internal/netproxy/transport_test.go b/backend/internal/netproxy/transport_test.go
@@ -0,0 +1,63 @@
+package netproxy_test
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/gcssloop/codex-router/backend/internal/netproxy"
+	"github.com/gcssloop/codex-router/backend/internal/settings"
+)
+
+type stubSettingsReader struct {
+	value settings.AppSettings
+}
+
+func (s stubSettingsReader) GetAppSettings() (settings.AppSettings, error) {
+	return s.value, nil
+}
+
+func TestResolveProxyUsesDirectMode(t *testing.T) {
+	t.Parallel()
+
+	reader := stubSettingsReader{value: settings.AppSettings{
+		UpstreamProxyMode: "direct",
+	}}
+	req, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
+	if err != nil {
+		t.Fatalf("NewRequest returned error: %v", err)
+	}
+
+	got, err := netproxy.ResolveProxy(req, reader)
+	if err != nil {
+		t.Fatalf("ResolveProxy returned error: %v", err)
+	}
+	if got != nil {
+		t.Fatalf("ResolveProxy = %v, want nil in direct mode", got)
+	}
+}
+
+func TestResolveProxyUsesManualMode(t *testing.T) {
+	t.Parallel()
+
+	reader := stubSettingsReader{value: settings.AppSettings{
+		UpstreamProxyMode:     "manual",
+		UpstreamProxyURL:      "http://127.0.0.1:7890",
+		UpstreamProxyUsername: "user",
+		UpstreamProxyPassword: "pass",
+	}}
+	req, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
+	if err != nil {
+		t.Fatalf("NewRequest returned error: %v", err)
+	}
+
+	got, err := netproxy.ResolveProxy(req, reader)
+	if err != nil {
+		t.Fatalf("ResolveProxy returned error: %v", err)
+	}
+	if got == nil {
+		t.Fatal("ResolveProxy = nil, want manual proxy URL")
+	}
+	if got.String() != "http://user:pass@127.0.0.1:7890" {
+		t.Fatalf("ResolveProxy = %q, want %q", got.String(), "http://user:pass@127.0.0.1:7890")
+	}
+}