From 6b663ba53fcb79abdb18cc7cf3115c8b1cb82f6f Mon Sep 17 00:00:00 2001
From: Caleb Doxsey <cdoxsey@pomerium.com>
Date: Thu, 5 May 2022 00:32:36 +0000
Subject: [PATCH] httputil/reproxy: fix policy transport (#3322)

---
 config/http.go      | 2 ++
 config/http_test.go | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/config/http.go b/config/http.go
index aeceedd9a..170f38bbb 100644
--- a/config/http.go
+++ b/config/http.go
@@ -62,6 +62,7 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 	//
 	if disableHTTP2 {
 		transport.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
+		transport.ForceAttemptHTTP2 = false
 	}
 
 	var tlsClientConfig tls.Config
@@ -111,6 +112,7 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 	// We avoid setting a custom client config unless we have to as
 	// if TLSClientConfig is nil, the default configuration is used.
 	if isCustomClientConfig {
+		transport.DialTLSContext = nil
 		transport.TLSClientConfig = &tlsClientConfig
 	}
 	return c.Then(transport)
diff --git a/config/http_test.go b/config/http_test.go
index fdb1bb61f..58679cf90 100644
--- a/config/http_test.go
+++ b/config/http_test.go
@@ -37,6 +37,13 @@ func TestHTTPTransport(t *testing.T) {
 }
 
 func TestPolicyHTTPTransport(t *testing.T) {
+	originalTransport := http.DefaultTransport
+	defer func() {
+		http.DefaultTransport = originalTransport
+	}()
+	src := NewStaticSource(&Config{Options: &Options{}})
+	http.DefaultTransport = NewHTTPTransport(src)
+
 	s := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))