changeset 59184:dd61d60329f6

8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected Summary: The key used in the HTTP/2 connection pool is updated to take into account the proxy address in case of tunnel connections Reviewed-by: chegar
author dfuchs
date Wed, 06 May 2020 19:19:38 +0100
parents 7223c6d61034
children 8fe1d93ddc6e
files src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLConnection.java src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLTunnelConnection.java src/java.net.http/share/classes/jdk/internal/net/http/Http2Connection.java src/java.net.http/share/classes/jdk/internal/net/http/HttpConnection.java src/java.net.http/share/classes/jdk/internal/net/http/PlainHttpConnection.java src/java.net.http/share/classes/jdk/internal/net/http/PlainProxyConnection.java src/java.net.http/share/classes/jdk/internal/net/http/PlainTunnelingConnection.java test/jdk/java/net/httpclient/ProxySelectorTest.java test/jdk/java/net/httpclient/whitebox/java.net.http/jdk/internal/net/http/ConnectionPoolTest.java
diffstat 9 files changed, 539 insertions(+), 31 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -92,6 +92,11 @@
     }
 
     @Override
+    InetSocketAddress proxy() {
+        return null;
+    }
+
+    @Override
     SocketChannel channel() {
         return plainConnection.channel();
     }
--- a/src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLTunnelConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/AsyncSSLTunnelConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -124,6 +124,11 @@
     }
 
     @Override
+    InetSocketAddress proxy() {
+        return plainConnection.proxyAddr;
+    }
+
+    @Override
     SSLTube getConnectionFlow() {
        return flow;
    }
--- a/src/java.net.http/share/classes/jdk/internal/net/http/Http2Connection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/Http2Connection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -514,45 +514,59 @@
         boolean isProxy = connection.isProxied(); // tunnel or plain clear connection through proxy
         boolean isSecure = connection.isSecure();
         InetSocketAddress addr = connection.address();
+        InetSocketAddress proxyAddr = connection.proxy();
+        assert isProxy == (proxyAddr != null);
 
-        return keyString(isSecure, isProxy, addr.getHostString(), addr.getPort());
+        return keyString(isSecure, proxyAddr, addr.getHostString(), addr.getPort());
     }
 
     static String keyFor(URI uri, InetSocketAddress proxy) {
         boolean isSecure = uri.getScheme().equalsIgnoreCase("https");
-        boolean isProxy = proxy != null;
 
-        String host;
-        int port;
-
-        if (proxy != null && !isSecure) {
-            // clear connection through proxy: use
-            // proxy host / proxy port
-            host = proxy.getHostString();
-            port = proxy.getPort();
-        } else {
-            // either secure tunnel connection through proxy
-            // or direct connection to host, but in either
-            // case only that host can be reached through
-            // the connection: use target host / target port
-            host = uri.getHost();
-            port = uri.getPort();
-        }
-        return keyString(isSecure, isProxy, host, port);
+        String host = uri.getHost();
+        int port = uri.getPort();
+        return keyString(isSecure, proxy, host, port);
     }
 
-    // {C,S}:{H:P}:host:port
+
+    // Compute the key for an HttpConnection in the Http2ClientImpl pool:
+    // The key string follows one of the three forms below:
+    //    {C,S}:H:host:port
+    //    C:P:proxy-host:proxy-port
+    //    S:T:H:host:port;P:proxy-host:proxy-port
     // C indicates clear text connection "http"
     // S indicates secure "https"
     // H indicates host (direct) connection
     // P indicates proxy
-    // Eg: "S:H:foo.com:80"
-    static String keyString(boolean secure, boolean proxy, String host, int port) {
+    // T indicates a tunnel connection through a proxy
+    //
+    // The first form indicates a direct connection to a server:
+    //   - direct clear connection to an HTTP host:
+    //     e.g.: "C:H:foo.com:80"
+    //   - direct secure connection to an HTTPS host:
+    //     e.g.: "S:H:foo.com:443"
+    // The second form indicates a clear connection to an HTTP/1.1 proxy:
+    //     e.g.: "C:P:myproxy:8080"
+    // The third form indicates a secure tunnel connection to an HTTPS
+    // host through an HTTP/1.1 proxy:
+    //     e.g: "S:T:H:foo.com:80;P:myproxy:8080"
+    static String keyString(boolean secure, InetSocketAddress proxy, String host, int port) {
         if (secure && port == -1)
             port = 443;
         else if (!secure && port == -1)
             port = 80;
-        return (secure ? "S:" : "C:") + (proxy ? "P:" : "H:") + host + ":" + port;
+        var key = (secure ? "S:" : "C:");
+        if (proxy != null && !secure) {
+            // clear connection through proxy
+            key = key + "P:" + proxy.getHostString() + ":" + proxy.getPort();
+        } else if (proxy == null) {
+            // direct connection to host
+            key = key + "H:" + host + ":" + port;
+        } else {
+            // tunnel connection through proxy
+            key = key + "T:H:" + host + ":" + port + ";P:" + proxy.getHostString() + ":" + proxy.getPort();
+        }
+        return  key;
     }
 
     String key() {
--- a/src/java.net.http/share/classes/jdk/internal/net/http/HttpConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/HttpConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -136,6 +136,14 @@
      */
     abstract boolean isProxied();
 
+    /**
+     * Returns the address of the proxy used by this connection.
+     * Returns the proxy address for tunnel connections, or
+     * clear connection to any host through proxy.
+     * Returns {@code null} otherwise.
+     */
+    abstract InetSocketAddress proxy();
+
     /** Tells whether, or not, this connection is open. */
     final boolean isOpen() {
         return channel().isOpen() &&
--- a/src/java.net.http/share/classes/jdk/internal/net/http/PlainHttpConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/PlainHttpConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -302,4 +302,8 @@
         return false;
     }
 
+    @Override
+    InetSocketAddress proxy() {
+        return null;
+    }
 }
--- a/src/java.net.http/share/classes/jdk/internal/net/http/PlainProxyConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/PlainProxyConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,4 +40,9 @@
 
     @Override
     public boolean isProxied() { return true; }
+
+    @Override
+    InetSocketAddress proxy() {
+        return address;
+    }
 }
--- a/src/java.net.http/share/classes/jdk/internal/net/http/PlainTunnelingConnection.java	Wed May 06 12:42:28 2020 -0500
+++ b/src/java.net.http/share/classes/jdk/internal/net/http/PlainTunnelingConnection.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -171,4 +171,8 @@
         return true;
     }
 
+    @Override
+    InetSocketAddress proxy() {
+        return proxyAddr;
+    }
 }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/java/net/httpclient/ProxySelectorTest.java	Wed May 06 19:19:38 2020 +0100
@@ -0,0 +1,462 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8244205
+ * @summary checks that a different proxy returned for
+ *          the same host:port is taken into account
+ * @modules java.base/sun.net.www.http
+ *          java.net.http/jdk.internal.net.http.common
+ *          java.net.http/jdk.internal.net.http.frame
+ *          java.net.http/jdk.internal.net.http.hpack
+ *          java.logging
+ *          jdk.httpserver
+ *          java.base/sun.net.www.http
+ *          java.base/sun.net.www
+ *          java.base/sun.net
+ * @library /test/lib http2/server
+ * @build HttpServerAdapters DigestEchoServer Http2TestServer ProxySelectorTest
+ * @build jdk.test.lib.net.SimpleSSLContext
+ * @run testng/othervm
+ *       -Djdk.http.auth.tunneling.disabledSchemes
+ *       -Djdk.httpclient.HttpClient.log=headers,requests
+ *       -Djdk.internal.httpclient.debug=true
+ *       ProxySelectorTest
+ */
+
+import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
+import jdk.test.lib.net.SimpleSSLContext;
+import org.testng.ITestContext;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.AfterTest;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.BeforeTest;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.Proxy;
+import java.net.ProxySelector;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.net.http.HttpResponse.BodyHandlers;
+import java.util.List;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Executor;
+import java.util.concurrent.Executors;
+import java.util.concurrent.atomic.AtomicLong;
+
+import static java.lang.System.err;
+import static java.lang.System.out;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.testng.Assert.assertEquals;
+
+public class ProxySelectorTest implements HttpServerAdapters {
+
+    SSLContext sslContext;
+    HttpTestServer httpTestServer;            // HTTP/1.1
+    HttpTestServer proxyHttpTestServer;       // HTTP/1.1
+    HttpTestServer authProxyHttpTestServer;   // HTTP/1.1
+    HttpTestServer http2TestServer;           // HTTP/2 ( h2c )
+    HttpTestServer httpsTestServer;           // HTTPS/1.1
+    HttpTestServer https2TestServer;          // HTTP/2 ( h2  )
+    DigestEchoServer.TunnelingProxy proxy;
+    DigestEchoServer.TunnelingProxy authproxy;
+    String httpURI;
+    String httpsURI;
+    String proxyHttpURI;
+    String authProxyHttpURI;
+    String http2URI;
+    String https2URI;
+    HttpClient client;
+
+    final ReferenceTracker TRACKER = ReferenceTracker.INSTANCE;
+    static final long SLEEP_AFTER_TEST = 0; // milliseconds
+    static final int ITERATIONS = 3;
+    static final Executor executor = new TestExecutor(Executors.newCachedThreadPool());
+    static final ConcurrentMap<String, Throwable> FAILURES = new ConcurrentHashMap<>();
+    static volatile boolean tasksFailed;
+    static final AtomicLong serverCount = new AtomicLong();
+    static final AtomicLong clientCount = new AtomicLong();
+    static final long start = System.nanoTime();
+    public static String now() {
+        long now = System.nanoTime() - start;
+        long secs = now / 1000_000_000;
+        long mill = (now % 1000_000_000) / 1000_000;
+        long nan = now % 1000_000;
+        return String.format("[%d s, %d ms, %d ns] ", secs, mill, nan);
+    }
+
+    static class TestExecutor implements Executor {
+        final AtomicLong tasks = new AtomicLong();
+        Executor executor;
+        TestExecutor(Executor executor) {
+            this.executor = executor;
+        }
+
+        @Override
+        public void execute(Runnable command) {
+            long id = tasks.incrementAndGet();
+            executor.execute(() -> {
+                try {
+                    command.run();
+                } catch (Throwable t) {
+                    tasksFailed = true;
+                    out.printf(now() + "Task %s failed: %s%n", id, t);
+                    err.printf(now() + "Task %s failed: %s%n", id, t);
+                    FAILURES.putIfAbsent("Task " + id, t);
+                    throw t;
+                }
+            });
+        }
+    }
+
+    protected boolean stopAfterFirstFailure() {
+        return Boolean.getBoolean("jdk.internal.httpclient.debug");
+    }
+
+    @BeforeMethod
+    void beforeMethod(ITestContext context) {
+        if (stopAfterFirstFailure() && context.getFailedTests().size() > 0) {
+            throw new RuntimeException("some tests failed");
+        }
+    }
+
+    @AfterClass
+    static final void printFailedTests() {
+        out.println("\n=========================");
+        try {
+            out.printf("%n%sCreated %d servers and %d clients%n",
+                    now(), serverCount.get(), clientCount.get());
+            if (FAILURES.isEmpty()) return;
+            out.println("Failed tests: ");
+            FAILURES.entrySet().forEach((e) -> {
+                out.printf("\t%s: %s%n", e.getKey(), e.getValue());
+                e.getValue().printStackTrace(out);
+                e.getValue().printStackTrace();
+            });
+            if (tasksFailed) {
+                out.println("WARNING: Some tasks failed");
+            }
+        } finally {
+            out.println("\n=========================\n");
+        }
+    }
+
+    /*
+     * NOT_MODIFIED status code results from a conditional GET where
+     * the server does not (must not) return a response body because
+     * the condition specified in the request disallows it
+     */
+    static final int UNAUTHORIZED = 401;
+    static final int PROXY_UNAUTHORIZED = 407;
+    static final int HTTP_OK = 200;
+    static final String MESSAGE = "Unauthorized";
+    enum Schemes {
+        HTTP, HTTPS
+    }
+    @DataProvider(name = "all")
+    public Object[][] positive() {
+        return new Object[][] {
+                { Schemes.HTTP,  HttpClient.Version.HTTP_1_1, httpURI,   true},
+                { Schemes.HTTP,  HttpClient.Version.HTTP_2,   http2URI,  true},
+                { Schemes.HTTPS, HttpClient.Version.HTTP_1_1, httpsURI,  true},
+                { Schemes.HTTPS, HttpClient.Version.HTTP_2,   https2URI, true},
+                { Schemes.HTTP,  HttpClient.Version.HTTP_1_1, httpURI,   false},
+                { Schemes.HTTP,  HttpClient.Version.HTTP_2,   http2URI,  false},
+                { Schemes.HTTPS, HttpClient.Version.HTTP_1_1, httpsURI,  false},
+                { Schemes.HTTPS, HttpClient.Version.HTTP_2,   https2URI, false},
+        };
+    }
+
+    static final AtomicLong requestCounter = new AtomicLong();
+
+    static final AtomicLong sleepCount = new AtomicLong();
+
+    @Test(dataProvider = "all")
+    void test(Schemes scheme, HttpClient.Version version, String uri, boolean async)
+            throws Throwable
+    {
+        var name = String.format("test(%s, %s, %s)", scheme, version, async);
+        out.printf("%n---- starting %s ----%n", name);
+
+        for (int i=0; i<ITERATIONS; i++) {
+            if (ITERATIONS > 1) out.printf("---- ITERATION %d%n",i);
+            try {
+                doTest(scheme, version, uri, async);
+                long count = sleepCount.incrementAndGet();
+                System.err.println(now() + " Sleeping: " + count);
+                Thread.sleep(SLEEP_AFTER_TEST);
+                System.err.println(now() + " Waking up: " + count);
+            } catch (Throwable x) {
+                FAILURES.putIfAbsent(name, x);
+                throw x;
+            }
+        }
+    }
+
+    private <T> HttpResponse<T> send(HttpClient client,
+                                     URI uri,
+                                     HttpResponse.BodyHandler<T> handler,
+                                     boolean async) throws Throwable {
+        HttpRequest.Builder requestBuilder = HttpRequest
+                .newBuilder(uri)
+                .GET();
+
+        HttpRequest request = requestBuilder.build();
+        out.println("Sending request: " + request.uri());
+
+        HttpResponse<T> response = null;
+        if (async) {
+            response = client.send(request, handler);
+        } else {
+            try {
+                response = client.sendAsync(request, handler).get();
+            } catch (ExecutionException ex) {
+                throw ex.getCause();
+            }
+        }
+        return response;
+    }
+
+    private void doTest(Schemes scheme,
+                        HttpClient.Version version,
+                        String uriString,
+                        boolean async) throws Throwable {
+
+        URI uri1 = URI.create(uriString + "/server/ProxySelectorTest");
+        URI uri2 = URI.create(uriString + "/proxy/noauth/ProxySelectorTest");
+        URI uri3 = URI.create(uriString + "/proxy/auth/ProxySelectorTest");
+
+        HttpResponse<String> response;
+
+        // First request should go with a direct connection.
+        // A plain server or https server should serve it, and we should get 200 OK
+        response = send(client, uri1, BodyHandlers.ofString(), async);
+        out.println("Got response from plain server: " + response);
+        assertEquals(response.statusCode(), HTTP_OK);
+        assertEquals(response.headers().firstValue("X-value"),
+                scheme == Schemes.HTTPS ? Optional.of("https-server") : Optional.of("plain-server"));
+
+        // Second request should go through a non authenticating proxy.
+        // For a clear connection - a proxy-server should serve it, and we should get 200 OK
+        // For an https connection - a tunnel should be established through the non
+        // authenticating proxy - and we should receive 200 OK from an https-server
+        response = send(client, uri2, BodyHandlers.ofString(), async);
+        out.println("Got response through noauth proxy: " + response);
+        assertEquals(response.statusCode(), HTTP_OK);
+        assertEquals(response.headers().firstValue("X-value"),
+                scheme == Schemes.HTTPS ? Optional.of("https-server") : Optional.of("proxy-server"));
+
+        // Third request should go through an authenticating proxy.
+        // For a clear connection - an auth-proxy-server should serve it, and we
+        // should get 407
+        // For an https connection - a tunnel should be established through an
+        // authenticating proxy - and we should receive 407 directly from the
+        // proxy - so the X-value header will be absent
+        response = send(client, uri3, BodyHandlers.ofString(), async);
+        out.println("Got response through auth proxy: " + response);
+        assertEquals(response.statusCode(), PROXY_UNAUTHORIZED);
+        assertEquals(response.headers().firstValue("X-value"),
+                scheme == Schemes.HTTPS ? Optional.empty() : Optional.of("auth-proxy-server"));
+
+    }
+
+    // -- Infrastructure
+
+    @BeforeTest
+    public void setup() throws Exception {
+        sslContext = new SimpleSSLContext().get();
+        if (sslContext == null)
+            throw new AssertionError("Unexpected null sslContext");
+
+        InetSocketAddress sa = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
+
+        httpTestServer = HttpTestServer.of(HttpServer.create(sa, 0));
+        httpTestServer.addHandler(new PlainServerHandler("plain-server"), "/http1/");
+        httpURI = "http://" + httpTestServer.serverAuthority() + "/http1";
+        proxyHttpTestServer = HttpTestServer.of(HttpServer.create(sa, 0));
+        proxyHttpTestServer.addHandler(new PlainServerHandler("proxy-server"), "/http1/proxy/");
+        proxyHttpTestServer.addHandler(new PlainServerHandler("proxy-server"), "/http2/proxy/");
+        proxyHttpURI = "http://" + httpTestServer.serverAuthority() + "/http1";
+        authProxyHttpTestServer = HttpTestServer.of(HttpServer.create(sa, 0));
+        authProxyHttpTestServer.addHandler(new UnauthorizedHandler("auth-proxy-server"), "/http1/proxy/");
+        authProxyHttpTestServer.addHandler(new UnauthorizedHandler("auth-proxy-server"), "/http2/proxy/");
+        proxyHttpURI = "http://" + httpTestServer.serverAuthority() + "/http1";
+
+        HttpsServer httpsServer = HttpsServer.create(sa, 0);
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(sslContext));
+        httpsTestServer = HttpTestServer.of(httpsServer);
+        httpsTestServer.addHandler(new PlainServerHandler("https-server"),"/https1/");
+        httpsURI = "https://" + httpsTestServer.serverAuthority() + "/https1";
+
+        http2TestServer = HttpTestServer.of(new Http2TestServer("localhost", false, 0));
+        http2TestServer.addHandler(new PlainServerHandler("plain-server"), "/http2/");
+        http2URI = "http://" + http2TestServer.serverAuthority() + "/http2";
+        https2TestServer = HttpTestServer.of(new Http2TestServer("localhost", true, sslContext));
+        https2TestServer.addHandler(new PlainServerHandler("https-server"), "/https2/");
+        https2URI = "https://" + https2TestServer.serverAuthority() + "/https2";
+
+        proxy = DigestEchoServer.createHttpsProxyTunnel(DigestEchoServer.HttpAuthSchemeType.NONE);
+        authproxy = DigestEchoServer.createHttpsProxyTunnel(DigestEchoServer.HttpAuthSchemeType.BASIC);
+
+        client = TRACKER.track(HttpClient.newBuilder()
+                .proxy(new TestProxySelector())
+                .sslContext(sslContext)
+                .executor(executor)
+                .build());
+        clientCount.incrementAndGet();
+
+
+        httpTestServer.start();
+        serverCount.incrementAndGet();
+        proxyHttpTestServer.start();
+        serverCount.incrementAndGet();
+        authProxyHttpTestServer.start();
+        serverCount.incrementAndGet();
+        httpsTestServer.start();
+        serverCount.incrementAndGet();
+        http2TestServer.start();
+        serverCount.incrementAndGet();
+        https2TestServer.start();
+        serverCount.incrementAndGet();
+    }
+
+    @AfterTest
+    public void teardown() throws Exception {
+        client = null;
+        Thread.sleep(100);
+        AssertionError fail = TRACKER.check(500);
+
+        proxy.stop();
+        authproxy.stop();
+        httpTestServer.stop();
+        proxyHttpTestServer.stop();
+        authProxyHttpTestServer.stop();
+        httpsTestServer.stop();
+        http2TestServer.stop();
+        https2TestServer.stop();
+    }
+
+    class TestProxySelector extends ProxySelector {
+        @Override
+        public List<Proxy> select(URI uri) {
+            String path = uri.getPath();
+            out.println("Selecting proxy for: " + uri);
+            if (path.contains("/proxy/")) {
+                if (path.contains("/http1/") || path.contains("/http2/")) {
+                    // Simple proxying
+                    var p = path.contains("/auth/") ? authProxyHttpTestServer : proxyHttpTestServer;
+                    return List.of(new Proxy(Proxy.Type.HTTP, p.getAddress()));
+                } else {
+                    // Both HTTPS or HTTPS/2 require tunnelling
+                    var p = path.contains("/auth/") ? authproxy : proxy;
+                    return List.of(new Proxy(Proxy.Type.HTTP, p.getProxyAddress()));
+                }
+            }
+            System.out.print("NO_PROXY for " + uri);
+            return List.of(Proxy.NO_PROXY);
+        }
+        @Override
+        public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
+            System.err.printf("Connect failed for: uri=\"%s\", sa=\"%s\", ioe=%s%n", uri, sa, ioe);
+        }
+    }
+
+    static class PlainServerHandler implements HttpTestHandler {
+
+        final String serverType;
+        PlainServerHandler(String serverType) {
+            this.serverType = serverType;
+        }
+
+        @Override
+        public void handle(HttpTestExchange t) throws IOException {
+            readAllRequestData(t); // shouldn't be any
+            String method = t.getRequestMethod();
+            String path = t.getRequestURI().getPath();
+            HttpTestRequestHeaders  reqh = t.getRequestHeaders();
+            HttpTestResponseHeaders rsph = t.getResponseHeaders();
+
+            String xValue = serverType;
+            rsph.addHeader("X-value", serverType);
+
+            t.getResponseHeaders().addHeader("X-value", xValue);
+            byte[] body = "RESPONSE".getBytes(UTF_8);
+            t.sendResponseHeaders(HTTP_OK, body.length);
+            try (var out = t.getResponseBody()) {
+                out.write(body);
+            }
+        }
+    }
+
+    static class UnauthorizedHandler implements HttpTestHandler {
+
+        final String serverType;
+        UnauthorizedHandler(String serverType) {
+            this.serverType = serverType;
+        }
+
+        @Override
+        public void handle(HttpTestExchange t) throws IOException {
+            readAllRequestData(t); // shouldn't be any
+            String method = t.getRequestMethod();
+            String path = t.getRequestURI().getPath();
+            HttpTestRequestHeaders  reqh = t.getRequestHeaders();
+            HttpTestResponseHeaders rsph = t.getResponseHeaders();
+
+            String xValue = serverType;
+            String srv = path.contains("/proxy/") ? "proxy" : "server";
+            String prefix = path.contains("/proxy/") ? "Proxy-" : "WWW-";
+            int code = path.contains("/proxy/") ? PROXY_UNAUTHORIZED : UNAUTHORIZED;
+            String resp = prefix + "Unauthorized";
+            rsph.addHeader(prefix + "Authenticate", "Basic realm=\"earth\", charset=\"UTF-8\"");
+
+            byte[] body = resp.getBytes(UTF_8);
+            t.getResponseHeaders().addHeader("X-value", xValue);
+            t.sendResponseHeaders(code, body.length);
+            try (var out = t.getResponseBody()) {
+                out.write(body);
+            }
+        }
+    }
+
+    static void readAllRequestData(HttpTestExchange t) throws IOException {
+        try (InputStream is = t.getRequestBody()) {
+            is.readAllBytes();
+        }
+    }
+}
--- a/test/jdk/java/net/httpclient/whitebox/java.net.http/jdk/internal/net/http/ConnectionPoolTest.java	Wed May 06 12:42:28 2020 -0500
+++ b/test/jdk/java/net/httpclient/whitebox/java.net.http/jdk/internal/net/http/ConnectionPoolTest.java	Wed May 06 19:19:38 2020 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -481,6 +481,7 @@
         @Override boolean connected() {return !closed;}
         @Override boolean isSecure() {return secured;}
         @Override boolean isProxied() {return proxy!=null;}
+        @Override InetSocketAddress proxy() { return proxy; }
         @Override ConnectionPool.CacheKey cacheKey() {return key;}
         @Override FlowTube getConnectionFlow() {return flow;}
         @Override SocketChannel channel() {return channel;}