From 5402620db804a8f88cc5eb249b3fc3802310012d Mon Sep 17 00:00:00 2001
From: Will Hannah <willh@tailscale.com>
Date: Thu, 14 Aug 2025 07:19:20 -0700
Subject: [PATCH] net/tshttpproxy: add macOS support for system proxy (#16826)

Adds a setter for proxyFunc to allow macOS to pull defined
system proxies. Disallows overriding if proxyFunc is set via config.

Updates tailscale/corp#30668

Signed-off-by: Will Hannah <willh@tailscale.com>
---
 net/tshttpproxy/tshttpproxy.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/net/tshttpproxy/tshttpproxy.go b/net/tshttpproxy/tshttpproxy.go
index 2ca440b57..ab2fd39e3 100644
--- a/net/tshttpproxy/tshttpproxy.go
+++ b/net/tshttpproxy/tshttpproxy.go
@@ -38,6 +38,23 @@ var (
 	proxyFunc    func(*url.URL) (*url.URL, error)
 )
 
+// SetProxyFunc can be used by clients to set a platform-specific function for proxy resolution.
+// If config is set when this function is called, an error will be returned.
+// The provided function should return a proxy URL for the given request URL,
+// nil if no proxy is enabled for the request URL, or an error if proxy settings cannot be resolved.
+func SetProxyFunc(fn func(*url.URL) (*url.URL, error)) error {
+	mu.Lock()
+	defer mu.Unlock()
+
+	// Allow override only if config is not set
+	if config != nil {
+		return fmt.Errorf("tshttpproxy: SetProxyFunc can only be called when config is not set")
+	}
+
+	proxyFunc = fn
+	return nil
+}
+
 func getProxyFunc() func(*url.URL) (*url.URL, error) {
 	// Create config/proxyFunc if it's not created
 	mu.Lock()