With ProxyInfo.from_environment() we use PROXY_TYPE_HTTP for all connection types.
This proxy type uses CONNECT to tunnel a connection through the proxy.
In the case of a plain HTTP connection, this isn't necessary and just issuing the requests against the proxy is sufficient.
However, in the case of HTTPS, tunnelling is needed.
The use of CONNECT tunnelling is problematic for HTTP because many proxy servers are configured to reject tunnelling requests to ports other than 443 - e.g. on Fedora, squid has the following default configuration:
acl SSL_ports port 443
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
So, it seems pretty clear that we should use PROXY_TYPE_HTTP_NO_TUNNEL for http_proxy and PROXY_TYPE_HTTP for https_proxy - i.e. in ProxyInfo.from_url() do:
if method == 'http':
    proxy_type = 4 # socks.PROXY_TYPE_HTTP_NO_TUNNEL
else:
    proxy_type = 3 # socks.PROXY_TYPE_HTTP
Comment #1
Posted on Sep 14, 2012 by Quick Rabbit
Oh, to clarify the particular problem this is causing ...
I'm using OpenStack's nova client (from python-novaclient) to access an OpenStack installation over a corporate squid proxy.
It's a plain old HTTP connection, novaclient is using httplib2 and I'm getting a 403 Forbidden from the proxy because it's using the default config for rejecting CONNECT to ports other than 443.
Status: New
Labels:
Type-Defect
Priority-Medium
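An added example, not part of the issue or of httplib2's code: it models the first request line a proxy sees for each proxy type and applies only the squid rule quoted above, showing the 403 from the comment and the effect of the proposed selection. The function names, the sample URLs, port 8774 and the GET method are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Values quoted in the issue text for the socks module constants.
PROXY_TYPE_HTTP = 3            # tunnels with CONNECT
PROXY_TYPE_HTTP_NO_TUNNEL = 4  # sends the request to the proxy directly

SSL_PORTS = {443}  # mirrors "acl SSL_ports port 443"


def proxy_type_for(url):
    """Selection proposed in the issue: no tunnel for http, CONNECT otherwise."""
    scheme = urlsplit(url).scheme.lower()
    return PROXY_TYPE_HTTP_NO_TUNNEL if scheme == "http" else PROXY_TYPE_HTTP


def first_request_line(url, proxy_type):
    """Request line the proxy sees first for this target URL and proxy type."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if proxy_type == PROXY_TYPE_HTTP:
        return "CONNECT %s:%d HTTP/1.1" % (parts.hostname, port)
    # Forward-proxy form: absolute URI in the request line, no tunnel.
    return "GET %s HTTP/1.1" % url


def squid_default_status(request_line):
    """Model of 'http_access deny CONNECT !SSL_ports' only; other ACLs ignored."""
    method, target, _ = request_line.split(" ", 2)
    if method == "CONNECT":
        port = int(target.rsplit(":", 1)[1])
        if port not in SSL_PORTS:
            return 403
    return 200


def simulate(url, proxy_type=None):
    """Return (request line, status); default uses the proposed selection."""
    if proxy_type is None:
        proxy_type = proxy_type_for(url)
    line = first_request_line(url, proxy_type)
    return line, squid_default_status(line)


if __name__ == "__main__":
    # Constructed sample URLs; 8774 is an arbitrary non-443 port.
    for url in ("http://api.example.test:8774/v2/servers",
                "https://api.example.test/v2/servers"):
        print("current :", simulate(url, PROXY_TYPE_HTTP))
        print("proposed:", simulate(url))
```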