reverseproxy: Fix panic when TLS is not configured (#4848)

* reverseproxy: Fix panic when TLS is not configured

* Refactor and simplify setScheme

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>

modules/caddyhttp/reverseproxy/httptransport.go

@@ -281,7 +281,7 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	repl := req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 	transport := h.replaceTLSServername(repl)
 
-	transport.SetScheme(req)
+	transport.setScheme(req)
 
 	// if H2C ("HTTP/2 over cleartext") is enabled and the upstream request is
 	// HTTP without TLS, use the alternate H2C-capable transport instead
@@ -292,27 +292,34 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	return transport.Transport.RoundTrip(req)
 }
 
-// SetScheme ensures that the outbound request req
+// setScheme ensures that the outbound request req
 // has the scheme set in its URL; the underlying
 // http.Transport requires a scheme to be set.
-func (h *HTTPTransport) SetScheme(req *http.Request) {
+func (h *HTTPTransport) setScheme(req *http.Request) {
-	skipTLSport := false
+	if req.URL.Scheme != "" {
-	if h.TLS.ExceptPorts != nil {
+		return
-		port := req.URL.Port()
+	}
-		for i := range h.TLS.ExceptPorts {
+	if h.shouldUseTLS(req) {
-			if h.TLS.ExceptPorts[i] == port {
+		req.URL.Scheme = "https"
-				skipTLSport = true
+	} else {
-				break
+		req.URL.Scheme = "http"
-			}
+	}
+}
+
+// shouldUseTLS returns true if TLS should be used for req.
+func (h *HTTPTransport) shouldUseTLS(req *http.Request) bool {
+	if h.TLS == nil {
+		return false
+	}
+
+	port := req.URL.Port()
+	for i := range h.TLS.ExceptPorts {
+		if h.TLS.ExceptPorts[i] == port {
+			return false
 		}
 	}
 
-	if req.URL.Scheme == "" {
+	return true
-		req.URL.Scheme = "http"
-		if h.TLS != nil && !skipTLSport {
-			req.URL.Scheme = "https"
-		}
-	}
 }
 
 // TLSEnabled returns true if TLS is enabled.