Major Description
The issue is that without a (global) configuration to force us to go through the DNS hook on cache hits, we can not use authproxy to protect on cache hits (the plugin is bypassed).
The setting is proxy.config.http.doc_in_cache_skip_dns, and it was added for a very valid reason: If the entry in HostDB is stale, we can not serve out of cache while it's doing the DNS lookup. This blocks all requests on that URL until DNS has finished, which in some cases can take a long time (we had a problem where some 3rd party DNS vendor could take up to 1s to resolve).
My idea / hope is to make authproxy support running in a different hook, such that it always can get called. However, the wrinkle is that this is also a remap plugin, so whatever hook we pick, it has to happen after remap.