Also, remove some headers from the default proxy header whitelist that are response headers rather than request headers, and remove proxy-connection, which is just a stupid mistake in the first place that should never be used. Add test to ensure that explicitly set proxy-auth header never makes it to the endpoint server, but is still used when using a non-tunneling proxy, since it is an essential way to send authorizations other than basic.
If we load request.js right at the top of index.js, this creates a circular dependency (index.js -> request.js -> lib/debug.js and back again). If index.js has not exported request and request.debug by the time request.js is loaded, then lib/debug.js will never see them. So, we need to ensure that request.debug is set before requiring lib/debug.js.