|
|
|
|
@@ -304,8 +304,10 @@ impl HttpProxyService {
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Auto-detect h1 vs h2 based on ALPN / connection preface.
|
|
|
|
|
// serve_connection_with_upgrades supports h1 Upgrade (WebSocket) and h2 CONNECT.
|
|
|
|
|
let builder = hyper_util::server::conn::auto::Builder::new(hyper_util::rt::TokioExecutor::new());
|
|
|
|
|
// serve_connection_with_upgrades supports h1 Upgrade (WebSocket) and h2 Extended CONNECT (RFC 8441).
|
|
|
|
|
let mut builder = hyper_util::server::conn::auto::Builder::new(hyper_util::rt::TokioExecutor::new());
|
|
|
|
|
// Advertise Extended CONNECT support so H2 clients can initiate WebSocket connections
|
|
|
|
|
builder.http2().enable_connect_protocol();
|
|
|
|
|
let conn = builder.serve_connection_with_upgrades(io, service);
|
|
|
|
|
// Pin on the heap — auto::UpgradeableConnection is !Unpin
|
|
|
|
|
let mut conn = Box::pin(conn);
|
|
|
|
|
@@ -482,16 +484,22 @@ impl HttpProxyService {
|
|
|
|
|
let domain_str = host.as_deref().unwrap_or("-");
|
|
|
|
|
self.upstream_selector.connection_started(&upstream_key);
|
|
|
|
|
|
|
|
|
|
// Check for WebSocket upgrade
|
|
|
|
|
let is_websocket = req.headers()
|
|
|
|
|
// Check for WebSocket upgrade: H1 (Upgrade header) or H2 Extended CONNECT (RFC 8441)
|
|
|
|
|
let is_h1_websocket = req.headers()
|
|
|
|
|
.get("upgrade")
|
|
|
|
|
.and_then(|v| v.to_str().ok())
|
|
|
|
|
.map(|v| v.eq_ignore_ascii_case("websocket"))
|
|
|
|
|
.unwrap_or(false);
|
|
|
|
|
|
|
|
|
|
if is_websocket {
|
|
|
|
|
let is_h2_websocket = req.method() == hyper::Method::CONNECT
|
|
|
|
|
&& req.extensions()
|
|
|
|
|
.get::<hyper::ext::Protocol>()
|
|
|
|
|
.map(|p| p.as_str().eq_ignore_ascii_case("websocket"))
|
|
|
|
|
.unwrap_or(false);
|
|
|
|
|
|
|
|
|
|
if is_h1_websocket || is_h2_websocket {
|
|
|
|
|
let result = self.handle_websocket_upgrade(
|
|
|
|
|
req, peer_addr, &upstream, route_match.route, route_id, &upstream_key, cancel, &ip_str,
|
|
|
|
|
req, peer_addr, &upstream, route_match.route, route_id, &upstream_key, cancel, &ip_str, is_h2_websocket,
|
|
|
|
|
).await;
|
|
|
|
|
// Note: for WebSocket, connection_ended is called inside
|
|
|
|
|
// the spawned tunnel task when the connection closes.
|
|
|
|
|
@@ -1084,13 +1092,17 @@ impl HttpProxyService {
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Build request with empty body using absolute URI for H2 pseudo-headers
|
|
|
|
|
let h2_uri = format!("{}://{}:{}{}",
|
|
|
|
|
if pool_key.use_tls { "https" } else { "http" },
|
|
|
|
|
pool_key.host, pool_key.port, upstream_path);
|
|
|
|
|
let scheme = if pool_key.use_tls { "https" } else { "http" };
|
|
|
|
|
let authority = if domain != "-" { domain } else { pool_key.host.as_str() };
|
|
|
|
|
let h2_uri = format!("{}://{}{}", scheme, authority, upstream_path);
|
|
|
|
|
let mut upstream_req = Request::builder()
|
|
|
|
|
.method(method)
|
|
|
|
|
.uri(&h2_uri);
|
|
|
|
|
|
|
|
|
|
// Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
|
|
|
|
|
let mut upstream_headers = upstream_headers;
|
|
|
|
|
upstream_headers.remove("host");
|
|
|
|
|
|
|
|
|
|
if let Some(headers) = upstream_req.headers_mut() {
|
|
|
|
|
*headers = upstream_headers;
|
|
|
|
|
}
|
|
|
|
|
@@ -1131,7 +1143,7 @@ impl HttpProxyService {
|
|
|
|
|
io: TokioIo<BackendStream>,
|
|
|
|
|
parts: hyper::http::request::Parts,
|
|
|
|
|
body: Incoming,
|
|
|
|
|
upstream_headers: hyper::HeaderMap,
|
|
|
|
|
mut upstream_headers: hyper::HeaderMap,
|
|
|
|
|
upstream_path: &str,
|
|
|
|
|
upstream: &crate::upstream_selector::UpstreamSelection,
|
|
|
|
|
route: &rustproxy_config::RouteConfig,
|
|
|
|
|
@@ -1202,18 +1214,22 @@ impl HttpProxyService {
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Save retry state before consuming parts/body (for bodyless requests like GET)
|
|
|
|
|
// Clone BEFORE removing Host — H1 fallback needs Host header
|
|
|
|
|
let retry_state = if body.is_end_stream() {
|
|
|
|
|
Some((parts.method.clone(), upstream_headers.clone()))
|
|
|
|
|
} else {
|
|
|
|
|
None
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
|
|
|
|
|
upstream_headers.remove("host");
|
|
|
|
|
|
|
|
|
|
// Build and send the h2 request inline (don't register in pool yet —
|
|
|
|
|
// we need to verify the request actually succeeds first, because some
|
|
|
|
|
// backends advertise h2 via ALPN but don't speak the h2 binary protocol).
|
|
|
|
|
let h2_uri = format!("{}://{}:{}{}",
|
|
|
|
|
if upstream.use_tls { "https" } else { "http" },
|
|
|
|
|
upstream.host, upstream.port, upstream_path);
|
|
|
|
|
let scheme = if upstream.use_tls { "https" } else { "http" };
|
|
|
|
|
let authority = if domain != "-" { domain } else { upstream.host.as_str() };
|
|
|
|
|
let h2_uri = format!("{}://{}{}", scheme, authority, upstream_path);
|
|
|
|
|
let mut upstream_req = Request::builder()
|
|
|
|
|
.method(parts.method)
|
|
|
|
|
.uri(&h2_uri);
|
|
|
|
|
@@ -1464,17 +1480,21 @@ impl HttpProxyService {
|
|
|
|
|
domain: &str,
|
|
|
|
|
) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
|
|
|
|
|
// Build absolute URI for H2 pseudo-headers (:scheme, :authority)
|
|
|
|
|
let h2_uri = if let Some(pk) = pool_key {
|
|
|
|
|
format!("{}://{}:{}{}",
|
|
|
|
|
if pk.use_tls { "https" } else { "http" },
|
|
|
|
|
pk.host, pk.port, upstream_path)
|
|
|
|
|
} else {
|
|
|
|
|
upstream_path.to_string()
|
|
|
|
|
// Use the requested domain as authority (not backend address) so :authority matches Host header
|
|
|
|
|
let scheme = if pool_key.map(|pk| pk.use_tls).unwrap_or(false) { "https" } else { "http" };
|
|
|
|
|
let authority = if domain != "-" { domain } else {
|
|
|
|
|
pool_key.map(|pk| pk.host.as_str()).unwrap_or("localhost")
|
|
|
|
|
};
|
|
|
|
|
let h2_uri = format!("{}://{}{}", scheme, authority, upstream_path);
|
|
|
|
|
let mut upstream_req = Request::builder()
|
|
|
|
|
.method(parts.method)
|
|
|
|
|
.uri(&h2_uri);
|
|
|
|
|
|
|
|
|
|
// Remove Host header for H2 — :authority pseudo-header (from URI) is sufficient
|
|
|
|
|
// Having both Host and :authority causes nginx to return 400
|
|
|
|
|
let mut upstream_headers = upstream_headers;
|
|
|
|
|
upstream_headers.remove("host");
|
|
|
|
|
|
|
|
|
|
if let Some(headers) = upstream_req.headers_mut() {
|
|
|
|
|
*headers = upstream_headers;
|
|
|
|
|
}
|
|
|
|
|
@@ -1547,7 +1567,7 @@ impl HttpProxyService {
|
|
|
|
|
Ok(response.body(body).unwrap())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Handle a WebSocket upgrade request.
|
|
|
|
|
/// Handle a WebSocket upgrade request (H1 Upgrade or H2 Extended CONNECT per RFC 8441).
|
|
|
|
|
async fn handle_websocket_upgrade(
|
|
|
|
|
&self,
|
|
|
|
|
req: Request<Incoming>,
|
|
|
|
|
@@ -1558,6 +1578,7 @@ impl HttpProxyService {
|
|
|
|
|
upstream_key: &str,
|
|
|
|
|
cancel: CancellationToken,
|
|
|
|
|
source_ip: &str,
|
|
|
|
|
is_h2: bool,
|
|
|
|
|
) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
|
|
|
|
|
use tokio::io::{AsyncReadExt, AsyncWriteExt};
|
|
|
|
|
|
|
|
|
|
@@ -1643,9 +1664,11 @@ impl HttpProxyService {
|
|
|
|
|
|
|
|
|
|
let (parts, _body) = req.into_parts();
|
|
|
|
|
|
|
|
|
|
// H2 Extended CONNECT uses method=CONNECT, but the H1.1 backend expects GET
|
|
|
|
|
let backend_method = if is_h2 { "GET" } else { parts.method.as_str() };
|
|
|
|
|
let mut raw_request = format!(
|
|
|
|
|
"{} {} HTTP/1.1\r\n",
|
|
|
|
|
parts.method, upstream_path
|
|
|
|
|
backend_method, upstream_path
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
// Copy all original headers (preserving the client's Host header).
|
|
|
|
|
@@ -1673,6 +1696,23 @@ impl HttpProxyService {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// H2 Extended CONNECT doesn't carry H1 WebSocket handshake headers;
|
|
|
|
|
// inject them so the H1.1 backend can complete the upgrade.
|
|
|
|
|
if is_h2 {
|
|
|
|
|
if !parts.headers.contains_key("upgrade") {
|
|
|
|
|
raw_request.push_str("upgrade: websocket\r\n");
|
|
|
|
|
}
|
|
|
|
|
if !parts.headers.contains_key("connection") {
|
|
|
|
|
raw_request.push_str("connection: Upgrade\r\n");
|
|
|
|
|
}
|
|
|
|
|
if !parts.headers.contains_key("sec-websocket-version") {
|
|
|
|
|
raw_request.push_str("sec-websocket-version: 13\r\n");
|
|
|
|
|
}
|
|
|
|
|
if !parts.headers.contains_key("sec-websocket-key") {
|
|
|
|
|
raw_request.push_str("sec-websocket-key: dGhlIHNhbXBsZSBub25jZQ==\r\n");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add standard reverse-proxy headers (X-Forwarded-*)
|
|
|
|
|
{
|
|
|
|
|
let original_host = parts.headers.get("host")
|
|
|
|
|
@@ -1775,8 +1815,12 @@ impl HttpProxyService {
|
|
|
|
|
));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
let mut client_resp = Response::builder()
|
|
|
|
|
.status(StatusCode::SWITCHING_PROTOCOLS);
|
|
|
|
|
// H1: 101 Switching Protocols; H2: 200 OK (RFC 8441 — hyper requires 2xx for Extended CONNECT upgrade)
|
|
|
|
|
let mut client_resp = if is_h2 {
|
|
|
|
|
Response::builder().status(StatusCode::OK)
|
|
|
|
|
} else {
|
|
|
|
|
Response::builder().status(StatusCode::SWITCHING_PROTOCOLS)
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if let Some(resp_headers) = client_resp.headers_mut() {
|
|
|
|
|
for line in response_str.lines().skip(1) {
|
|
|
|
|
@@ -1787,6 +1831,17 @@ impl HttpProxyService {
|
|
|
|
|
if let Some((name, value)) = line.split_once(':') {
|
|
|
|
|
let name = name.trim();
|
|
|
|
|
let value = value.trim();
|
|
|
|
|
// Skip hop-by-hop headers for H2 (forbidden by RFC 9113 §8.2.2)
|
|
|
|
|
if is_h2 {
|
|
|
|
|
let name_lower = name.to_lowercase();
|
|
|
|
|
if name_lower == "upgrade" || name_lower == "connection"
|
|
|
|
|
|| name_lower == "sec-websocket-accept"
|
|
|
|
|
|| name_lower == "transfer-encoding"
|
|
|
|
|
|| name_lower == "keep-alive"
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if let Ok(header_name) = hyper::header::HeaderName::from_bytes(name.as_bytes()) {
|
|
|
|
|
if let Ok(header_value) = hyper::header::HeaderValue::from_str(value) {
|
|
|
|
|
resp_headers.insert(header_name, header_value);
|
|
|
|
|
|
