mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 08:12:43 -04:00 
			
		
		
		
	reverseproxy: Rewrite requests and responses for websocket over http2 (#6567)
	
		
			
	
		
	
	
		
	
		
			Some checks failed
		
		
	
	
		
			
				
	
				Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
				
			
		
			
				
	
				Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
				
			
		
			
				
	
				Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
				
			
		
			
				
	
				Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
				
			
		
			
				
	
				Lint / lint (macos-14, mac) (push) Waiting to run
				
			
		
			
				
	
				Lint / lint (windows-latest, windows) (push) Waiting to run
				
			
		
			
				
	
				Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 1m49s
				
			
		
			
				
	
				Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m56s
				
			
		
			
				
	
				Tests / test (s390x on IBM Z) (push) Has been skipped
				
			
		
			
				
	
				Tests / goreleaser-check (push) Has been skipped
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m35s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m27s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m25s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m27s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m29s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m26s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m26s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m26s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m23s
				
			
		
			
				
	
				Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m25s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 2m30s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 2m45s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 2m2s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 2m42s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 2m12s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m19s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m51s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m21s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m17s
				
			
		
			
				
	
				Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m17s
				
			
		
			
				
	
				Lint / lint (ubuntu-latest, linux) (push) Successful in 3m18s
				
			
		
			
				
	
				Lint / govulncheck (push) Successful in 1m33s
				
			
		
		
	
	
				
					
				
			
		
			Some checks failed
		
		
	
	Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
				
			Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
				
			Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
				
			Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
				
			Lint / lint (macos-14, mac) (push) Waiting to run
				
			Lint / lint (windows-latest, windows) (push) Waiting to run
				
			Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 1m49s
				
			Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m56s
				
			Tests / test (s390x on IBM Z) (push) Has been skipped
				
			Tests / goreleaser-check (push) Has been skipped
				
			Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m35s
				
			Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m27s
				
			Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m25s
				
			Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m27s
				
			Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m29s
				
			Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m26s
				
			Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m26s
				
			Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m26s
				
			Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m23s
				
			Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m25s
				
			Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 2m30s
				
			Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 2m45s
				
			Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 2m2s
				
			Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 2m42s
				
			Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 2m12s
				
			Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m19s
				
			Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m51s
				
			Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m21s
				
			Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m17s
				
			Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m17s
				
			Lint / lint (ubuntu-latest, linux) (push) Successful in 3m18s
				
			Lint / govulncheck (push) Successful in 1m33s
				
			* reverse proxy: rewrite requests and responses for websocket over http2 * delete protocol pseudo-header * modify cloned requests * set request variable to track if it's a h2 websocket * use request bodu * rewrite request body * use WebSocket instead of Websocket in the headers * use logger check for zap loggers * fix lint
This commit is contained in:
		
							parent
							
								
									a1751adb40
								
							
						
					
					
						commit
						9c0c71e577
					
				| @ -17,6 +17,8 @@ package reverseproxy | ||||
| import ( | ||||
| 	"bytes" | ||||
| 	"context" | ||||
| 	"crypto/rand" | ||||
| 	"encoding/base64" | ||||
| 	"encoding/json" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| @ -394,6 +396,23 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht | ||||
| 		return caddyhttp.Error(http.StatusInternalServerError, | ||||
| 			fmt.Errorf("preparing request for upstream round-trip: %v", err)) | ||||
| 	} | ||||
| 	// websocket over http2, assuming backend doesn't support this, the request will be modified to http1.1 upgrade | ||||
| 	// TODO: once we can reliably detect backend support this, it can be removed for those backends | ||||
| 	if r.ProtoMajor == 2 && r.Method == http.MethodConnect && r.Header.Get(":protocol") != "" { | ||||
| 		clonedReq.Header.Del(":protocol") | ||||
| 		// keep the body for later use. http1.1 upgrade uses http.NoBody | ||||
| 		caddyhttp.SetVar(clonedReq.Context(), "h2_websocket_body", clonedReq.Body) | ||||
| 		clonedReq.Body = http.NoBody | ||||
| 		clonedReq.Method = http.MethodGet | ||||
| 		clonedReq.Header.Set("Upgrade", r.Header.Get(":protocol")) | ||||
| 		clonedReq.Header.Set("Connection", "Upgrade") | ||||
| 		key := make([]byte, 16) | ||||
| 		_, randErr := rand.Read(key) | ||||
| 		if randErr != nil { | ||||
| 			return randErr | ||||
| 		} | ||||
| 		clonedReq.Header["Sec-WebSocket-Key"] = []string{base64.StdEncoding.EncodeToString(key)} | ||||
| 	} | ||||
| 
 | ||||
| 	// we will need the original headers and Host value if | ||||
| 	// header operations are configured; this is so that each | ||||
|  | ||||
| @ -19,6 +19,7 @@ | ||||
| package reverseproxy | ||||
| 
 | ||||
| import ( | ||||
| 	"bufio" | ||||
| 	"context" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| @ -33,8 +34,29 @@ import ( | ||||
| 	"go.uber.org/zap" | ||||
| 	"go.uber.org/zap/zapcore" | ||||
| 	"golang.org/x/net/http/httpguts" | ||||
| 
 | ||||
| 	"github.com/caddyserver/caddy/v2/modules/caddyhttp" | ||||
| ) | ||||
| 
 | ||||
| type h2ReadWriteCloser struct { | ||||
| 	io.ReadCloser | ||||
| 	http.ResponseWriter | ||||
| } | ||||
| 
 | ||||
| func (rwc h2ReadWriteCloser) Write(p []byte) (n int, err error) { | ||||
| 	n, err = rwc.ResponseWriter.Write(p) | ||||
| 	if err != nil { | ||||
| 		return 0, err | ||||
| 	} | ||||
| 
 | ||||
| 	//nolint:bodyclose | ||||
| 	err = http.NewResponseController(rwc.ResponseWriter).Flush() | ||||
| 	if err != nil { | ||||
| 		return 0, err | ||||
| 	} | ||||
| 	return n, nil | ||||
| } | ||||
| 
 | ||||
| func (h *Handler) handleUpgradeResponse(logger *zap.Logger, wg *sync.WaitGroup, rw http.ResponseWriter, req *http.Request, res *http.Response) { | ||||
| 	reqUpType := upgradeType(req.Header) | ||||
| 	resUpType := upgradeType(res.Header) | ||||
| @ -67,24 +89,58 @@ func (h *Handler) handleUpgradeResponse(logger *zap.Logger, wg *sync.WaitGroup, | ||||
| 	// like the rest of handler chain. | ||||
| 	copyHeader(rw.Header(), res.Header) | ||||
| 	normalizeWebsocketHeaders(rw.Header()) | ||||
| 	rw.WriteHeader(res.StatusCode) | ||||
| 
 | ||||
| 	logger.Debug("upgrading connection") | ||||
| 	var ( | ||||
| 		conn io.ReadWriteCloser | ||||
| 		brw  *bufio.ReadWriter | ||||
| 	) | ||||
| 	// websocket over http2, assuming backend doesn't support this, the request will be modified to http1.1 upgrade | ||||
| 	// TODO: once we can reliably detect backend support this, it can be removed for those backends | ||||
| 	if body, ok := caddyhttp.GetVar(req.Context(), "h2_websocket_body").(io.ReadCloser); ok { | ||||
| 		req.Body = body | ||||
| 		rw.Header().Del("Upgrade") | ||||
| 		rw.Header().Del("Connection") | ||||
| 		delete(rw.Header(), "Sec-WebSocket-Accept") | ||||
| 		rw.WriteHeader(http.StatusOK) | ||||
| 
 | ||||
| 	//nolint:bodyclose | ||||
| 	conn, brw, hijackErr := http.NewResponseController(rw).Hijack() | ||||
| 	if errors.Is(hijackErr, http.ErrNotSupported) { | ||||
| 		if c := logger.Check(zapcore.ErrorLevel, "can't switch protocols using non-Hijacker ResponseWriter"); c != nil { | ||||
| 			c.Write(zap.String("type", fmt.Sprintf("%T", rw))) | ||||
| 		if c := logger.Check(zap.DebugLevel, "upgrading connection"); c != nil { | ||||
| 			c.Write(zap.Int("http_version", 2)) | ||||
| 		} | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	if hijackErr != nil { | ||||
| 		if c := logger.Check(zapcore.ErrorLevel, "hijack failed on protocol switch"); c != nil { | ||||
| 			c.Write(zap.Error(hijackErr)) | ||||
| 		//nolint:bodyclose | ||||
| 		flushErr := http.NewResponseController(rw).Flush() | ||||
| 		if flushErr != nil { | ||||
| 			if c := h.logger.Check(zap.ErrorLevel, "failed to flush http2 websocket response"); c != nil { | ||||
| 				c.Write(zap.Error(flushErr)) | ||||
| 			} | ||||
| 			return | ||||
| 		} | ||||
| 		conn = h2ReadWriteCloser{req.Body, rw} | ||||
| 		// bufio is not needed, use minimal buffer | ||||
| 		brw = bufio.NewReadWriter(bufio.NewReaderSize(conn, 1), bufio.NewWriterSize(conn, 1)) | ||||
| 	} else { | ||||
| 		rw.WriteHeader(res.StatusCode) | ||||
| 
 | ||||
| 		if c := logger.Check(zap.DebugLevel, "upgrading connection"); c != nil { | ||||
| 			c.Write(zap.Int("http_version", req.ProtoMajor)) | ||||
| 		} | ||||
| 
 | ||||
| 		var hijackErr error | ||||
| 		//nolint:bodyclose | ||||
| 		conn, brw, hijackErr = http.NewResponseController(rw).Hijack() | ||||
| 		if errors.Is(hijackErr, http.ErrNotSupported) { | ||||
| 			if c := h.logger.Check(zap.ErrorLevel, "can't switch protocols using non-Hijacker ResponseWriter"); c != nil { | ||||
| 				c.Write(zap.String("type", fmt.Sprintf("%T", rw))) | ||||
| 			} | ||||
| 			return | ||||
| 		} | ||||
| 
 | ||||
| 		if hijackErr != nil { | ||||
| 			if c := h.logger.Check(zap.ErrorLevel, "hijack failed on protocol switch"); c != nil { | ||||
| 				c.Write(zap.Error(hijackErr)) | ||||
| 			} | ||||
| 			return | ||||
| 		} | ||||
| 		return | ||||
| 	} | ||||
| 
 | ||||
| 	// adopted from https://github.com/golang/go/commit/8bcf2834afdf6a1f7937390903a41518715ef6f5 | ||||
|  | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user