Use std http.Protocols for http config (#4011)

Author: emcfarlane

go.mod

@@ -42,7 +42,6 @@ require (
 	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.42.0
 	golang.org/x/mod v0.28.0
-	golang.org/x/net v0.44.0
 	golang.org/x/sync v0.17.0
 	golang.org/x/term v0.35.0
 	golang.org/x/tools v0.37.0
@@ -101,7 +100,8 @@ require (
 	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
 	go.uber.org/mock v0.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
+	golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b // indirect
+	golang.org/x/net v0.44.0 // indirect
 	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250908214217-97024824d090 // indirect

go.sum

@@ -206,8 +206,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
 golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
-golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
-golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
+golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b h1:DXr+pvt3nC887026GRP39Ej11UATqWDmWuS99x26cD0=
+golang.org/x/exp v0.0.0-20250819193227-8b4c13bb791b/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
 golang.org/x/mod v0.28.0 h1:gQBtGhjxykdjY9YhZpSlZIsbnaE2+PgjfLWUQTnoZ1U=
 golang.org/x/mod v0.28.0/go.mod h1:yfB/L0NOf/kmEbXjzCPOx1iK1fRutOydrCMsqRhEBxI=
 golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=

private/buf/bufstudioagent/bufstudioagent_test.go

@@ -35,8 +35,6 @@ import (
 	"github.com/bufbuild/buf/private/pkg/slogtestext"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -275,16 +273,25 @@ func newTestConnectServer(t *testing.T, tls bool) *httptest.Server {
 		},
 		connect.WithCodec(&bufferCodec{name: "proto"}),
 	))
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+	server := httptest.NewUnstartedServer(mux)
+	server.Config.Protocols = protocols
 	if tls {
-		upstreamServerTLS := httptest.NewUnstartedServer(mux)
-		upstreamServerTLS.EnableHTTP2 = true
-		upstreamServerTLS.StartTLS()
+		protocols.SetHTTP2(true)
+		// Enable HTTP/2 for TLS configuration.
+		server.EnableHTTP2 = true
+		server.StartTLS()
+		// Add the server's certificate to its own trusted CA pool.
+		// This is needed because the server TSL config is used to configure clients.
 		certpool := x509.NewCertPool()
-		certpool.AddCert(upstreamServerTLS.Certificate())
-		upstreamServerTLS.TLS.RootCAs = certpool
-		return upstreamServerTLS
+		certpool.AddCert(server.Certificate())
+		server.TLS.RootCAs = certpool
+	} else {
+		protocols.SetUnencryptedHTTP2(true)
+		server.Start()
 	}
-	return httptest.NewServer(h2c.NewHandler(mux, &http2.Server{}))
+	return server
 }
 
 func protoMarshalBase64(t *testing.T, message proto.Message) []byte {

private/buf/bufstudioagent/plain_post_handler.go

@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
-	"net"
 	"net/http"
 	"net/textproto"
 	"net/url"
@@ -31,7 +30,6 @@ import (
 	"connectrpc.com/connect"
 	studiov1alpha1 "github.com/bufbuild/buf/private/gen/proto/go/buf/alpha/studio/v1alpha1"
 	"github.com/bufbuild/buf/private/pkg/protoencoding"
-	"golang.org/x/net/http2"
 	"google.golang.org/protobuf/proto"
 )
 
@@ -54,8 +52,7 @@ type plainPostHandler struct {
 	Logger              *slog.Logger
 	MaxMessageSizeBytes int64
 	B64Encoding         *base64.Encoding
-	TLSClient           *http.Client
-	H2CClient           *http.Client
+	Client              *http.Client
 	DisallowedHeaders   map[string]struct{}
 	ForwardHeaders      map[string]string
 }
@@ -74,25 +71,23 @@ func newPlainPostHandler(
 	for k, v := range forwardHeaders {
 		canonicalForwardHeaders[textproto.CanonicalMIMEHeaderKey(k)] = v
 	}
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+	protocols.SetHTTP2(true)
+	protocols.SetUnencryptedHTTP2(true)
+	transport := &http.Transport{
+		TLSClientConfig: tlsClientConfig,
+		Protocols:       protocols,
+	}
 	return &plainPostHandler{
 		B64Encoding:       base64.StdEncoding,
 		DisallowedHeaders: canonicalDisallowedHeaders,
 		ForwardHeaders:    canonicalForwardHeaders,
-		H2CClient: &http.Client{
-			Transport: &http2.Transport{
-				AllowHTTP: true,
-				DialTLS: func(netw, addr string, config *tls.Config) (net.Conn, error) {
-					return net.Dial(netw, addr)
-				},
-			},
+		Client: &http.Client{
+			Transport: transport,
 		},
 		Logger:              logger,
 		MaxMessageSizeBytes: MaxMessageSizeBytesDefault,
-		TLSClient: &http.Client{
-			Transport: &http2.Transport{
-				TLSClientConfig: tlsClientConfig,
-			},
-		},
 	}
 }
 
@@ -150,10 +145,8 @@ func (i *plainPostHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	var httpClient *http.Client
 	switch targetURL.Scheme {
-	case "http":
-		httpClient = i.H2CClient
-	case "https":
-		httpClient = i.TLSClient
+	case "http", "https":
+		httpClient = i.Client
 	default:
 		http.Error(w, fmt.Sprintf("must specify http or https url scheme, got %q", targetURL.Scheme), http.StatusBadRequest)
 		return

private/buf/cmd/buf/command/curl/curl.go

@@ -44,7 +44,6 @@ import (
 	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/http3"
 	"github.com/spf13/pflag"
-	"golang.org/x/net/http2"
 	"google.golang.org/protobuf/reflect/protoreflect"
 )
 
@@ -1131,32 +1130,18 @@ func makeHTTPRoundTripper(f *flags, isSecure bool, authority string, printer ver
 			return tlsConn, nil
 		}
 	}
-
-	var transport http.RoundTripper
-	switch {
-	case f.HTTP2PriorKnowledge && isSecure:
-		transport = &http2.Transport{
-			DialTLSContext: func(ctx context.Context, network, addr string, _ *tls.Config) (net.Conn, error) {
-				return dialTLSFunc(ctx, network, addr)
-			},
-		}
-	case f.HTTP2PriorKnowledge:
-		transport = &http2.Transport{
-			AllowHTTP: true,
-			DialTLSContext: func(ctx context.Context, network, addr string, _ *tls.Config) (net.Conn, error) {
-				return dialFunc(ctx, network, addr)
-			},
-		}
-	default:
-		transport = &http.Transport{
-			Proxy:             http.ProxyFromEnvironment,
-			DialContext:       dialFunc,
-			DialTLSContext:    dialTLSFunc,
-			ForceAttemptHTTP2: true,
-			MaxIdleConns:      1,
-		}
-	}
-	return transport, nil
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+	protocols.SetHTTP2(f.HTTP2PriorKnowledge)
+	protocols.SetUnencryptedHTTP2(f.HTTP2PriorKnowledge && !isSecure)
+	return &http.Transport{
+		Proxy:             http.ProxyFromEnvironment,
+		DialContext:       dialFunc,
+		DialTLSContext:    dialTLSFunc,
+		ForceAttemptHTTP2: true,
+		MaxIdleConns:      1,
+		Protocols:         protocols,
+	}, nil
 }
 
 func makeHTTP3RoundTripper(f *flags, authority string, printer verbose.Printer) (http.RoundTripper, error) {

private/bufpkg/bufremoteplugin/bufremoteplugindocker/docker_test.go

@@ -43,8 +43,6 @@ import (
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 )
 
 const (
@@ -181,8 +179,6 @@ func buildDockerPlugin(t testing.TB, dockerfilePath string, pluginIdentity strin
 // dockerServer allows testing some failure flows by simulating the responses to Docker CLI commands.
 type dockerServer struct {
 	httpServer    *httptest.Server
-	h2Server      *http2.Server
-	h2Handler     http.Handler
 	t             testing.TB
 	versionPrefix string
 	pushErr       error
@@ -211,11 +207,14 @@ func newDockerServer(t testing.TB, version string) *dockerServer {
 			t.Fatalf("failed to encode response: %v", err)
 		}
 	})
-	dockerServer.h2Server = &http2.Server{}
-	dockerServer.h2Handler = h2c.NewHandler(mux, dockerServer.h2Server)
-	dockerServer.httpServer = httptest.NewUnstartedServer(dockerServer.h2Handler)
-	dockerServer.httpServer.Start()
-	t.Cleanup(dockerServer.httpServer.Close)
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+	protocols.SetUnencryptedHTTP2(true)
+	server := httptest.NewUnstartedServer(mux)
+	server.Config.Protocols = protocols
+	server.Start()
+	dockerServer.httpServer = server
+	t.Cleanup(server.Close)
 	return dockerServer
 }
 

private/pkg/transport/http/httpserver/httpserver.go

@@ -23,8 +23,6 @@ import (
 	"time"
 
 	"github.com/go-chi/chi/v5"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -33,7 +31,7 @@ const (
 	DefaultShutdownTimeout = 10 * time.Second
 	// DefaultReadHeaderTimeout is the default read header timeout.
 	DefaultReadHeaderTimeout = 30 * time.Second
-	// DefaultIdleTimeout is the amount of time an HTTP/2 connection can be idle.
+	// DefaultIdleTimeout is the amount of time a connection can be idle.
 	DefaultIdleTimeout = 3 * time.Minute
 )
 
@@ -115,16 +113,17 @@ func Run(
 	for _, option := range options {
 		option(s)
 	}
+	protocols := new(http.Protocols)
+	protocols.SetHTTP1(true)
+	protocols.SetHTTP2(true)
+	protocols.SetUnencryptedHTTP2(!s.disableH2C)
 	httpServer := &http.Server{
 		Handler:           handler,
 		ReadHeaderTimeout: s.readHeaderTimeout,
 		ErrorLog:          slog.NewLogLogger(logger.Handler(), slog.LevelError),
 		TLSConfig:         s.tlsConfig,
-	}
-	if s.tlsConfig == nil && !s.disableH2C {
-		httpServer.Handler = h2c.NewHandler(handler, &http2.Server{
-			IdleTimeout: DefaultIdleTimeout,
-		})
+		Protocols:         protocols,
+		IdleTimeout:       DefaultIdleTimeout,
 	}
 	if s.walkFunc != nil {
 		routes, ok := handler.(chi.Routes)