Fix HTTP connection handling with buffered reader approach

blink-so[bot] · f0ssel · blink-so[bot] · commit 1c089580068e · 2025-09-13T17:32:32.000Z
- Replace byte-consumption approach with bufio.Reader.Peek()
- Avoid issues with already-read bytes in HTTP parsing
- Add buffered connection wrappers for both HTTP and TLS handling
- Should resolve 'connection reset by peer' in privileged mode
- Maintains protocol detection while preserving complete request data

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -480,23 +480,21 @@ func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) {
 func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
 	defer conn.Close()
 
-	// Peek at the first byte to detect TLS handshake
-	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
-	firstByte := make([]byte, 1)
-	n, err := conn.Read(firstByte)
-	if err != nil || n == 0 {
-		p.logger.Debug("Failed to read first byte from connection", "error", err)
+	// Use a buffered reader to peek at the first byte without consuming it
+	bufReader := bufio.NewReader(conn)
+	firstByte, err := bufReader.Peek(1)
+	if err != nil {
+		p.logger.Debug("Failed to peek at connection data", "error", err)
 		return
 	}
-	conn.SetReadDeadline(time.Time{}) // Clear deadline
 
 	// TLS handshake starts with 0x16 (TLS Content Type: Handshake)
-	if firstByte[0] == 0x16 {
+	if len(firstByte) > 0 && firstByte[0] == 0x16 {
 		p.logger.Debug("Detected TLS handshake, performing TLS termination")
-		p.handleTLSTermination(conn, firstByte)
+		p.handleTLSTerminationBuffered(bufReader, conn)
 	} else {
 		p.logger.Debug("Detected HTTP request, handling normally")
-		p.handleHTTPConnection(conn, firstByte)
+		p.handleHTTPConnectionBuffered(bufReader, conn)
 	}
 }
 
@@ -569,14 +567,20 @@ type connectionWithPrefix struct {
 	net.Conn
 	prefix []byte
 	prefixRead bool
+	mu sync.Mutex
 }
 
 func (c *connectionWithPrefix) Read(b []byte) (n int, err error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	
 	if !c.prefixRead && len(c.prefix) > 0 {
+		// Return the prefix data first
 		n = copy(b, c.prefix)
 		c.prefixRead = true
 		return n, nil
 	}
+	// After prefix is read, delegate to underlying connection
 	return c.Conn.Read(b)
 }
 
@@ -615,4 +619,67 @@ func (l *singleConnListener) Close() error {
 
 func (l *singleConnListener) Addr() net.Addr {
 	return l.conn.LocalAddr()
+}
+
+// handleHTTPConnectionBuffered handles regular HTTP connections using buffered reader
+func (p *Server) handleHTTPConnectionBuffered(bufReader *bufio.Reader, conn net.Conn) {
+	p.logger.Debug("Starting buffered HTTP connection handling")
+	
+	// Create a connection that uses the buffered reader
+	bufferedConn := &bufferedConnection{
+		Conn: conn,
+		reader: bufReader,
+	}
+
+	p.logger.Debug("Created buffered connection, starting HTTP server")
+	
+	// Create HTTP server to handle this connection
+	server := &http.Server{
+		Handler: http.HandlerFunc(p.handleHTTP),
+	}
+
+	p.logger.Debug("About to serve buffered HTTP connection")
+	
+	// Serve the HTTP request
+	err := server.Serve(&singleConnListener{conn: bufferedConn})
+	if err != nil && err != io.EOF && !isConnectionClosed(err) {
+		p.logger.Debug("Buffered HTTP connection error", "error", err)
+	} else {
+		p.logger.Debug("Buffered HTTP connection completed successfully")
+	}
+}
+
+// handleTLSTerminationBuffered performs TLS termination using buffered reader
+func (p *Server) handleTLSTerminationBuffered(bufReader *bufio.Reader, conn net.Conn) {
+	// Create a connection that uses the buffered reader
+	bufferedConn := &bufferedConnection{
+		Conn: conn,
+		reader: bufReader,
+	}
+
+	// Extract hostname from TLS SNI (TODO: implement SNI parsing)
+	hostname := "unknown-host"
+	
+	// Perform TLS handshake with our certificate
+	tlsConn := tls.Server(bufferedConn, p.tlsConfig)
+	err := tlsConn.Handshake()
+	if err != nil {
+		p.logger.Debug("Buffered TLS handshake failed", "error", err)
+		return
+	}
+	
+	p.logger.Debug("Buffered TLS handshake successful, processing decrypted HTTPS traffic")
+	
+	// Handle the decrypted HTTPS requests
+	p.handleTLSConnection(tlsConn, hostname)
+}
+
+// bufferedConnection wraps a connection with a buffered reader
+type bufferedConnection struct {
+	net.Conn
+	reader *bufio.Reader
+}
+
+func (bc *bufferedConnection) Read(b []byte) (n int, err error) {
+	return bc.reader.Read(b)
 }
