Refactor to simpler single-port TLS detection pattern

blink-so[bot] · f0ssel · blink-so[bot] · commit 22f42a36264c · 2025-09-13T17:51:03.000Z
- Use simple byte peek and connection wrapper approach
- Eliminate complex buffered reader logic
- Use standard http.Serve with single connection listener
- Much cleaner and more maintainable implementation
- Based on suggested simpler pattern
- Should eliminate all the race conditions and complexity

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -514,21 +514,34 @@ func (p *Server) handleDecryptedHTTPS(w http.ResponseWriter, r *http.Request) {
 func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
 	defer conn.Close()
 
-	// Use a buffered reader to peek at the first byte without consuming it
-	bufReader := bufio.NewReader(conn)
-	firstByte, err := bufReader.Peek(1)
+	// Peek at first byte to detect protocol
+	buf := make([]byte, 1)
+	_, err := conn.Read(buf)
 	if err != nil {
-		p.logger.Debug("Failed to peek at connection data", "error", err)
+		p.logger.Debug("Failed to read first byte from connection", "error", err)
 		return
 	}
 
+	// Create connection wrapper that can "unread" the peeked byte
+	connWrapper := &connectionWrapper{conn, buf, false}
+
 	// TLS handshake starts with 0x16 (TLS Content Type: Handshake)
-	if len(firstByte) > 0 && firstByte[0] == 0x16 {
+	if buf[0] == 0x16 {
 		p.logger.Debug("Detected TLS handshake, performing TLS termination")
-		p.handleTLSTerminationDirect(bufReader, conn)
+		// Perform TLS handshake
+		tlsConn := tls.Server(connWrapper, p.tlsConfig)
+		err := tlsConn.Handshake()
+		if err != nil {
+			p.logger.Debug("TLS handshake failed", "error", err)
+			return
+		}
+		p.logger.Debug("TLS handshake successful")
+		// Use HTTP server with TLS connection
+		http.Serve(&singleConnectionListener{conn: tlsConn}, http.HandlerFunc(p.handleHTTPS))
 	} else {
 		p.logger.Debug("Detected HTTP request, handling normally")
-		p.handleHTTPConnectionDirect(bufReader, conn)
+		// Use HTTP server with regular connection
+		http.Serve(&singleConnectionListener{conn: connWrapper}, http.HandlerFunc(p.handleHTTP))
 	}
 }
 
@@ -806,6 +819,44 @@ func (p *Server) handleTLSTerminationDirect(bufReader *bufio.Reader, conn net.Co
 	p.handleTLSConnection(tlsConn, hostname)
 }
 
+// connectionWrapper lets us "unread" the peeked byte
+type connectionWrapper struct {
+	net.Conn
+	buf []byte
+	bufUsed bool
+}
+
+func (c *connectionWrapper) Read(p []byte) (int, error) {
+	if !c.bufUsed && len(c.buf) > 0 {
+		n := copy(p, c.buf)
+		c.bufUsed = true
+		return n, nil
+	}
+	return c.Conn.Read(p)
+}
+
+// singleConnectionListener wraps a single connection into a net.Listener
+type singleConnectionListener struct {
+	conn net.Conn
+	used bool
+}
+
+func (sl *singleConnectionListener) Accept() (net.Conn, error) {
+	if sl.used || sl.conn == nil {
+		return nil, io.EOF
+	}
+	sl.used = true
+	return sl.conn, nil
+}
+
+func (sl *singleConnectionListener) Close() error {
+	return nil
+}
+
+func (sl *singleConnectionListener) Addr() net.Addr {
+	return sl.conn.LocalAddr()
+}
+
 // bufferedConnection wraps a connection with a buffered reader
 type bufferedConnection struct {
 	net.Conn
