Implement direct connection handling to fix premature completion

blink-so[bot] · f0ssel · blink-so[bot] · commit a352df8ab552 · 2025-09-13T17:49:02.000Z
- Replace HTTP server framework with direct connection handling
- Parse HTTP requests manually using http.ReadRequest
- Write HTTP responses directly to connection
- Eliminates race condition where HTTP server completed before handler finished
- Should fix 'Empty reply from server' issue completely
- Maintains all logging and error handling

Co-authored-by: f0ssel &lt;19379394+f0ssel@users.noreply.github.com&gt;
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -525,10 +525,10 @@ func (p *Server) handleConnectionWithTLSDetection(conn net.Conn) {
 	// TLS handshake starts with 0x16 (TLS Content Type: Handshake)
 	if len(firstByte) > 0 && firstByte[0] == 0x16 {
 		p.logger.Debug("Detected TLS handshake, performing TLS termination")
-		p.handleTLSTerminationBuffered(bufReader, conn)
+		p.handleTLSTerminationDirect(bufReader, conn)
 	} else {
 		p.logger.Debug("Detected HTTP request, handling normally")
-		p.handleHTTPConnectionBuffered(bufReader, conn)
+		p.handleHTTPConnectionDirect(bufReader, conn)
 	}
 }
 
@@ -655,36 +655,134 @@ func (l *singleConnListener) Addr() net.Addr {
 	return l.conn.LocalAddr()
 }
 
-// handleHTTPConnectionBuffered handles regular HTTP connections using buffered reader
-func (p *Server) handleHTTPConnectionBuffered(bufReader *bufio.Reader, conn net.Conn) {
-	p.logger.Debug("Starting buffered HTTP connection handling")
+// handleHTTPConnectionDirect handles HTTP connections directly without HTTP server framework
+func (p *Server) handleHTTPConnectionDirect(bufReader *bufio.Reader, conn net.Conn) {
+	p.logger.Debug("Starting direct HTTP connection handling")
 	
-	// Create a connection that uses the buffered reader
-	bufferedConn := &bufferedConnection{
-		Conn: conn,
-		reader: bufReader,
+	// Parse the HTTP request manually
+	req, err := http.ReadRequest(bufReader)
+	if err != nil {
+		p.logger.Debug("Failed to parse HTTP request", "error", err)
+		return
+	}
+
+	p.logger.Debug("Parsed HTTP request", "method", req.Method, "url", req.URL.String(), "host", req.Host)
+
+	// Check if request should be allowed
+	result := p.ruleEngine.Evaluate(req.Method, req.URL.String())
+
+	// Audit the request
+	p.auditor.AuditRequest(audit.Request{
+		Method:  req.Method,
+		URL:     req.URL.String(),
+		Allowed: result.Allowed,
+		Rule:    result.Rule,
+	})
+
+	if !result.Allowed {
+		// Send blocked response directly
+		blockedResponse := "HTTP/1.1 403 Forbidden\r\n" +
+			"Content-Type: text/html\r\n" +
+			"Connection: close\r\n" +
+			"\r\n" +
+			"<html><body><h1>403 Forbidden</h1><p>Request blocked by jail</p></body></html>"
+		conn.Write([]byte(blockedResponse))
+		return
 	}
 
-	p.logger.Debug("Created buffered connection, starting HTTP server")
+	// Forward the request directly
+	p.forwardHTTPRequestDirect(req, conn)
+}
+
+// forwardHTTPRequestDirect forwards HTTP request and writes response directly to connection
+func (p *Server) forwardHTTPRequestDirect(req *http.Request, conn net.Conn) {
+	p.logger.Debug("forwardHTTPRequestDirect called", "method", req.Method, "url", req.URL.String(), "host", req.Host)
 	
-	// Create HTTP server to handle this connection
-	server := &http.Server{
-		Handler: http.HandlerFunc(p.handleHTTP),
+	// Create target URL
+	targetURL := &url.URL{
+		Scheme: "http",
+		Host:   req.Host,
+		Path:   req.URL.Path,
+		RawQuery: req.URL.RawQuery,
+	}
+
+	p.logger.Debug("Target URL constructed", "target", targetURL.String())
+
+	// Create HTTP client
+	client := &http.Client{
+		Timeout: 5 * time.Second,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	// Create new request
+	outReq, err := http.NewRequest(req.Method, targetURL.String(), req.Body)
+	if err != nil {
+		p.logger.Error("Failed to create forward request", "error", err)
+		errorResponse := "HTTP/1.1 500 Internal Server Error\r\n\r\n"
+		conn.Write([]byte(errorResponse))
+		return
+	}
+
+	// Copy headers
+	for name, values := range req.Header {
+		if strings.ToLower(name) == "connection" || strings.ToLower(name) == "proxy-connection" {
+			continue
+		}
+		for _, value := range values {
+			outReq.Header.Add(name, value)
+		}
+	}
+
+	p.logger.Debug("About to make HTTP request", "target", targetURL.String())
+	p.logger.Debug("Calling client.Do() now...")
+	start := time.Now()
+	resp, err := client.Do(outReq)
+	duration := time.Since(start)
+	p.logger.Debug("client.Do() completed", "duration", duration, "error", err)
+
+	if err != nil {
+		p.logger.Error("Failed to make forward request", "error", err, "target", targetURL.String())
+		errorResponse := "HTTP/1.1 502 Bad Gateway\r\n\r\n"
+		conn.Write([]byte(errorResponse))
+		return
 	}
+	defer resp.Body.Close()
 
-	p.logger.Debug("About to serve buffered HTTP connection")
+	p.logger.Debug("Received response", "status", resp.StatusCode, "target", targetURL.String())
+
+	// Write status line
+	statusLine := fmt.Sprintf("HTTP/1.1 %d %s\r\n", resp.StatusCode, resp.Status)
+	conn.Write([]byte(statusLine))
+
+	// Write headers
+	for name, values := range resp.Header {
+		if strings.ToLower(name) == "connection" || strings.ToLower(name) == "transfer-encoding" {
+			continue
+		}
+		for _, value := range values {
+			headerLine := fmt.Sprintf("%s: %s\r\n", name, value)
+			conn.Write([]byte(headerLine))
+		}
+	}
 	
-	// Serve the HTTP request
-	err := server.Serve(&singleConnListener{conn: bufferedConn})
-	if err != nil && err != io.EOF && !isConnectionClosed(err) {
-		p.logger.Debug("Buffered HTTP connection error", "error", err)
+	// End headers
+	conn.Write([]byte("\r\n"))
+
+	// Copy response body
+	bytesWritten, copyErr := io.Copy(conn, resp.Body)
+	if copyErr != nil {
+		p.logger.Error("Error copying response body", "error", copyErr, "bytes_written", bytesWritten)
 	} else {
-		p.logger.Debug("Buffered HTTP connection completed successfully")
+		p.logger.Debug("Successfully forwarded HTTP response", "bytes_written", bytesWritten, "status", resp.StatusCode)
 	}
+
+	p.logger.Debug("forwardHTTPRequestDirect completed")
 }
 
-// handleTLSTerminationBuffered performs TLS termination using buffered reader
-func (p *Server) handleTLSTerminationBuffered(bufReader *bufio.Reader, conn net.Conn) {
+// handleTLSTerminationDirect handles TLS termination directly
+func (p *Server) handleTLSTerminationDirect(bufReader *bufio.Reader, conn net.Conn) {
 	// Create a connection that uses the buffered reader
 	bufferedConn := &bufferedConnection{
 		Conn: conn,
@@ -698,11 +796,11 @@ func (p *Server) handleTLSTerminationBuffered(bufReader *bufio.Reader, conn net.
 	tlsConn := tls.Server(bufferedConn, p.tlsConfig)
 	err := tlsConn.Handshake()
 	if err != nil {
-		p.logger.Debug("Buffered TLS handshake failed", "error", err)
+		p.logger.Debug("TLS handshake failed", "error", err)
 		return
 	}
 	
-	p.logger.Debug("Buffered TLS handshake successful, processing decrypted HTTPS traffic")
+	p.logger.Debug("TLS handshake successful, processing decrypted HTTPS traffic")
 	
 	// Handle the decrypted HTTPS requests
 	p.handleTLSConnection(tlsConn, hostname)
