In its current state in http-connect mode, proxy-server sends OK 200 after successfully hijacking the connection from the client ([link to code](https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/3737fb2ee2a985e8efd5829891cf838b474a1c85/pkg/server/tunnel.go#L57-#L69)). This forces the connection to be in tunnel mode as per the HTTP CONNECT [protocol](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/CONNECT):

```
The request target is unique to this method in that it consists of only the host and port number of the tunnel destination, separated by a colon (see [Syntax](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Methods/CONNECT#syntax) for details). Any [2XX successful response status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status#successful_responses) means that the proxy will switch to 'tunnel mode' and any data in the success response body is from the server identified by the request target.
```

This behaviour is incorrect and it can be reproduced by dialing to a blackhole IP address or any other address that we know the agent will fail in dialing to.
Reproducing setup

Start server

```
./bin/proxy-server --mode=http-connect --server-ca-cert=certs/frontend/issued/ca.crt --server-cert=certs/frontend/issued/proxy-frontend.crt --server-key=certs/frontend/private/proxy-frontend.key --cluster-ca-cert=certs/agent/issued/ca.crt --cluster-cert=certs/agent/issued/proxy-frontend.crt --cluster-key=certs/agent/private/proxy-frontend.key
```

Start agent

```
./bin/proxy-agent --ca-cert=certs/agent/issued/ca.crt --agent-cert=certs/agent/issued/proxy-agent.crt --agent-key=certs/agent/private/proxy-agent.key
```

Test-client

```
./bin/proxy-test-client --mode=http-connect --proxy-host=127.0.0.1 --ca-cert=certs/frontend/issued/ca.crt --client-cert=certs/frontend/issued/proxy-client.crt --client-key=certs/frontend/private/proxy-client.key --request-host=192.18.0.254 --request-path="" --request-port=1234 --request-proto=https
```

Response sent to the client:

```
❯ ./bin/proxy-test-client --mode=http-connect --proxy-host=127.0.0.1 --ca-cert=certs/frontend/issued/ca.crt --client-cert=certs/frontend/issued/proxy-client.crt --client-key=certs/frontend/private/proxy-client.key --request-host=192.18.0.254 --request-path="" --request-port=1234 --request-proto=https
I0809 01:58:00.335502 1375650 main.go:115] ClientCert set to "certs/frontend/issued/proxy-client.crt".
I0809 01:58:00.335540 1375650 main.go:116] ClientKey set to "certs/frontend/private/proxy-client.key".
I0809 01:58:00.335549 1375650 main.go:117] CACert set to "certs/frontend/issued/ca.crt".
I0809 01:58:00.335556 1375650 main.go:118] RequestProto set to "https".
I0809 01:58:00.335563 1375650 main.go:119] RequestPath set to "".
I0809 01:58:00.335570 1375650 main.go:120] RequestHost set to "192.18.0.254".
I0809 01:58:00.335578 1375650 main.go:121] RequestPort set to 1234.
I0809 01:58:00.335585 1375650 main.go:122] ProxyHost set to "127.0.0.1".
I0809 01:58:00.335590 1375650 main.go:123] ProxyPort set to 8090.
I0809 01:58:00.335597 1375650 main.go:124] ProxyUdsName set to "".
I0809 01:58:00.335603 1375650 main.go:125] TestRequests set to '\x01'.
I0809 01:58:00.335611 1375650 main.go:126] TestDelaySec set to 0.
I0809 01:58:00.335618 1375650 main.go:127] AfterDelaySec set to 0.
I0809 01:58:00.335626 1375650 main.go:128] CloseIdleConn set to true.
E0809 01:58:05.342972 1375650 main.go:317] Failed request failed to send request to client, got Get "https://192.18.0.254:1234": http: server gave HTTP response to HTTPS client
Error: failed to send request to client, got Get "https://192.18.0.254:1234": http: server gave HTTP response to HTTPS client
E0809 01:58:05.342995 1375650 main.go:64] error: failed to send request to client, got Get "https://192.18.0.254:1234": http: server gave HTTP response to HTTPS client
```

Which is incorrect, we should first of all not be sending 200/OK before establishing the outbound connection. Even after delaying the response, the client should not be getting that error response. The blanket error response of 503 that's sent [here](https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/3737fb2ee2a985e8efd5829891cf838b474a1c85/pkg/server/server.go#L125-#L134) is incorrect. Appropriate error mapping is required.