Merge pull request #8311 from bcxpro/8276-http2-settings-frame-issue

Nino-K · web-flow · commit e199e155bdb6 · 2025-03-03T19:02:22.000-08:00
fix: ensure reverse proxy buffered data is forwarded during HTTP/2 protocol upgrades
diff --git a/src/go/wsl-helper/pkg/dockerproxy/util/reverse_proxy.go b/src/go/wsl-helper/pkg/dockerproxy/util/reverse_proxy.go
@@ -107,13 +107,13 @@ func (proxy *ReverseProxy) forwardRequest(w http.ResponseWriter, r *http.Request
 	}
 
 	// Read the response from the backend
-	backendResponse, err := http.ReadResponse(bufio.NewReader(backendConn), newReq)
+	bufferedReader := bufio.NewReader(backendConn)
+	backendResponse, err := http.ReadResponse(bufferedReader, newReq)
 	if err != nil {
 		proxy.sendError(w, "failed to read the response from the backend: "+err.Error(), http.StatusBadGateway)
 		return
 	}
 	defer backendResponse.Body.Close()
-
 	// ModifyResponse function
 	// Allows post-processing of the backend response
 	if proxy.ModifyResponse != nil {
@@ -137,7 +137,16 @@ func (proxy *ReverseProxy) forwardRequest(w http.ResponseWriter, r *http.Request
 
 	// Check if the response has a status code of 101 (Switching Protocols)
 	if backendResponse.StatusCode == http.StatusSwitchingProtocols {
-		proxy.handleUpgradedConnection(w, backendConn)
+		// When reading the response, the buffered reader may have consumed part of the body
+		// beyond the headers. We need to recover these overread bytes and ensure they are
+		// sent to the client immediately after hijacking the connection.
+		bufferedBytesLen := bufferedReader.Buffered()
+		pendingResponseBytes, err := bufferedReader.Peek(bufferedBytesLen)
+		if err != nil {
+			proxy.logf("failed to peek for buffered bytes: %v", err)
+			return
+		}
+		proxy.handleUpgradedConnection(w, backendConn, pendingResponseBytes)
 		return
 	}
 
@@ -156,9 +165,9 @@ func (proxy *ReverseProxy) forwardRequest(w http.ResponseWriter, r *http.Request
 //
 // This method:
 // - Hijacks the existing connection
-// - Manages buffered data
+// - Handling any buffered data that was overread during the initial response parsing
 // - Enables bidirectional communication after protocol upgrade
-func (proxy *ReverseProxy) handleUpgradedConnection(w http.ResponseWriter, backendConn net.Conn) {
+func (proxy *ReverseProxy) handleUpgradedConnection(w http.ResponseWriter, backendConn net.Conn, pendingResponseBytes []byte) {
 	// Cast writer to safely hijack the connection
 	hijacker, ok := w.(http.Hijacker)
 	if !ok {
@@ -201,6 +210,14 @@ func (proxy *ReverseProxy) handleUpgradedConnection(w http.ResponseWriter, backe
 		}
 	}
 
+	// After hijacking the connection, send any pending bytes that were overread by the buffered reader
+	// during the initial response parsing. This ensures no data is lost during the protocol upgrade.
+	_, err = clientConn.Write(pendingResponseBytes)
+	if err != nil {
+		proxy.logf("failed to write pending response data the client: %v", err)
+		return
+	}
+
 	// Cast backend and client connections to HalfReadWriteCloser
 	var halfCloserBackendConn HalfReadWriteCloser
 	var halfCloserClientConn HalfReadWriteCloser
