fix(handler/http2): apply traffic limiter + stats to forward proxy path, decouple auth I/O, add idle timeout

- Wrap non-CONNECT upstream with traffic_wrapper and stats_wrapper (was only on CONNECT path)
- Write 503 error response on forwardRequest failure instead of silent connection close
- Decouple resp.Header from w.Header() to prevent metadata header leakage/doubling in 407 responses
- Return pipeTo signal from authenticate instead of dialing inline (matches http handler pattern)
- Add idleTimeout metadata field and pass to xnet.Pipe for CONNECT tunnels
- Add 4 tests for probe resistance host forwarding and knock bypass
This commit is contained in:
ginuerzh
2026-05-30 20:06:56 +08:00
parent 6ccaae0573
commit e543c0b0fd
6 changed files with 144 additions and 30 deletions
+3 -2
View File
@@ -17,9 +17,10 @@
// ├─ decodeServerName (GOST 2.x compatibility headers)
// ├─ authenticate (basic proxy auth + probe resistance)
// ├─ bypass check
// ├─ set metadata response headers
// ├─ Router.Dial (connect to upstream)
// ├─ forwardRequest (non-CONNECT: proxy a single request)
// └─ CONNECT tunnel (bi-directional pipe)
// ├─ forwardRequest (non-CONNECT: wrap with traffic limiter + stats, proxy request + error response on failure)
// └─ CONNECT tunnel (bi-directional pipe with idle timeout)
package http2
import (