fix(handler/http2): apply traffic limiter + stats to forward proxy path, decouple auth I/O, add idle timeout

- Wrap non-CONNECT upstream with traffic_wrapper and stats_wrapper (was only on CONNECT path)
- Write 503 error response on forwardRequest failure instead of silent connection close
- Decouple resp.Header from w.Header() to prevent metadata header leakage/doubling in 407 responses
- Return pipeTo signal from authenticate instead of dialing inline (matches http handler pattern)
- Add idleTimeout metadata field and pass to xnet.Pipe for CONNECT tunnels
- Add 4 tests for probe resistance host forwarding and knock bypass
This commit is contained in:
ginuerzh
2026-05-30 20:06:56 +08:00
parent 6ccaae0573
commit e543c0b0fd
6 changed files with 144 additions and 30 deletions
+3
View File
@@ -20,6 +20,7 @@ type metadata struct {
authBasicRealm string
observerPeriod time.Duration
observerResetTraffic bool
idleTimeout time.Duration
limiterRefreshInterval time.Duration
limiterCleanupInterval time.Duration
@@ -55,6 +56,8 @@ func (h *http2Handler) parseMetadata(md mdata.Metadata) {
}
h.md.observerResetTraffic = mdutil.GetBool(md, "observer.resetTraffic")
h.md.idleTimeout = mdutil.GetDuration(md, "readTimeout", "read.timeout")
h.md.limiterRefreshInterval = mdutil.GetDuration(md, "limiter.refreshInterval")
h.md.limiterCleanupInterval = mdutil.GetDuration(md, "limiter.cleanupInterval")
}