Merge pull request #14 from bbrowning/http-403-for-blocked-connect

bbrowning · web-flow · commit 850c235d8a04 · 2026-04-02T16:14:08.000-04:00
Return HTTP 403 for blocked CONNECT requests to stop client retry storms
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -174,6 +174,10 @@ func (cf *ClientFilter) String() string {
 	return strings.Join(parts, ", ")
 }
 
+// rejectMsg is the generic response body for all rejected requests (CONNECT and plain HTTP).
+// Intentionally vague to avoid revealing why the request was blocked.
+const rejectMsg = "Request blocked by proxy policy"
+
 // Config holds proxy configuration.
 type Config struct {
 	ListenAddr    string
@@ -219,6 +223,7 @@ func New(cfg Config) *http.Server {
 				srcIP := parseClientIP(ctx)
 				if srcIP == nil || !cfg.ClientFilter.IsAllowed(srcIP) {
 					log.Printf("CLIENT_REJECTED CONNECT %s from %s (not in allowed clients)", host, clientIP(ctx))
+					ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)
 					return rejectConnect, host
 				}
 			}
@@ -232,6 +237,7 @@ func New(cfg Config) *http.Server {
 				if cfg.BlockedLogger != nil {
 					cfg.BlockedLogger.Log(clientIP(ctx), "CONNECT", host)
 				}
+				ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)
 				return rejectConnect, host
 			}
 
@@ -240,6 +246,7 @@ func New(cfg Config) *http.Server {
 				if cfg.BlockedLogger != nil {
 					cfg.BlockedLogger.Log(clientIP(ctx), "CONNECT", host)
 				}
+				ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)
 				return rejectConnect, host
 			}
 
@@ -264,7 +271,7 @@ func New(cfg Config) *http.Server {
 					return req, goproxy.NewResponse(req,
 						goproxy.ContentTypeText,
 						http.StatusForbidden,
-						"Client IP not allowed by proxy policy",
+						rejectMsg,
 					)
 				}
 			}
@@ -284,7 +291,7 @@ func New(cfg Config) *http.Server {
 					return req, goproxy.NewResponse(req,
 						goproxy.ContentTypeText,
 						http.StatusForbidden,
-						"Port not allowed by proxy policy",
+						rejectMsg,
 					)
 				}
 			}
@@ -298,7 +305,7 @@ func New(cfg Config) *http.Server {
 				return req, goproxy.NewResponse(req,
 					goproxy.ContentTypeText,
 					http.StatusForbidden,
-					"Domain not allowed by proxy policy",
+					rejectMsg,
 				)
 			}
 

Original file line number	Diff line number	Diff line change
`@@ -174,6 +174,10 @@ func (cf *ClientFilter) String() string {`
`174`	`174`	`return strings.Join(parts, ", ")`
`175`	`175`	`}`
`176`	`176`
	`177`	`+// rejectMsg is the generic response body for all rejected requests (CONNECT and plain HTTP).`
	`178`	`+// Intentionally vague to avoid revealing why the request was blocked.`
	`179`	`+const rejectMsg = "Request blocked by proxy policy"`
	`180`	`+`
`177`	`181`	`// Config holds proxy configuration.`
`178`	`182`	`type Config struct {`
`179`	`183`	`ListenAddr string`
`@@ -219,6 +223,7 @@ func New(cfg Config) *http.Server {`
`219`	`223`	`srcIP := parseClientIP(ctx)`
`220`	`224`	`if srcIP == nil \|\| !cfg.ClientFilter.IsAllowed(srcIP) {`
`221`	`225`	`log.Printf("CLIENT_REJECTED CONNECT %s from %s (not in allowed clients)", host, clientIP(ctx))`
	`226`	`+ ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)`
`222`	`227`	`return rejectConnect, host`
`223`	`228`	`}`
`224`	`229`	`}`
`@@ -232,6 +237,7 @@ func New(cfg Config) *http.Server {`
`232`	`237`	`if cfg.BlockedLogger != nil {`
`233`	`238`	`cfg.BlockedLogger.Log(clientIP(ctx), "CONNECT", host)`
`234`	`239`	`}`
	`240`	`+ ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)`
`235`	`241`	`return rejectConnect, host`
`236`	`242`	`}`
`237`	`243`
`@@ -240,6 +246,7 @@ func New(cfg Config) *http.Server {`
`240`	`246`	`if cfg.BlockedLogger != nil {`
`241`	`247`	`cfg.BlockedLogger.Log(clientIP(ctx), "CONNECT", host)`
`242`	`248`	`}`
	`249`	`+ ctx.Resp = goproxy.NewResponse(ctx.Req, goproxy.ContentTypeText, http.StatusForbidden, rejectMsg)`
`243`	`250`	`return rejectConnect, host`
`244`	`251`	`}`
`245`	`252`
`@@ -264,7 +271,7 @@ func New(cfg Config) *http.Server {`
`264`	`271`	`return req, goproxy.NewResponse(req,`
`265`	`272`	`goproxy.ContentTypeText,`
`266`	`273`	`http.StatusForbidden,`
`267`		`- "Client IP not allowed by proxy policy",`
	`274`	`+ rejectMsg,`
`268`	`275`	`)`
`269`	`276`	`}`
`270`	`277`	`}`
`@@ -284,7 +291,7 @@ func New(cfg Config) *http.Server {`
`284`	`291`	`return req, goproxy.NewResponse(req,`
`285`	`292`	`goproxy.ContentTypeText,`
`286`	`293`	`http.StatusForbidden,`
`287`		`- "Port not allowed by proxy policy",`
	`294`	`+ rejectMsg,`
`288`	`295`	`)`
`289`	`296`	`}`
`290`	`297`	`}`
`@@ -298,7 +305,7 @@ func New(cfg Config) *http.Server {`
`298`	`305`	`return req, goproxy.NewResponse(req,`
`299`	`306`	`goproxy.ContentTypeText,`
`300`	`307`	`http.StatusForbidden,`
`301`		`- "Domain not allowed by proxy policy",`
	`308`	`+ rejectMsg,`
`302`	`309`	`)`
`303`	`310`	`}`
`304`	`311`