Skip to content

fix(proxy): downgrade forwarded requests to HTTP/1.1#455

Open
iain wants to merge 1 commit into
endevco:mainfrom
iain:fix/proxy-h2-downgrade
Open

fix(proxy): downgrade forwarded requests to HTTP/1.1#455
iain wants to merge 1 commit into
endevco:mainfrom
iain:fix/proxy-h2-downgrade

Conversation

@iain
Copy link
Copy Markdown

@iain iain commented May 30, 2026

Over TLS the proxy advertises h2 via ALPN (added in v2.10.0), so browsers connect with HTTP/2. proxy_handler strips the HTTP/2 pseudo-headers but forwards the request still tagged HTTP/2 to the upstream forward client, which connects to daemons over cleartext and is not HTTP/2-capable. The client rejects it with UserUnsupportedVersion, so every HTTP/1.1 backend (e.g. a Vite dev server) returns 502 through the HTTPS proxy.

Normalize the forwarded request to HTTP/1.1 before sending it upstream.

Repro with proxy.https = true:

  • curl https://<slug>.localhost/ → 502
  • curl --http1.1 https://<slug>.localhost/ → 200

This PR was created with Claude Code.

@iain
fix(proxy): downgrade forwarded requests to HTTP/1.1
9472b19 
Over TLS the proxy negotiates HTTP/2 inbound via ALPN, but the upstream
forward client connects to daemons over cleartext and the dev servers it
targets speak HTTP/1.1. The request was forwarded still tagged HTTP/2, so
the client attempted h2 to the backend and failed with
UserUnsupportedVersion, surfacing as a 502 — every HTTP/1.1 backend (e.g.
a Vite dev server) was unreachable through the HTTPS proxy. Normalize the
request version to HTTP/1.1 before forwarding.
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented May 30, 2026

Greptile Summary

Sets the forwarded request's HTTP version to HTTP_11 before passing it to the upstream cleartext client, fixing a 502 regression introduced when ALPN h2 negotiation was added and browsers started sending HTTP/2 requests that the backend client couldn't handle.

  • The one-line fix (*req.version_mut() = axum::http::Version::HTTP_11) is placed after pseudo-header stripping and before the upgrade handle is extracted — both orderings are correct.
  • No CONNECT tunnelling or WebSocket upgrade path is affected; those flows already rely on HTTP/1.1 semantics and the existing SWITCHING_PROTOCOLS branch handles them downstream.

Confidence Score: 5/5

Safe to merge — the change is a single targeted line that corrects a version mismatch between inbound HTTP/2 connections and the cleartext HTTP/1.1 upstream client.

The fix is minimal and precisely scoped: one assignment corrects the protocol version before the request is forwarded. The forward URI already uses the http scheme (cleartext), confirming the upstream client was never capable of HTTP/2. WebSocket upgrade and pseudo-header stripping paths are unaffected. No logic is rearranged and no new code paths are introduced.

No files require special attention.

Important Files Changed

Filename Overview
src/proxy/server.rs Adds a single line to downgrade forwarded request version to HTTP/1.1 before passing it to the cleartext upstream client; fix is placed correctly after pseudo-header stripping and before the upgrade handle is extracted.

Reviews (1): Last reviewed commit: "fix(proxy): downgrade forwarded requests..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iain