Fix unintended redirection on H2 requests

pimterry · pimterry · commit f20635ccd005 · 2026-03-17T16:31:58.000+01:00
diff --git a/src/http-handler.ts b/src/http-handler.ts
@@ -1,4 +1,3 @@
-import { TLSSocket } from 'tls';
 import * as http from 'http';
 import * as http2 from 'http2';
 import { MaybePromise, StatusError } from '@httptoolkit/util';
@@ -53,7 +52,9 @@ function createHttpRequestHandler(options: {
     rootDomain: string
 }): RequestHandler {
     return async function handleRequest(req, res) {
-        const protocol = `http${req.socket instanceof TLSSocket ? 's' : ''}`;
+        const socket = req.socket as any;
+        const isHttps = socket.encrypted || socket.stream?.encrypted;
+        const protocol = isHttps ? 'https' : 'http';
 
         if (!req.url!.startsWith('/')) {
             // Absolute URL. Block requests unless they're for us personally. We
diff --git a/src/process-connection.ts b/src/process-connection.ts
@@ -44,6 +44,7 @@ class DataCapturingStream extends stream.Duplex {
     readonly remotePort: number | undefined;
     readonly localAddress: string | undefined;
     readonly localPort: number | undefined;
+    readonly encrypted: boolean;
 
     constructor(private wrapped: stream.Duplex, initialData?: Buffer) {
         super();
@@ -52,6 +53,7 @@ class DataCapturingStream extends stream.Duplex {
         this.remotePort = (wrapped as any).remotePort;
         this.localAddress = (wrapped as any).localAddress;
         this.localPort = (wrapped as any).localPort;
+        this.encrypted = (wrapped as any).encrypted ?? false;
         this[PROXY_PROTOCOL] = wrapped[PROXY_PROTOCOL];
 
         wrapped.on('error', (err) => this.emit('error', err));
diff --git a/test/tls-required.spec.ts b/test/tls-required.spec.ts
@@ -1,4 +1,5 @@
 import * as net from 'net';
+import * as http2 from 'http2';
 import { expect } from 'chai';
 import { DestroyableServer, makeDestroyable } from 'destroyable-server';
 
@@ -104,4 +105,25 @@ describe("TLS-required endpoints over plain HTTP", () => {
         expect(response.status).to.equal(200);
     });
 
+    it("does not redirect HTTP/2+TLS requests for TLS subdomains", async () => {
+        const client = http2.connect(`https://localhost:${serverPort}`, {
+            rejectUnauthorized: false
+        });
+
+        const response = await new Promise<{ status: number | undefined }>((resolve, reject) => {
+            const req = client.request({
+                ':authority': 'http2.localhost',
+                ':path': '/json'
+            });
+            req.on('response', (headers) => {
+                resolve({ status: headers[':status'] });
+            });
+            req.on('error', reject);
+            req.end();
+        });
+        client.close();
+
+        expect(response.status).to.equal(200);
+    });
+
 });
