fix(miniflare): monkey-patch TwistedGateway to disable HTTP/2 via ALPN

When the `h2` Python package is installed, Twisted's Site.acceptableProtocols()
advertises h2 first. ALPN then negotiates HTTP/2 for HTTPS connections, but
LocalStack's WSGI-based gateway pipeline is incompatible with HTTP/2 frames,
causing requests to fall through to the S3 legacy catch-all (NoSuchBucket).

Override TwistedGateway.acceptableProtocols() to return only [b"http/1.1"]
until HTTP/2 is properly supported upstream in rolo/localstack-core.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: whummer

miniflare/miniflare/extension.py

@@ -31,9 +31,74 @@
 WRANGLER_VERSION = "3.1.0"
 
 
+def _patch_tls_disable_http2():
+    """
+    Monkey-patch LocalStack's Twisted gateway to stop advertising HTTP/2 (h2) via ALPN,
+    so that all HTTPS connections always negotiate HTTP/1.1.
+
+    ROOT CAUSE
+    ----------
+    twisted.web.server.Site.acceptableProtocols() returns [b"h2", b"http/1.1"] whenever the
+    `h2` Python package is installed (H2_ENABLED = True in twisted.web.http). LocalStack's
+    TwistedGateway inherits from Site, so it also advertises h2.
+
+    During TLS connection setup, TLSMemoryBIOFactory._createConnection() calls
+    _applyProtocolNegotiation(), which reads wrappedFactory.acceptableProtocols() and
+    installs an ALPN select callback that prefers the first listed protocol. Because h2 is
+    first, any TLS client that sends h2 in its ALPN extension (modern browsers, Node.js
+    fetch/undici, httpx with http2=True, etc.) will have h2 selected.
+
+    After ALPN selects h2, Twisted's _GenericHTTPChannelProtocol.dataReceived() detects
+    `negotiatedProtocol == b"h2"` and swaps the underlying channel for an H2Connection
+    (twisted.web.http2.H2Connection). H2Connection handles raw HTTP/2 frames and produces
+    Request objects via Site.requestFactory, but LocalStack's gateway pipeline is built
+    around rolo's WsgiGateway → WSGI environ → LocalstackAwsGateway. The H2Connection
+    request/response lifecycle (streams, flow control, DATA frames) is incompatible with
+    WSGI, so HTTP/2 requests are processed incorrectly.
+
+    The symptom is that HTTPS requests to extension paths (e.g. /miniflare/user) appear
+    to return NoSuchBucket from S3 or are silently dropped, because the garbled HTTP/2
+    frames fail to match any registered route and fall through to the legacy_s3_rules
+    catch-all in localstack-core/localstack/aws/protocol/service_router.py:
+        if method in ["GET", "HEAD"] and stripped:
+            return ServiceModelIdentifier("s3")  # incredibly greedy fallback
+
+    HOW THIS PATCH FIXES IT
+    -----------------------
+    We override TwistedGateway.acceptableProtocols() to return only [b"http/1.1"].
+    This propagates through _applyProtocolNegotiation() so the ALPN select callback
+    never picks h2. Clients then use HTTP/1.1 over TLS, which works correctly end-to-end
+    with LocalStack's WSGI-based gateway.
+
+    TODO: remove this patch once HTTP/2 is properly supported in LocalStack's Twisted
+    serving stack. The fix belongs upstream in rolo (TwistedGateway) or localstack-core
+    (TLSMultiplexer / TwistedRuntimeServer). Proper HTTP/2 support would require
+    integrating H2Connection's stream-based request lifecycle with rolo's gateway model,
+    likely via an ASGI-style adapter rather than WSGI.
+    See: https://github.com/localstack/localstack-extensions/issues (track upstream fix here)
+    """
+    try:
+        from rolo.serving.twisted import TwistedGateway
+
+        if getattr(TwistedGateway, "_http2_disabled_by_patch", False):
+            return
+
+        def _http11_only_protocols(self):
+            return [b"http/1.1"]
+
+        TwistedGateway.acceptableProtocols = _http11_only_protocols
+        TwistedGateway._http2_disabled_by_patch = True
+        LOG.debug("Applied TLS ALPN patch: disabled h2 advertisement for HTTPS connections")
+    except Exception as e:
+        LOG.warning("Could not apply TLS ALPN patch for HTTPS routing fix: %s", e)
+
+
 class MiniflareExtension(Extension):
     name = "miniflare"
 
+    def on_extension_load(self):
+        _patch_tls_disable_http2()
+
     def update_gateway_routes(self, router: http.Router[http.RouteHandler]):
         from miniflare.config import HANDLER_PATH_MINIFLARE