From 77ae17d23b43f143db6d3e1447f5eb5b0311c872 Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Mon, 13 Sep 2021 13:53:19 -0600
Subject: [PATCH] tcptunnel: force the use of HTTP/1.1 during ALPN (#2593)
* tcptunnel: force the use of HTTP/1.1 during ALPN
* remove unused code
---
 go.mod | 2 +-
 internal/tcptunnel/config.go | 4 ++++
 internal/tcptunnel/tcptunnel_test.go | 21 +++++++++++++++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 6647ca5c2..0f8e6171b 100644
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,6 @@ require (
 github.com/prometheus/client_model v0.2.0
 github.com/prometheus/common v0.30.0
 github.com/prometheus/procfs v0.7.3
- github.com/prometheus/statsd_exporter v0.21.0 // indirect
 github.com/rjeczalik/notify v0.9.3-0.20201210012515-e2a77dcc14cf
 github.com/rs/cors v1.8.0
 github.com/rs/zerolog v1.24.0
@@ -198,6 +197,7 @@ require (
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/polyfloyd/go-errorlint v0.0.0-20210722154253-910bb7978349 // indirect
+ github.com/prometheus/statsd_exporter v0.21.0 // indirect
 github.com/quasilyte/go-ruleguard v0.3.4 // indirect
 github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95 // indirect
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
diff --git a/internal/tcptunnel/config.go b/internal/tcptunnel/config.go
index a445efe6c..aead3e3df 100644
--- a/internal/tcptunnel/config.go
+++ b/internal/tcptunnel/config.go
@@ -56,6 +56,10 @@ func WithProxyHost(proxyHost string) Option {
 // WithTLSConfig returns an option to configure the tls config.
 func WithTLSConfig(tlsConfig *tls.Config) Option {
 return func(cfg *config) {
+ if tlsConfig != nil {
+ tlsConfig = tlsConfig.Clone()
+ tlsConfig.NextProtos = []string{"http/1.1"} // disable http/2 in ALPN
+ }
 cfg.tlsConfig = tlsConfig
 }
 }
diff --git a/internal/tcptunnel/tcptunnel_test.go b/internal/tcptunnel/tcptunnel_test.go
index 54b7855f4..0170ba42c 100644
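Review bot: In internal/tcptunnel/config.go the doc comment on WithTLSConfig still only says it configures the tls config, while the new body clones the argument and replaces NextProtos, so any ALPN list the caller supplied is silently discarded. I would state that in the comment, e.g. `// WithTLSConfig returns an option to configure the tls config. The config is cloned and its NextProtos is replaced with http/1.1, so the tunnel never negotiates HTTP/2.` The nil branch leaves cfg.tlsConfig nil; if the tunnel builds a default TLS config elsewhere for that case (not visible in this hunk), that path would presumably not get the ALPN restriction and is worth confirming.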
--- a/internal/tcptunnel/tcptunnel_test.go
+++ b/internal/tcptunnel/tcptunnel_test.go
@@ -4,6 +4,7 @@ import (
 "bufio"
 "bytes"
 "context"
+ "crypto/tls"
 "io"
 "net"
 "net/http"
@@ -89,3 +90,23 @@ type readWriter struct {
 io.Reader
 io.Writer
 }
+
+func TestForceHTTP1(t *testing.T) {
+ tunnel := New(WithTLSConfig(&tls.Config{
+ InsecureSkipVerify: true,
+ }))
+
+ var protocol string
+ srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ protocol = r.Proto
+ }))
+
+ client := &http.Client{
+ Transport: &http.Transport{
+ TLSClientConfig: tunnel.cfg.tlsConfig,
+ },
+ }
+ _, _ = client.Get(srv.URL)
+
+ assert.Equal(t, "HTTP/1.1", protocol)
+}
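Review bot: TestForceHTTP1 appears to pass with or without the config.go change: httptest.NewTLSServer does not offer h2 unless EnableHTTP2 is set, and an http.Transport with a custom TLSClientConfig does not attempt HTTP/2 unless ForceAttemptHTTP2 is set, so r.Proto is HTTP/1.1 either way. The test also never closes srv and discards both the error and the response from client.Get, so a failed request only shows up as an empty protocol string. I would have the server advertise both h2 and http/1.1, run a TLS handshake with tunnel.cfg.tlsConfig, and assert on the negotiated ALPN protocol, as sketched below.

```go
func TestForceHTTP1(t *testing.T) {
	// … unchanged: tunnel := New(WithTLSConfig(...)) …

	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	// Offer h2 first so the result depends on the client's ALPN list.
	srv.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
	srv.StartTLS()
	defer srv.Close()

	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), tunnel.cfg.tlsConfig)
	if !assert.NoError(t, err) {
		return
	}
	defer conn.Close()

	assert.Equal(t, "http/1.1", conn.ConnectionState().NegotiatedProtocol)
}
```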