Skip to content

http(proxy): preserve TLS record ordering in proxy tunnel writes #22417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 17 commits into from
Sep 11, 2025
+46 −0
Merged

http(proxy): preserve TLS record ordering in proxy tunnel writes #22417

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
bc3bf94
http(proxy): preserve TLS record ordering in proxy tunnel writes to a…
avarayr Sep 5, 2025
9adfe6a
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 5, 2025
b6bb9c5
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 5, 2025
82641ca
Update src/http/ProxyTunnel.zig
avarayr Sep 6, 2025
890d79e
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 6, 2025
14d387a
[autofix.ci] apply automated fixes
autofix-ci[bot] Sep 6, 2025
eb763fd
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 6, 2025
50b12b9
Merge branch 'oven-sh:main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 6, 2025
ece5fd4
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 7, 2025
eaf329f
chore: Add test for HTTPS over HTTP proxy preserving TLS record order…
avarayr Sep 7, 2025
30bd722
Update test/js/bun/http/proxy.test.ts
avarayr Sep 7, 2025
f177417
refactor: Update test for HTTPS over HTTP proxy to use smaller body s…
avarayr Sep 7, 2025
7183156
refactor: Update body allocation in HTTPS over HTTP proxy test to use…
avarayr Sep 7, 2025
3bc74cf
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 8, 2025
c5a413a
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 9, 2025
ea42e59
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 9, 2025
5d7ea1b
Merge branch 'main' into claude/proxy-tunnel-tls-ordering
avarayr Sep 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions src/http/ProxyTunnel.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,12 @@ fn onHandshake(this: *HTTPClient, handshake_success: bool, ssl_error: uws.us_bun

pub fn write(this: *HTTPClient, encoded_data: []const u8) void {
if (this.proxy_tunnel) |proxy| {
// Preserve TLS record ordering: if any encrypted bytes are buffered,
// enqueue new bytes and flush them in FIFO via onWritable.
if (proxy.write_buffer.isNotEmpty()) {
bun.handleOom(proxy.write_buffer.write(encoded_data));
return;
}
const written = switch (proxy.socket) {
.ssl => |socket| socket.write(encoded_data),
.tcp => |socket| socket.write(encoded_data),
Expand Down
40 changes: 40 additions & 0 deletions test/js/bun/http/proxy.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,3 +261,43 @@ test("axios with https-proxy-agent", async () => {
// did we got proxied?
expect(httpProxyServer.log).toEqual([`CONNECT localhost:${httpsServer.port}`]);
});

test("HTTPS over HTTP proxy preserves TLS record order with large bodies", async () => {
// Create a custom HTTPS server that returns body size for this test
using customServer = Bun.serve({
port: 0,
tls: tlsCert,
async fetch(req) {
// return the body size
const buf = await req.arrayBuffer();
return new Response(String(buf.byteLength), { status: 200 });
},
});

// Test with multiple body sizes to ensure TLS record ordering is preserved
// also testing several times because it's flaky otherwise
const testCases = [
16 * 1024 * 1024, // 16MB
32 * 1024 * 1024, // 32MB
];

for (const size of testCases) {
const body = new Uint8Array(size).fill(0x61); // 'a'

const response = await fetch(customServer.url, {
method: "POST",
proxy: httpProxyServer.url,
headers: { "Content-Type": "application/octet-stream" },
body,
keepalive: false,
tls: { ca: tlsCert.cert, rejectUnauthorized: false },
});

expect(response.ok).toBe(true);
expect(response.status).toBe(200);
const result = await response.text();

// recvd body size should exactly match the sent body size
expect(result).toBe(String(size));
}
});