fix(sandbox): relay WebSocket frames after HTTP 101 Switching Protocols#1
Open
davidpeden3 wants to merge 1 commit intomainfrom
Open
fix(sandbox): relay WebSocket frames after HTTP 101 Switching Protocols#1davidpeden3 wants to merge 1 commit intomainfrom
davidpeden3 wants to merge 1 commit intomainfrom
Conversation
The L7 REST proxy treats 101 Switching Protocols as a generic 1xx informational response via is_bodiless_response(), forwarding the headers and returning to the HTTP parsing loop. After a 101, the connection has been upgraded (e.g. to WebSocket) and subsequent bytes are protocol frames, not HTTP requests. The relay loop either blocks or silently drops them. This patch: - Adds RelayOutcome::Upgraded variant to signal protocol upgrades - Detects 101 responses before the generic 1xx handler in relay_response(), capturing any overflow bytes read past the headers - Switches relay_rest() and relay_passthrough_with_credentials() to raw bidirectional TCP copy (tokio::io::copy_bidirectional) after receiving an Upgraded outcome - Adds a test verifying 101 response handling and overflow capture This enables WebSocket connections (OpenClaw node meshes, Discord/Slack bots) to work from inside fully sandboxed environments. Fixes: NVIDIA#652 Related: NVIDIA/NemoClaw#409 Signed-off-by: David Peden <davidpeden3@gmail.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the egress proxy dropping WebSocket frames after a successful HTTP CONNECT + 101 Switching Protocols response. The L7 REST relay treated 101 as a generic 1xx informational response, forwarding headers then returning to the HTTP parsing loop — which blocks or drops the subsequent WebSocket/upgraded protocol frames.
Related Issue
Changes
provider.rs: AddedRelayOutcomeenum withReusable,Consumed, andUpgraded { overflow }variants to replace theboolreturn from relay methodsrest.rs: Detect 101 before the generic 1xx handler inrelay_response(), forward headers to client, capture overflow bytes, returnUpgradedoutcome. Updatedrelay_http_request_with_resolverto returnRelayOutcome. Updated all tests for new return type.relay.rs:relay_rest()andrelay_passthrough_with_credentials()switch totokio::io::copy_bidirectionalonUpgradedoutcome, forwarding any overflow bytes firstTesting
relay_response_101_switching_protocols_returns_overflowvalidates 101 detection, header forwarding, and overflow captureChecklist
cargo test --package openshell-sandbox)