fix(ws): preserve wss:// protocol and fix error handling in proxyUpgrade

- Preserve TLS protocol from addr string in `_buildTargetURL` so wss:// and https:// targets use HTTPS upstream instead of silently falling back to plain HTTP
- Consume upstream response body (`res.resume()`) when client socket is already destroyed to prevent unhandled stream errors (both proxyUpgrade and server ws-incoming)
- Remove pre-upgrade error listener after successful upgrade in server ws-incoming stream pass to avoid spurious error events and pointless proxyReq.destroy()

Author: pi0

src/middleware/ws-incoming.ts

@@ -98,15 +98,20 @@ export const stream = defineProxyMiddleware<Socket>(
       // if upgrade event isn't going to happen, close the socket
       // guard against writing to an already-destroyed socket
       // (https://github.com/http-party/node-http-proxy/pull/1433)
-      if (!(res as any).upgrade && !socket.destroyed && socket.writable) {
-        socket.write(
-          createHttpHeader(
-            "HTTP/" + res.httpVersion + " " + res.statusCode + " " + res.statusMessage,
-            res.headers,
-          ),
-        );
-        res.on("error", onOutgoingError);
-        res.pipe(socket);
+      if (!(res as any).upgrade) {
+        if (!socket.destroyed && socket.writable) {
+          socket.write(
+            createHttpHeader(
+              "HTTP/" + res.httpVersion + " " + res.statusCode + " " + res.statusMessage,
+              res.headers,
+            ),
+          );
+          res.on("error", onOutgoingError);
+          res.pipe(socket);
+        } else {
+          // Socket already gone — consume response to avoid unhandled stream errors
+          res.resume();
+        }
       }
     });
 
@@ -118,6 +123,10 @@ export const stream = defineProxyMiddleware<Socket>(
         server.emit("close", proxyRes, proxySocket, proxyHead);
       });
 
+      // Remove the pre-upgrade error handler — it calls proxyReq.destroy()
+      // which is pointless after upgrade and emits a spurious error event.
+      socket.removeListener("error", onSocketError);
+
       // The pipe below will end proxySocket if socket closes cleanly, but not
       // if it errors (eg, vanishes from the net and starts returning
       // EHOSTUNREACH). We need to do that explicitly.

src/ws.ts

@@ -96,6 +96,12 @@ export function proxyUpgrade(
 ): Promise<Socket> {
   const resolvedAddr = parseAddr(addr);
 
+  // Detect SSL from addr string protocol (wss:// or https://)
+  let useSSL = false;
+  if (typeof addr === "string" && !addr.startsWith("unix:")) {
+    useSSL = isSSL.test(new URL(addr).protocol);
+  }
+
   // Validate WS upgrade request
   if (req.method !== "GET" || req.headers.upgrade?.toLowerCase() !== "websocket") {
     socket.destroy();
@@ -114,7 +120,7 @@ export function proxyUpgrade(
   }
 
   // Build target URL for setupOutgoing
-  const target = _buildTargetURL(resolvedAddr);
+  const target = _buildTargetURL(resolvedAddr, useSSL);
   const requestOptions: ProxyUpgradeOptions & { target: URL } = {
     ...opts,
     target,
@@ -159,6 +165,9 @@ export function proxyUpgrade(
           );
           res.on("error", onOutgoingError);
           res.pipe(sock);
+        } else {
+          // Socket already gone — consume response to avoid unhandled stream errors
+          res.resume();
         }
         if (!settled) {
           settled = true;
@@ -210,13 +219,14 @@ export function proxyUpgrade(
 
 // --- Internal ---
 
-function _buildTargetURL(addr: ProxyAddr): URL {
+function _buildTargetURL(addr: ProxyAddr, useSSL = false): URL {
+  const protocol = useSSL ? "https" : "http";
   if (addr.socketPath) {
-    const url = new URL("http://unix");
+    const url = new URL(`${protocol}://unix`);
     (url as any).socketPath = addr.socketPath;
     return url;
   }
-  return new URL(`http://${addr.host || "localhost"}${addr.port ? `:${addr.port}` : ""}`);
+  return new URL(`${protocol}://${addr.host || "localhost"}${addr.port ? `:${addr.port}` : ""}`);
 }
 
 function _createHttpHeader(

test/ws.test.ts

@@ -1,4 +1,7 @@
 import { createServer, type Server, type IncomingMessage } from "node:http";
+import { createServer as createHTTPSServer } from "node:https";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
 import { Duplex } from "node:stream";
 import { connect, type AddressInfo } from "node:net";
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
@@ -683,4 +686,170 @@ describe("proxyUpgrade", () => {
       proxy.close();
     });
   });
+
+  describe("wss:// (TLS upstream)", () => {
+    const __dirname = new URL(".", import.meta.url).pathname;
+    const sslOpts = {
+      key: readFileSync(join(__dirname, "fixtures", "agent2-key.pem")),
+      cert: readFileSync(join(__dirname, "fixtures", "agent2-cert.pem")),
+    };
+
+    it("should use HTTPS request for wss:// addr", async () => {
+      // Create an HTTPS server with WebSocket support
+      const httpsServer = createHTTPSServer(sslOpts);
+      const targetWs = new ws.WebSocketServer({ server: httpsServer });
+
+      targetWs.on("connection", (socket) => {
+        socket.on("message", (msg) => {
+          socket.send("secure-echo:" + msg.toString("utf8"));
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        httpsServer.listen(0, "127.0.0.1", resolve);
+      });
+      const targetPort = (httpsServer.address() as AddressInfo).port;
+
+      const proxy = createProxyServer(`wss://127.0.0.1:${targetPort}`, {
+        secure: false,
+      });
+      const proxyPort = await listenServer(proxy);
+
+      const { promise, resolve } = Promise.withResolvers<void>();
+      const client = new ws.WebSocket("ws://127.0.0.1:" + proxyPort);
+
+      client.on("open", () => {
+        client.send("tls-test");
+      });
+
+      client.on("message", (msg) => {
+        expect(msg.toString("utf8")).toBe("secure-echo:tls-test");
+        client.close();
+        targetWs.close();
+        httpsServer.close();
+        proxy.close(() => resolve());
+      });
+
+      client.on("error", (err) => {
+        targetWs.close();
+        httpsServer.close();
+        proxy.close();
+        throw err;
+      });
+
+      await promise;
+    });
+
+    it("should use HTTPS request for https:// addr", async () => {
+      const httpsServer = createHTTPSServer(sslOpts);
+      const targetWs = new ws.WebSocketServer({ server: httpsServer });
+
+      targetWs.on("connection", (socket) => {
+        socket.on("message", (msg) => {
+          socket.send("https-echo:" + msg.toString("utf8"));
+        });
+      });
+
+      await new Promise<void>((resolve) => {
+        httpsServer.listen(0, "127.0.0.1", resolve);
+      });
+      const targetPort = (httpsServer.address() as AddressInfo).port;
+
+      const proxy = createProxyServer(`https://127.0.0.1:${targetPort}`, {
+        secure: false,
+      });
+      const proxyPort = await listenServer(proxy);
+
+      const { promise, resolve } = Promise.withResolvers<void>();
+      const client = new ws.WebSocket("ws://127.0.0.1:" + proxyPort);
+
+      client.on("open", () => {
+        client.send("https-test");
+      });
+
+      client.on("message", (msg) => {
+        expect(msg.toString("utf8")).toBe("https-echo:https-test");
+        client.close();
+        targetWs.close();
+        httpsServer.close();
+        proxy.close(() => resolve());
+      });
+
+      client.on("error", (err) => {
+        targetWs.close();
+        httpsServer.close();
+        proxy.close();
+        throw err;
+      });
+
+      await promise;
+    });
+
+    it("should use plain HTTP request for ws:// addr (no TLS)", async () => {
+      // Verify ws:// still uses plain HTTP (not HTTPS)
+      const proxy = createProxyServer({ host: "127.0.0.1", port: wsPort });
+      const proxyPort = await listenServer(proxy);
+
+      const { promise, resolve } = Promise.withResolvers<void>();
+      const client = new ws.WebSocket("ws://127.0.0.1:" + proxyPort);
+
+      client.on("open", () => {
+        client.send("plain-test");
+      });
+
+      client.on("message", (msg) => {
+        expect(msg.toString("utf8")).toBe("echo:plain-test");
+        client.close();
+        proxy.close(() => resolve());
+      });
+
+      await promise;
+    });
+  });
+
+  describe("non-upgrade response with destroyed socket", () => {
+    it("should consume response body when socket is already destroyed", async () => {
+      // Regression: when the client socket is destroyed before the upstream
+      // non-upgrade response arrives, the response stream must be consumed
+      // (res.resume()) to avoid unhandled stream errors.
+      const { promise: targetReqReceived, resolve: onTargetReq } = Promise.withResolvers<void>();
+      const { promise: canRespond, resolve: allowResponse } = Promise.withResolvers<void>();
+
+      const targetServer = createServer(async (_req, res) => {
+        onTargetReq();
+        await canRespond;
+        // Send a larger response body to make unconsumed stream errors more likely
+        res.writeHead(503);
+        res.end("Service Unavailable — " + "x".repeat(1024));
+      });
+      const targetPort = await listenServer(targetServer);
+
+      const server = createServer();
+      const { promise, resolve } = Promise.withResolvers<void>();
+
+      server.on("upgrade", (req, socket, head) => {
+        // Destroy socket before upstream responds
+        targetReqReceived.then(() => {
+          socket.destroy();
+          setTimeout(allowResponse, 10);
+        });
+
+        proxyUpgrade({ host: "127.0.0.1", port: targetPort }, req, socket, head).catch(() => {
+          // Give time for any potential unhandled stream errors to surface
+          setTimeout(resolve, 50);
+        });
+      });
+
+      const port = await listenServer(server);
+
+      const sock = connect(port, "127.0.0.1", () => {
+        sock.write(wsUpgradeRequest(port));
+      });
+      sock.on("error", () => {});
+
+      await promise;
+      targetServer.close();
+      server.close();
+    });
+  });
 });