From 2b19805ef7a61b6e94be5f662f126632451902b5 Mon Sep 17 00:00:00 2001
From: Eloi DEMOLIS
Date: Mon, 25 Nov 2024 19:08:05 +0100
Subject: [PATCH] Fix TLS close initiated by Sozu, solution is not ideal
Signed-off-by: Eloi DEMOLIS
---
 lib/src/http.rs | 4 ++--
 lib/src/https.rs | 5 +++--
 lib/src/protocol/kawa_h1/mod.rs | 18 ++++++++----------
 lib/src/socket.rs | 5 +++++
 4 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/lib/src/http.rs b/lib/src/http.rs
index 75032c1d7..2f6e69e39 100644
--- a/lib/src/http.rs
+++ b/lib/src/http.rs
@@ -305,6 +305,8 @@ impl ProxySession for HttpSession {
 }
 self.state.cancel_timeouts();
+ // defer backend closing to the state
+ self.state.close(self.proxy.clone(), &mut self.metrics);
 let front_socket = self.state.front_socket();
 if let Err(e) = front_socket.shutdown(Shutdown::Both) {
@@ -328,8 +330,6 @@ impl ProxySession for HttpSession {
 }
 proxy.remove_session(self.frontend_token);
- // defer backend closing to the state
- self.state.close(self.proxy.clone(), &mut self.metrics);
 self.has_been_closed = true;
 }
diff --git a/lib/src/https.rs b/lib/src/https.rs
index 709809d38..ce03d33bd 100644
--- a/lib/src/https.rs
+++ b/lib/src/https.rs
@@ -435,6 +435,9 @@ impl ProxySession for HttpsSession {
 }
 self.state.cancel_timeouts();
+ // defer backend closing to the state
+ // in case of https it should also send a close notify on the client before the socket is closed below
+ self.state.close(self.proxy.clone(), &mut self.metrics);
 let front_socket = self.state.front_socket();
 if let Err(e) = front_socket.shutdown(Shutdown::Both) {
@@ -458,8 +461,6 @@ impl ProxySession for HttpsSession {
 }
 proxy.remove_session(self.frontend_token);
- // defer backend closing to the state
- self.state.close(self.proxy.clone(), &mut self.metrics);
 self.has_been_closed = true;
 }
diff --git a/lib/src/protocol/kawa_h1/mod.rs b/lib/src/protocol/kawa_h1/mod.rs
index 1e2c86532..270ca7e7e 100644
--- a/lib/src/protocol/kawa_h1/mod.rs
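Review bot: The relocated comment in the first `lib/src/http.rs` hunk still reads `// defer backend closing to the state`, which no longer explains why the call has to sit above `front_socket.shutdown(Shutdown::Both)`. In this same patch the kawa_h1 `close` also calls `socket_close()` and writes to the frontend socket, so the ordering is now load-bearing. I would state it, e.g. `// must run before the front socket is shut down: the state may still write to the frontend`, so a later cleanup does not move the call back below the shutdown. The enclosing function starts and ends outside the hunk.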
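Review bot: The comment added in the first `lib/src/https.rs` hunk promises that `self.state.close(...)` "should also send a close notify", but the only `close` implementation this patch changes is the kawa_h1 one. If `self.state` can be in any other state when the session is closed (not visible in this hunk), those paths presumably still reach `front_socket.shutdown(Shutdown::Both)` without a close_notify, and the client cannot tell that close apart from a truncated stream. I would narrow the comment to what is implemented, e.g. `// the HTTP/1 state queues and tries to flush a TLS close_notify here; other states do not`, or apply the same handling to the other states. The enclosing function starts and ends outside the hunk.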
+++ b/lib/src/protocol/kawa_h1/mod.rs @@ -492,7 +492,7 @@ impl Http Http Http { @@ -1912,6 +1908,8 @@ impl SessionState fn close(&mut self, proxy: Rc>, metrics: &mut SessionMetrics) { self.close_backend(proxy, metrics); + self.frontend_socket.socket_close(); + let _ = self.frontend_socket.socket_write_vectored(&[]); //if the state was initial, the connection was already reset if !self.request_stream.is_initial() { diff --git a/lib/src/socket.rs b/lib/src/socket.rs index a3227a19d..c3014726f 100644 --- a/lib/src/socket.rs +++ b/lib/src/socket.rs @@ -52,6 +52,7 @@ pub trait SocketHandler { fn socket_wants_write(&self) -> bool { false } + fn socket_close(&mut self) {} fn socket_ref(&self) -> &TcpStream; fn socket_mut(&mut self) -> &mut TcpStream; fn protocol(&self) -> TransportProtocol; @@ -430,6 +431,10 @@ impl SocketHandler for FrontRustls { } } + fn socket_close(&mut self) { + self.session.send_close_notify(); + } + fn socket_wants_write(&self) -> bool { self.session.wants_write() }
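Review bot: In the `close` hunk of `lib/src/protocol/kawa_h1/mod.rs`, `let _ = self.frontend_socket.socket_write_vectored(&[]);` discards the result of the only attempt to flush the close_notify queued by `socket_close()`. If that write does not complete, for instance because the socket is not writable at that moment, the alert stays buffered in the TLS session and the caller shuts the front socket down right afterwards. The peer then sees a bare TCP close instead of an authenticated end of stream. A retry loop may not be wanted during teardown, but the miss should be visible: check `if self.frontend_socket.socket_wants_write() { /* log or count: close_notify not flushed */ }` after the write. A comment such as `// empty write only to flush pending TLS records` would also document the reliance on the handler flushing on an empty write, which should be confirmed in `FrontRustls`. The body of `close` continues outside the hunk.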
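Review bot: The new trait method `fn socket_close(&mut self) {}` in `lib/src/socket.rs` has no doc comment, and its name suggests it closes the socket. The only override in this patch, `FrontRustls` in the next hunk, just calls `self.session.send_close_notify()`, which queues the alert and sends nothing until TLS data is next written. Because the default is a silent no-op, any other TLS-backed `SocketHandler` would skip the alert without a compile-time hint. I would document the contract on the trait, e.g. `/// Queues a protocol-level close (TLS close_notify). Does not close the TCP socket; the caller must still write to flush it. No-op for plain TCP.`, and consider a name such as `socket_queue_close` that does not imply the socket is closed.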