From 8ccfcbc5718e73f0284362ec068903ca480b6e2f Mon Sep 17 00:00:00 2001 From: SapirBaruch Date: Mon, 1 Jun 2026 21:33:30 +0300 Subject: [PATCH] reverseproxy: re-apply WebSocket header normalization after header ops MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When transport or user header ops are configured, proxyLoopIteration rebuilds r.Header from scratch using copyHeader. copyHeader calls http.Header.Add internally which canonicalizes header names via CanonicalHeaderKey — this lowercases the 'S' in WebSocket, turning "Sec-WebSocket-Key" into "Sec-Websocket-Key". normalizeWebsocketHeaders was already called in prepareRequest to fix this, but the subsequent header rebuild in proxyLoopIteration undoes it. Calling normalizeWebsocketHeaders again after the rebuild restores the RFC 6455-compliant casing for all Sec-WebSocket-* headers. Fixes #7784 --- modules/caddyhttp/reverseproxy/reverseproxy.go | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/caddyhttp/reverseproxy/reverseproxy.go b/modules/caddyhttp/reverseproxy/reverseproxy.go index f062ef598..91c651bd1 100644 --- a/modules/caddyhttp/reverseproxy/reverseproxy.go +++ b/modules/caddyhttp/reverseproxy/reverseproxy.go @@ -695,6 +695,7 @@ func (h *Handler) proxyLoopIteration(r *http.Request, origReq *http.Request, w h if userOps != nil { userOps.ApplyToRequest(r) } + normalizeWebsocketHeaders(r.Header) } // proxy the request to that upstream