From 1c32df37bbe39f11ebaf0a0714e185203747ebd7 Mon Sep 17 00:00:00 2001
From: Meng Zhuo <mzh@golangcn.org>
Date: Wed, 28 Oct 2020 16:46:31 +0800
Subject: [PATCH] Close connection if authentication failed

libcurl and some proxy application will keep sending authentication in
same connection if auth failed which is not supported.

fixes #583
---
 http.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/http.go b/http.go
index 2027dc8..1b17e6f 100644
--- a/http.go
+++ b/http.go
@@ -363,6 +363,12 @@ func (h *httpHandler) authenticate(conn net.Conn, req *http.Request, resp *http.
 			conn.RemoteAddr(), conn.LocalAddr())
 		resp.StatusCode = http.StatusProxyAuthRequired
 		resp.Header.Add("Proxy-Authenticate", "Basic realm=\"gost\"")
+		if strings.ToLower(req.Header.Get("Proxy-Connection")) == "keep-alive" {
+			// XXX libcurl will keep sending auth request in same conn
+			// which we don't supported yet.
+			resp.Header.Add("Connection", "close")
+			resp.Header.Add("Proxy-Connection", "close")
+		}
 	} else {
 		resp.Header = http.Header{}
 		resp.Header.Set("Server", "nginx/1.14.1")