Avoid rejecting unknown ALPN in Node v20.4+

pimterry · pimterry · commit 256a139db596 · 2023-10-04T17:28:55.000+02:00
Unfortunately there's no possible fix for Node 20.0 - 20.3, which will
instead reject all unknown ALPN connections. This can cause issues, e.g.
for some Android apps that I've seen use GRPC ALPN as the only option
(HTTP compatible, but not officially named as such) and other cases such
as ALPN bugs (e.g. the incorrect https-proxy-agent ALPN string for H1).
diff --git a/src/server/http-combo-server.ts b/src/server/http-combo-server.ts
@@ -1,10 +1,12 @@
 import _ = require('lodash');
-import now = require("performance-now");
+import now = require('performance-now');
 import net = require('net');
 import tls = require('tls');
 import http = require('http');
 import http2 = require('http2');
 import * as streams from 'stream';
+
+import * as semver from 'semver';
 import { makeDestroyable, DestroyableServer } from 'destroyable-server';
 import httpolyglot = require('@httptoolkit/httpolyglot');
 import {
@@ -148,17 +150,37 @@ export async function createComboServer(
         const ca = await getCA(options.https);
         const defaultCert = ca.generateCertificate(options.https.defaultDomain ?? 'localhost');
 
+        const serverProtocolPreferences = options.http2 === true
+            ? ['h2', 'http/1.1', 'http 1.1'] // 'http 1.1' is non-standard, but used by https-proxy-agent
+                : options.http2 === 'fallback'
+            ? ['http/1.1', 'http 1.1', 'h2']
+                // options.http2 === false:
+            : ['http/1.1', 'http 1.1'];
+
+        const ALPNOption: tls.TlsOptions = semver.satisfies(process.version, '>=20.4.0')
+            ? {
+                // In modern Node (20+), ALPNProtocols will reject unknown protocols. To allow those (so we can
+                // at least read the request, and hopefully handle HTTP-like cases - not uncommon) we use the new
+                // ALPNCallback feature instead, which lets us dynamically accept unrecognized protocols:
+                ALPNCallback: ({ protocols: clientProtocols }) => {
+                    const preferredProtocol = serverProtocolPreferences.find(p => clientProtocols.includes(p));
+
+                    // Wherever possible, we tell the client to use our preferred protocol
+                    if (preferredProtocol) return preferredProtocol;
+
+                    // If the client only offers protocols that we don't understand, shrug and accept:
+                    else return clientProtocols[1];
+                }
+            } : {
+                // In Node versions without ALPNCallback, we just set preferences directly:
+                ALPNProtocols: serverProtocolPreferences
+            }
+
         const tlsServer = tls.createServer({
             key: defaultCert.key,
             cert: defaultCert.cert,
             ca: [defaultCert.ca],
-            ALPNProtocols: options.http2 === true
-                ? ['h2', 'http/1.1', 'http 1.1'] // 'http 1.1' is non-standard, but used by https-proxy-agent
-                    : options.http2 === 'fallback'
-                ? ['http/1.1', 'http 1.1', 'h2']
-                    // false
-                : ['http/1.1', 'http 1.1'],
-
+            ...ALPNOption,
             SNICallback: (domain: string, cb: Function) => {
                 if (options.debug) console.log(`Generating certificate for ${domain}`);
 
