set Connection: close

goproxy doesn't hang up the upstream connection when the downstream
connection closes. So, it'll read in the next request and then fail
to send it downstream. In this case it 502's. It would be nicer if
it could close the upstream connection preemtively so the cient
could re-dial. Elixir's HTTPoison tries pooling requests over the
CONNECT tunnel and this results in 502's bubbling up to the calling
app. Setting `Connection: close` prevents this pooling.

cmd/tokenizer/main.go

@@ -80,6 +80,11 @@ func runServe() {
 
 	tkz := tokenizer.NewTokenizer(key)
 
+	if len(os.Getenv("DEBUG")) != 0 {
+		tkz.ProxyHttpServer.Verbose = true
+		tkz.ProxyHttpServer.Logger = logrus.StandardLogger()
+	}
+
 	server := &http.Server{Handler: tkz}
 
 	go func() {

tokenizer.go

@@ -197,18 +197,16 @@ func (t *tokenizer) HandleResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *
 
 	// reset pud for next request in tunnel
 	pud.requestStart = time.Time{}
-	if pud.connLog != nil {
-		pud.reqLog = pud.connLog
-	} else {
-		pud.reqLog = logrus.StandardLogger()
-	}
+	pud.reqLog = nil
 
 	if ctx.Error != nil {
 		log.WithError(ctx.Error).Warn()
 		return errorResponse(ctx.Error)
 	}
 
 	log.Info()
+
+	resp.Header.Set("Connection", "close")
 	return resp
 }
 
@@ -303,9 +301,12 @@ func errorResponse(err error) *http.Response {
 }
 
 func forceTLSDialer(network, addr string) (net.Conn, error) {
-	if network != "tcp" {
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+	default:
 		return nil, fmt.Errorf("%w: dialing network %s not supported", ErrBadRequest, network)
 	}
+
 	hostname, port, _ := strings.Cut(addr, ":")
 	if hostname == "" {
 		return nil, fmt.Errorf("%w: attempt to dial without host: %q", ErrBadRequest, addr)
@@ -317,5 +318,6 @@ func forceTLSDialer(network, addr string) (net.Conn, error) {
 		port = "443"
 	}
 	addr = fmt.Sprintf("%s:%s", hostname, port)
+
 	return tls.Dial("tcp", addr, &tls.Config{RootCAs: upstreamTrust})
 }