appsec not working with websockets

[alisentas]

Hello,

I'm getting the following error when I try to use ntft websockets when appsec is enabled:

http2: panic serving <my-ip>:42000: runtime error: invalid memory address or nil pointer dereference
goroutine 209 [running]:golang.org/x/net/http2.(*serverConn).runHandler.func1()
    golang.org/x/[email protected]/http2/server.go:2468 +0x145
panic({0x1850d80?, 0x2ccbd30?})
    runtime/panic.go:785 +0x132
github.com/caddyserver/caddy/v2/modules/caddyhttp.(*Server).ServeHTTP(0xc000561508, {0x1fa01f0, 0xc00238e378}, 0xc001019040)
    github.com/caddyserver/caddy/[email protected]/modules/caddyhttp/server.go:445 +0x136c
net/http.serverHandler.ServeHTTP({0xc000560008?}, {0x1fa01f0?, 0xc00238e378?}, 0xc000a9dd50?)
    net/http/server.go:3210 +0x8e
net/http.initALPNRequest.ServeHTTP({{0x1fa2ea8?, 0xc00086e0c0?}, 0xc000560008?, {0xc0008c21e0?}}, {0x1fa01f0, 0xc00238e378}, 0xc001019040)
	net/http/server.go:3819 +0x231
golang.org/x/net/http2.(*serverConn).runHandler(0xc000a9de88?, 0xc000a9dfd0?, 0x7f3285?, 0xc0009b5320?)
	golang.org/x/[email protected]/http2/server.go:2475 +0xf5
created by golang.org/x/net/http2.(*serverConn).scheduleHandler in goroutine 28
    golang.org/x/[email protected]/http2/server.go:2409 +0x21d

caddy version: 2.9.1
Bouncer version: Commit #a681cdc

My Caddyfile configuration:

*.website {
    @subdomain host subdomain.website
    handle @subdomain {
        route {
            crowdsec
            appsec
            reverse_proxy service:80
            encode gzip
        }
    }
}

I can confirm websockets work when crowdsec is enabled or both of them are disabled. But for some reason when I enable appsec browser cannot establish a connection with the websocket connection.

[hslatman]

Thanks for your report, @alisentas. I suspect it may have something to do with copying the request body to be sent to CrowdSec. I'll take a look soon.