Merge branch v2.11 into v3.3

pkg/proxy/httputil/proxy.go

@@ -2,6 +2,7 @@ package httputil
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"io"
 	stdlog "log"
@@ -112,7 +113,13 @@ func ErrorHandlerWithContext(ctx context.Context, w http.ResponseWriter, err err
 	statusCode := ComputeStatusCode(err)
 
 	logger := log.Ctx(ctx)
-	logger.Debug().Err(err).Msgf("%d %s", statusCode, statusText(statusCode))
+
+	// Log the error with error level if it is a TLS error related to configuration.
+	if isTLSConfigError(err) {
+		logger.Error().Err(err).Msgf("%d %s", statusCode, statusText(statusCode))
+	} else {
+		logger.Debug().Err(err).Msgf("%d %s", statusCode, statusText(statusCode))
+	}
 
 	w.WriteHeader(statusCode)
 	if _, werr := w.Write([]byte(statusText(statusCode))); werr != nil {
@@ -127,6 +134,22 @@ func statusText(statusCode int) string {
 	return http.StatusText(statusCode)
 }
 
+// isTLSConfigError returns true if the error is a TLS error which is related to configuration.
+// We assume that if the error is a tls.RecordHeaderError or a tls.CertificateVerificationError,
+// it is related to configuration, because the client should not send a TLS request to a non-TLS server,
+// and the client configuration should allow to verify the server certificate.
+func isTLSConfigError(err error) bool {
+	// tls.RecordHeaderError is returned when the client sends a TLS request to a non-TLS server.
+	var recordHeaderErr tls.RecordHeaderError
+	if errors.As(err, &recordHeaderErr) {
+		return true
+	}
+
+	// tls.CertificateVerificationError is returned when the server certificate cannot be verified.
+	var certVerificationErr *tls.CertificateVerificationError
+	return errors.As(err, &certVerificationErr)
+}
+
 // ComputeStatusCode computes the HTTP status code according to the given error.
 func ComputeStatusCode(err error) int {
 	switch {