CONNECT-UDP, CONNECT-IP, and plain CONNECT

rstream now supports plain HTTP CONNECT for upstream forward proxy services, plus MASQUE CONNECT-UDP and CONNECT-IP sessions on published HTTP/3 datagram tunnels.

This extends the HTTP tunnel model beyond WebSocket and WebTransport. A published HTTP tunnel can carry TCP proxying with plain CONNECT, and a published HTTP/3 tunnel can carry UDP proxying with CONNECT-UDP or IP packet proxying with CONNECT-IP, while keeping the usual HTTP entrypoint behavior: edge authentication, access policy checks, project routing, observability, and tunnel lifecycle remain in the same path.

For plain CONNECT, the engine forwards CONNECT host:port to the upstream proxy and relays opaque TCP bytes only after the upstream returns 2xx. The CONNECT target is never used for tunnel routing; it remains an upstream proxy policy decision.

For MASQUE, the engine acts as an HTTP/3 Extended CONNECT relay. It validates HTTP/3 and datagram support on both sides, opens a matching upstream session to the service attached by the rstream client, and relays request-stream capsules plus HTTP datagrams end-to-end. UDP target handling, DNS resolution, IP route assignment, and packet policy remain owned by the upstream MASQUE service.

The Go SDK repository includes runtime tests for plain CONNECT over H1, H2, and H3, plus MASQUE samples built with quic-go/masque-go and quic-go/connect-ip-go. The MASQUE examples can run privately through the SDK datagram dialer, or through a published HTTP/3 endpoint with --publish.

See Connection Upgrades, Tunnel Protocols, Go SDK, and Build a Private Residential Egress Gateway with MASQUE and rstream for setup details and an end-to-end egress gateway walkthrough.

References:

Plain CONNECT RFC 9110 §9.3.6, CONNECT-UDP RFC 9298, CONNECT-IP RFC 9484, HTTP Datagrams and capsules RFC 9297.