diff --git a/pkg/portal/ssh/proxy.go b/pkg/portal/ssh/proxy.go
index a25e21b49..efcc1d151 100644
--- a/pkg/portal/ssh/proxy.go
+++ b/pkg/portal/ssh/proxy.go
@@ -329,16 +329,20 @@ func (s *ssh) proxyChannel(ch1, ch2 cryptossh.Channel, rs1, rs2 <-chan *cryptoss
 		defer recover.Panic(s.log)
 
 		defer wg.Done()
+		defer func() {
+			_ = ch1.CloseWrite()
+		}()
 		_, _ = io.Copy(ch1, ch2)
-		_ = ch1.CloseWrite()
 	}()
 
 	go func() {
 		defer recover.Panic(s.log)
 
 		defer wg.Done()
+		defer func() {
+			_ = ch2.CloseWrite()
+		}()
 		_, _ = io.Copy(ch2, ch1)
-		_ = ch2.CloseWrite()
 	}()
 
 	go func() {
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
index 121f5c032..37bfa3472 100644
--- a/pkg/proxy/proxy.go
+++ b/pkg/proxy/proxy.go
@@ -115,6 +115,7 @@ func proxy(w http.ResponseWriter, r *http.Request) {
 	hijacker, ok := w.(http.Hijacker)
 	if !ok {
 		http.Error(w, "hijacking not supported", http.StatusInternalServerError)
+		c2.Close()
 		return
 	}
 
@@ -123,14 +124,20 @@ func proxy(w http.ResponseWriter, r *http.Request) {
 	c1, buf, err := hijacker.Hijack()
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
+		c1.Close()
+		c2.Close()
 		return
 	}
 
 	go func() {
+		defer func() {
+			_ = c2.(*net.TCPConn).CloseWrite()
+		}()
 		_, _ = io.Copy(c2, buf)
-		_ = c2.(*net.TCPConn).CloseWrite()
 	}()
 
+	defer func() {
+		_ = c1.(*tls.Conn).CloseWrite()
+	}()
 	_, _ = io.Copy(c1, c2)
-	_ = c1.(*tls.Conn).CloseWrite()
 }