chobits / ngx_http_proxy_connect_module

A forward proxy module for CONNECT request handling
BSD 2-Clause "Simplified" License

[TODO] support HTTP2: make CONNECT tunnel work under H2 protocol #25

Open chobits opened 6 years ago

chobits commented 6 years ago
  1. for how to handle CONNECT tunnel in HTTP protocol, see http://httpwg.org/specs/rfc7540.html#CONNECT
  2. some implementation discussion in https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346944228

At least three points we should pay attention to:

  1. This module only patches HTTP status line parsing function for parsing CONNECT method. HTTP2 module has its own parsing function, which is not patched by this module.
  2. How to notify client that this module has established tunnel (maybe return 200 establish, not sure)?
  3. How to upgrade client HTTP2 connection to TCP stream tunnel (maybe upgrade one HTTP stream not the whole connection, not sure)?

intika commented 4 years ago

This would be great :)

jamiepmullan commented 3 years ago

Hey @chobits - any updates on this?

chobits commented 3 years ago

@jamiepmullan Currently not in plan. Hope that I can have free time to complete it or someone can pull a request for this issue. Details are in the first comment.

chobits commented 1 year ago

The preparatory work for development is logged here:

document/rfc (how connect method works in h2/h3)

CONNECT method in h3 protocol:

See section "4.4. The CONNECT Method" in https://datatracker.ietf.org/doc/rfc9114/

client testing

For curl, we can use the following command to test whether the CONNECT method works under the ssl/h2 protocol (--proxy-insecure makes curl ignore the CA check with our proxy server, localhost:8888):

    curl https://github.com/ -sv -o/dev/null --proxy-insecure -x https://localhost:8888 --http2

with the nginx proxy_connect configuration as follows:

    server {
        listen 8888 ssl http2;
        ssl_certificate_key /opt/nginx/server.key;   # self-signed cert created by openssl command
        ssl_certificate     /opt/nginx/server.crt;
        ssl_session_cache shared:SSL:1m;

        error_log logs/err_8888.log debug;

        resolver 223.5.5.5 ipv6=off;

        proxy_connect;
        proxy_connect_allow 443 563;
        proxy_connect_connect_timeout 10s;
        proxy_connect_data_timeout 120s;

        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
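
Added example, not part of the thread and not code from this module or from nginx: a sketch of the check an HTTP/2 CONNECT handler would need before opening a tunnel, following RFC 7540 section 8.3 (linked in the first comment), where `:scheme` and `:path` must be omitted and `:authority` carries host and port. The `h2_pseudo` struct, the function names and the return codes are hypothetical; the allowed ports mirror `proxy_connect_allow 443 563` from the configuration above.

```c
#include <string.h>

/* Hypothetical holder for decoded HTTP/2 pseudo-headers; NULL means absent. */
struct h2_pseudo { const char *method, *scheme, *path, *authority; };

enum { H2C_OK, H2C_NOT_CONNECT, H2C_MALFORMED, H2C_PORT_DENIED };

/* Port from "host:port" or "[v6]:port"; -1 if missing or not in 1..65535. */
static int authority_port(const char *a)
{
    const char *colon = strrchr(a, ':'), *p;
    int port = 0;

    if (colon == NULL || colon == a || colon[1] == '\0')
        return -1;
    if (a[0] == '[' ? colon[-1] != ']'
                    : memchr(a, ':', (size_t)(colon - a)) != NULL)
        return -1;   /* no port after ']' or an unbracketed extra ':' */
    for (p = colon + 1; *p != '\0'; p++)
        if (*p < '0' || *p > '9' || (port = port * 10 + (*p - '0')) > 65535)
            return -1;
    return port > 0 ? port : -1;
}

/* Validate an h2 CONNECT (RFC 7540 section 8.3), then apply a port allowlist. */
int h2_connect_check(const struct h2_pseudo *r, const int *allow, size_t n)
{
    int port;
    size_t i;

    if (r->method == NULL || strcmp(r->method, "CONNECT") != 0)
        return H2C_NOT_CONNECT;
    if (r->scheme != NULL || r->path != NULL || r->authority == NULL)
        return H2C_MALFORMED;   /* :scheme and :path must be omitted */
    if ((port = authority_port(r->authority)) < 0)
        return H2C_MALFORMED;
    for (i = 0; i < n; i++)
        if (allow[i] == port)
            return H2C_OK;
    return H2C_PORT_DENIED;
}

/* Constructed sample wrapper: ports mirror "proxy_connect_allow 443 563". */
int h2_connect_sample(const char *m, const char *s, const char *p, const char *a)
{
    static const int allow[] = { 443, 563 };
    struct h2_pseudo r = { m, s, p, a };
    return h2_connect_check(&r, allow, sizeof(allow) / sizeof(allow[0]));
}

int main(void) { return h2_connect_sample("CONNECT", NULL, NULL, "github.com:443"); }
```

Rejecting a request that carries `:scheme` or `:path` keeps an HTTP/2 front end from treating an ordinary request as a tunnel, and the port check preserves the same restriction the HTTP/1.1 path enforces.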