nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

Support for forwards proxy on websocket leaf connection #3208

Open gehhilfe opened 2 years ago

gehhilfe commented 2 years ago

Feature Request

Use Case:

Many enterprise deployments enforce forward proxies to limit access. Therefore, it would be nice if forward proxies were usable with websocket-based leaf connections. This would allow leaf nodes to be run inside enterprise networks without any special exemptions in the network configuration.

Proposed Change:

Use a net.Dialer which supports forward proxies for websocket leaf connections, and either provide a configuration option for it or use the http_proxy/https_proxy env vars.

Who Benefits From The Change(s)?

Enterprise deployments in networks that have restricted access to the internet because of enforced forward proxies. A central leaf node inside a restricted network is enough to bridge all local clients to a cluster.

Alternative Approaches

derekcollison commented 2 years ago

Could you give us an example of one of the proxies you would want supported?

Does it terminate TLS? Does it have other intrusive monitoring that could break the NATS protocol?

gehhilfe commented 2 years ago

For example, our IT department allows external access from on-premises systems only via HTTP CONNECT without authentication, and sometimes only via HTTP CONNECT + Proxy-Authorization with basic auth.

The systems, mostly Windows, use PAC (Proxy Auto-Config) to configure forward proxies. IT Security decides on a DNS basis whether they do TLS interception or not. Without TLS interception they can't modify or read any payload.

To my knowledge, they only use this to enforce allow-listing on a DNS basis.

Currently, as a workaround, we are using https://github.com/mwitkow/go-http-dialer as a replacement net.Dialer for the leaf connection. I can open a PR for this, but I can't tell what performance or reliability impacts this has.

I hope this clarifies the issue a bit more.
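The two requirements described in this thread, a net.Dialer-style dialer for websocket leaf connections (the proposed change) and an HTTP CONNECT proxy that may demand Proxy-Authorization with basic auth, as an added example written for this page. It is not nats-server's code, not gehhilfe's fork and not go-http-dialer: ConnectDialer issues the CONNECT request and returns the raw tunnel, and the fixture proxy, the echo server, the proxy URL and the credentials are constructed here so the example runs offline. How such a dialer would be wired into the leaf websocket client, and whether the proxy URL comes from config or from https_proxy/http_proxy, are assumptions.

```go
package main

import (
	"bufio"
	"context"
	"encoding/base64"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)

// ConnectDialer tunnels TCP through an HTTP forward proxy with CONNECT, adding
// Proxy-Authorization: Basic when Proxy carries user:pass. Proxy would come from
// leaf config or an https_proxy/http_proxy value (hypothetical wiring, not a
// nats-server option). Example value: http://user:pass@proxy.corp.example:3128.
type ConnectDialer struct{ Proxy *url.URL }

// DialContext sends "CONNECT host:port" and returns the raw tunnel after a 2xx
// reply; the caller layers TLS and the websocket upgrade on top, so a proxy that
// does not intercept TLS learns only the target name from the CONNECT line.
func (d *ConnectDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	conn, err := (&net.Dialer{}).DialContext(ctx, network, d.Proxy.Host)
	if err != nil {
		return nil, err
	}
	req := &http.Request{Method: http.MethodConnect, URL: &url.URL{Opaque: addr}, Host: addr, Header: http.Header{}}
	if u := d.Proxy.User; u != nil {
		pw, _ := u.Password()
		req.Header.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(u.Username()+":"+pw)))
	}
	if err := req.Write(conn); err != nil {
		conn.Close()
		return nil, err
	}
	// Dropping the bufio.Reader is safe because TLS and HTTP servers never speak
	// first. resp.Body is deliberately not Closed: a 2xx CONNECT reply has no
	// length, so Close would try to drain the tunnel itself until EOF.
	resp, err := http.ReadResponse(bufio.NewReader(conn), req)
	if err == nil && resp.StatusCode/100 != 2 {
		err = fmt.Errorf("proxy refused CONNECT %s: %s", addr, resp.Status)
	}
	if err != nil {
		conn.Close()
		return nil, err
	}
	return conn, nil
}

// ServeConnect handles one client of a minimal CONNECT proxy (constructed test
// fixture): it demands the exact Proxy-Authorization value want, then splices
// the client onto the requested host:port.
func ServeConnect(c net.Conn, want string) {
	defer c.Close()
	br := bufio.NewReader(c)
	req, err := http.ReadRequest(br)
	if err != nil || req.Method != http.MethodConnect {
		return
	}
	if req.Header.Get("Proxy-Authorization") != want {
		io.WriteString(c, "HTTP/1.1 407 Proxy Authentication Required\r\nContent-Length: 0\r\n\r\n")
		return
	}
	up, err := net.Dial("tcp", req.Host)
	if err != nil {
		io.WriteString(c, "HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
		return
	}
	defer up.Close()
	io.WriteString(c, "HTTP/1.1 200 Connection established\r\n\r\n")
	go func() { io.Copy(up, br); up.Close() }()
	io.Copy(c, up)
}

// listen runs fn for every connection to a fresh loopback port (test fixture).
func listen(fn func(net.Conn)) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go fn(c)
		}
	}()
	return ln.Addr().String()
}

// StartFixtures starts the proxy (requiring user:pass) and a TCP echo server that
// stands in for the remote endpoint, returning both loopback addresses.
func StartFixtures(user, pass string) (proxyAddr, echoAddr string) {
	want := "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
	proxyAddr = listen(func(c net.Conn) { ServeConnect(c, want) })
	echoAddr = listen(func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
	return proxyAddr, echoAddr
}

// TunnelEcho dials target through proxyURL, sends msg and returns the echo.
func TunnelEcho(proxyURL, target, msg string) (string, error) {
	pu, err := url.Parse(proxyURL)
	if err != nil {
		return "", err
	}
	conn, err := (&ConnectDialer{Proxy: pu}).DialContext(context.Background(), "tcp", target)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	io.WriteString(conn, msg)
	buf := make([]byte, len(msg))
	_, err = io.ReadFull(conn, buf)
	return string(buf), err
}
```

Two points matter for the non-intercepting proxy case gehhilfe describes: the dialer returns the bare tunnel so the websocket client can do its own TLS handshake over it, and a 407 from the proxy surfaces as a dial error rather than a hung connection, because the 2xx response body is never read to EOF.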

derekcollison commented 2 years ago

Thanks for the additional info.

Anton-Frank commented 11 months ago

Any update on this issue? I am highly interested in a solution, since not being able to establish leaf node connections to public endpoints from networks behind forwarding proxies is a real show stopper.

gehhilfe commented 8 months ago

@Anton-Frank I own a fork that supports it, but I don't have the time to advocate to get this merged. I could provide this fork if there is interest?

avivace commented 2 months ago

> @Anton-Frank I own a fork that supports it, but I don't have the time to advocate to get this merged. I could provide this fork if there is interest?

Hi @gehhilfe! I would be interested in looking at the fork. Are you using https://github.com/mwitkow/go-http-dialer to make it work?

gehhilfe commented 2 months ago

@avivace You can check out https://github.com/gehhilfe/nats-server/commit/7065e077fafcd92de0abce52be1895eae3136d41