search

nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0
15.12k stars 1.37k forks source link

Support for forwards proxy on websocket leaf connection #3208

Open gehhilfe opened 2 years ago

gehhilfe commented 2 years ago

Feature Request

Use Case:

Many enterprise deployments enforce forward proxies to limit access. Therefore, it would be nice when forward proxies are useable with websocket based leaf connections. This will allow leaf nodes to be executed inside enterprise networks without any special exemptions in network configuration.

Proposed Change:

Using a net.Dialer which supports forward proxy for websocket leaf connections and provide possible configuration or use http_proxy/https_proxy env vars.

Who Benefits From The Change(s)?

Enterprise deployments in networks that have restricted access to internet, because of enforced forward proxies. A central leaf node inside a restricted network is enough to bridge all local clients to a cluster.

Alternative Approaches

derekcollison commented 2 years ago

Could you give us an example of one of the proxies you would want supported?

Does it terminate TLS? Does it have other intrusive monitoring that could break the NATS protocol?

gehhilfe commented 2 years ago

For example our it department allows only external access, from premises systems, via HTTP Connect without authentication and sometimes only via HTTP Connect + Proxy-Authorization with basic auth.

The systems, mostly windows, are using PAC Proxy Auto-Config to configure forward proxies. IT Security decides on dns basis if they do TLS interception or not. Without tls interception they cant modify / read any payload.

As my knowledge they only use this to enforce allow listing on dns basis.

Currently as workaround we are using https://github.com/mwitkow/go-http-dialer as replacement net.Dialer for leaf connection. I can open a PR for this, but I cant tell what performance and our reliability impacts this has.

I hope this clarifies the issue a bit more.

derekcollison commented 2 years ago

Thanks for the additional info..

Anton-Frank commented 6 months ago

Any update on this issue? I am highly interested in a solution, since not being able to establish leaf node connections to public endpoints from networks behind forwarding proxies is a real show stopper.

gehhilfe commented 3 months ago

@Anton-Frank I own a fork that supports it, but I don't have the time advocate to get this merged. I could provide this fork if there is interest?