reactor / reactor-netty

TCP/HTTP/UDP/QUIC client/server with Reactor over Netty
https://projectreactor.io
Apache License 2.0

Support for Proxy-over-SSL #2348

Open micw opened 2 years ago

micw commented 2 years ago

Motivation

I have a network which is reachable by a proxy only. The proxy itself is an apache2 configured as proxy. The proxy is exposed via https. The resources within the network are reachable by http.

This setting works easily with curl:

curl --proxy https://proxy:secret@my-rpoxy-server:443 http://10.200.6.245/

Desired solution

This should also be possible with netty. I have seen some potentially related issues which are closed without obvious reason (https://github.com/reactor/reactor-netty/pull/2178, https://github.com/reactor/reactor-netty/issues/2165).

violetagg commented 2 years ago

@micw Is this issue related to the other one that you created #2349?

micw commented 2 years ago

Only partially. #2349 is about the connection from proxy to the target system. This issue is about the connection between the client and the proxy.

Client <-A-> Proxy <-B-> Target

[A] can be HTTP, HTTPs, SOCKS (and potentially others). Currently HTTP and SOCKS are supported, HTTPS not. This is what #2348 is about.

[B] can be HTTP GET/POST/... and CONNECT. With "CONNECT", the proxy passes a raw TCP connection from the target to the client and does not care about the content. This is commonly used to proxy HTTPs connections but netty uses it for everything. This is what #2349 is about.

I was a bit surprised about the incomplete proxy support in netty. For my project I switched back to apache httpclient async which fully supports all the proxy semantics. Looking forward to seeing it in netty so that I can switch to Spring Flux/Webclient.
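The two hop-[B] modes from the comment above, written out as the request head a client sends once hop [A] is TLS. This is an added example using only JDK sockets, not part of the thread and not Reactor Netty or Netty code; the class and method names are made up for illustration, and the target and credentials are the sample values from the curl command.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HttpsProxyHop {            // hypothetical name, illustration only
    static String authority(URI t) {
        int port = t.getPort() != -1 ? t.getPort() : ("https".equalsIgnoreCase(t.getScheme()) ? 443 : 80);
        return t.getHost() + ":" + port;
    }
    // Basic credentials for the proxy; they travel on hop [A], so only TLS on that hop protects them.
    static String proxyAuth(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Proxy-Authorization: Basic " + Base64.getEncoder().encodeToString(raw) + "\r\n";
    }
    // Hop [B], forwarding mode: absolute-form target, the proxy parses and relays the request.
    static String forwardHead(URI target, String auth) {
        return "GET " + target + " HTTP/1.1\r\nHost: " + authority(target) + "\r\n"
                + auth + "Connection: close\r\n\r\n";
    }
    // Hop [B], tunnel mode: authority-form target, after a 2xx the proxy relays raw bytes.
    static String connectHead(URI target, String auth) {
        String a = authority(target);
        return "CONNECT " + a + " HTTP/1.1\r\nHost: " + a + "\r\n" + auth + "\r\n";
    }
    // Hop [A] over TLS with the JDK default trust store; returns the proxy's status line.
    static String send(String proxyHost, int proxyPort, String head) throws Exception {
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(proxyHost, proxyPort)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // a raw SSLSocket skips hostname checks otherwise
            s.setSSLParameters(p);
            s.startHandshake();
            s.getOutputStream().write(head.getBytes(StandardCharsets.US_ASCII));
            return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII)).readLine();
        }
    }
    public static void main(String[] args) throws Exception {
        URI target = URI.create("http://10.200.6.245/");   // target from the curl example
        String auth = proxyAuth("proxy", "secret");        // credentials from the curl example
        System.out.print(forwardHead(target, auth));
        System.out.print(connectHead(target, auth));
        if (args.length == 2)                              // optional: <proxyHost> <proxyPort>
            System.out.println(send(args[0], Integer.parseInt(args[1]), forwardHead(target, auth)));
    }
}
```

Without arguments it only prints the two request heads; with a proxy host and port it sends the forwarding-mode request over TLS and prints the proxy's status line.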

ashish-b-choudhary-db commented 2 years ago

@micw you may instead use Jetty ReactiveStreams HttpClient with WebClient, it supports https proxy.

I was facing the same problem trying to set up an https proxy and use it with WebClient, netty not supporting it was almost a blocker for my use-case.

Some sample code to get you started:

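import java.net.URI;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpProxy;
import org.eclipse.jetty.client.Origin.Address;
import org.eclipse.jetty.client.ProxyConfiguration;
import org.eclipse.jetty.client.api.AuthenticationStore;
import org.eclipse.jetty.client.util.BasicAuthentication;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.http.client.reactive.JettyClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;

// trustAll = true: trusts all, server certificates are not validated
HttpClient httpClient = new HttpClient(new SslContextFactory.Client(true));

// proxy: the second argument (true) marks the client-to-proxy connection as TLS
ProxyConfiguration proxyConfig = httpClient.getProxyConfiguration();
HttpProxy proxy = new HttpProxy(new Address("host", 443), true);
proxyConfig.getProxies().add(proxy);

// auth: Basic credentials sent to the proxy in the Proxy-Authorization header
AuthenticationStore auth = httpClient.getAuthenticationStore();
auth.addAuthenticationResult(new BasicAuthentication.BasicResult(URI.create("https://host:443"), HttpHeader.PROXY_AUTHORIZATION, "user", "pass"));

JettyClientHttpConnector jettyClientHttpConnector = new JettyClientHttpConnector(httpClient);
WebClient client = WebClient.builder().clientConnector(jettyClientHttpConnector).build();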

Would be good to have this supported in Netty soon.

sroui commented 1 year ago

Hello @ashish-b-choudhary-db,

I have a proxy that does not support CONNECT. I am using Jetty as you've mentioned, but I did not find how to disable CONNECT tunneling.

Thank you.

MarcinAman commented 1 year ago

@violetagg are there any plans to work on that? Do you see a work-around for people that are using netty?

violetagg commented 1 year ago

We are not working on this one. I marked this with help wanted if somebody wants to work on this. Ideally I see a feature implemented on the level of Netty and not Reactor Netty.