sozu-proxy / sozu

Sōzu HTTP reverse proxy, configurable at runtime, fast and safe, built in Rust. It is awesome!
https://www.sozu.io/
GNU Affero General Public License v3.0
3.1k stars 190 forks

Question: Using Sozu as a forward proxy, egress gateway, egress proxy... #1130

Closed marc-barry closed 2 months ago

marc-barry commented 2 months ago

I happened upon your project when looking into the market for Rust-based proxy solutions. Ever since reading more about Oxy, Cloudflare's proxy solution (https://blog.cloudflare.com/introducing-oxy), I have thought that a Rust-based solution made a lot of sense. I use Envoy extensively today and drive its configuration via its xDS (over gRPC) interface. I really like the simple approach you have taken for a separation of the control plane and data plane.

I was looking into the viability of using Sozu as a forward proxy, egress gateway, egress proxy or any of the other names used to identify gateways between clients and a service. There are some key needs to make this work and I wanted to check on the status of these efforts or support within this proxy.

I have a few other questions but will first engage with these to check the viability of Sozu for some use cases I'm considering.

Wonshtrum commented 2 months ago

Hello and thank you for your interest in Sozu. First and foremost, we may have a misunderstanding, as Sozu is a reverse proxy and not a proxy. It is tailored to process ingress traffic, not egress, and thus might not be able to fulfill your needs. Nonetheless, to answer your questions:

  1. currently, Sozu only supports HTTP/1.x, HTTP/2 is still in active development
  2. we have the intention to add HTTP/3 support, but it is a really long-term goal and not a priority at the moment
  3. since Sozu is intended for ingress, it only terminates the TLS connection and forwards the traffic in clear to the backends
  4. in HTTPS Sozu actively searches for the SNI of the request. Without the SNI, Sozu is enabled to forward the appropriate certificate to terminate the TLS handshake
  5. currently Sozu does not provide any extension capabilities. Wasm-based middleware support may come in a future version, but it is another very long-term goal

Does that answer your questions?

marc-barry commented 2 months ago

> Does that answer your questions?

Yes, these answers are perfect.

> First and foremost, we may have a misunderstanding, as Sozu is a reverse proxy and not a proxy. It is tailored to process ingress traffic, not egress, and thus might not be able to fulfill your needs.

Most reverse proxies can fulfil both directions but there are some subtle needs for which you answered my questions. I appreciate you taking the time.

marc-barry commented 2 months ago

I'm going to close my issue. At this time Sozu is missing a few small features preventing it from being used as a forward proxy. It is optimized for reverse proxying.