zalando / skipper

An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress
https://opensource.zalando.com/skipper/

Forward Proxy #929

Open szuecs opened 5 years ago

szuecs commented 5 years ago

Background information:

forward proxy listening on HTTP

It should be able to handle both HTTP and HTTPS outgoing requests.

HTTP

When a proxy request comes in for an HTTP URI, it will take the RequestURI, make a request to it and return the response.

HTTPS

For an HTTPS URI, the client will send a CONNECT request to the proxy, which will then make a connection to the target pointed to in the CONNECT and return a 200 response. Then the client will send a TLS handshake, which the proxy will simply pipe to the target connection. That is why it's a tunnel and the proxy simply acts as a packet forwarder. Please take a look at the forward proxy implementation that I posted a few posts up.

Even if we enable HTTPS for a forward proxy, it simply means that the traffic between the client and the proxy is also encrypted. But this also means that when an HTTPS URL is requested, it will end up being a double wrapping of TLS encryption.

forward proxy listening on HTTPS

This needs a review of standard practice, and maybe there is an RFC for it, but I think the most obvious implementation would be similar to the one above for HTTP: be able to use SNI and present the client certificates to terminate the TLS tunnel, to enable skipper users to use the HTTP filter capabilities; otherwise there would be no advantage to using skipper instead of other forward proxies.

szuecs commented 4 years ago

The first step will be the HTTP forward proxy, to implement more egress features; see also our docs on egress.

azak-azkaran commented 4 years ago

Maybe this library could help for handling https: https://github.com/elazarl/goproxy

szuecs commented 4 years ago

We likely have to reimplement this. I want to have better connection pooling, and keep-alive is not implemented either. It's a good idea to read the transport code, so thanks for the link!