ngx_http_proxy_connect_module
[TODO] support HTTP2: make CONNECT tunnel work under H2 protocol
- for how to handle CONNECT tunnel in HTTP protocol, see http://httpwg.org/specs/rfc7540.html#CONNECT
- some implementation discussion in https://github.com/chobits/ngx_http_proxy_connect_module/issues/22#issuecomment-346944228
At least three points we should pay attention to:
- This module only patches HTTP status line parsing function for parsing CONNECT method. HTTP2 module has its own parsing function, which is not patched by this module.
- How to notify client that this module has established tunnel (maybe return 200 establish, not sure)?
- How to upgrade client HTTP2 connection to TCP stream tunnel (maybe upgrade one HTTP stream not the whole connection, not sure)?
This would be great :)
Hey @chobits - any updates on this?
@jamiepmullan Currently not in plan. Hope that I can have free time to complete it or someone can submit a pull request for this issue. Details are in the first comment.
The preparatory work for development is logged here:
document/rfc (how connect method works in h2/h3)
CONNECT method in h3 protocol:
See section "4.4. The CONNECT Method" in https://datatracker.ietf.org/doc/rfc9114/
client testing
For curl, we can use the following command to test whether the CONNECT method works under the ssl/h2 protocol (`--proxy-insecure` makes curl ignore the CA check with our proxy server, localhost:8888):

```sh
curl https://github.com/ -sv -o/dev/null --proxy-insecure -x https://localhost:8888 --http2
```

with the nginx proxy_connect configuration as follows:
```nginx
server {
    listen 8888 ssl http2;
    ssl_certificate_key /opt/nginx/server.key; # self-signed cert created by openssl command
    ssl_certificate /opt/nginx/server.crt;
    ssl_session_cache shared:SSL:1m;
    error_log logs/err_8888.log debug;
    resolver 223.5.5.5 ipv6=off;
    proxy_connect;
    proxy_connect_allow 443 563;
    proxy_connect_connect_timeout 10s;
    proxy_connect_data_timeout 120s;
    location / {
        proxy_pass http://$host;
        proxy_set_header Host $host;
    }
}
```
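
The RFC 7540 CONNECT rules linked in the first comment, combined with the `proxy_connect_allow 443 563;` policy from the configuration above, as an added example that is not part of the thread or the module's code: a check an HTTP/2 request handler could run on the already decoded header list before opening a tunnel. The names `h2_hdr`, `check_h2_connect` and `authority_port` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: hypothetical names, not the module's API. */
typedef struct { const char *name, *value; } h2_hdr;
enum { CONNECT_OK, CONNECT_MALFORMED, CONNECT_PORT_DENIED };

/* Mirrors "proxy_connect_allow 443 563;" from the configuration above. */
static const long allowed_ports[] = { 443, 563 };

/* Port from "host:port" or "[v6]:port"; -1 if missing or invalid. */
static long authority_port(const char *auth) {
    const char *colon = strrchr(auth, ':');
    char *end;
    long port;
    if (colon == NULL || colon == auth) return -1;
    if (auth[0] == '[' ? colon[-1] != ']'
                       : memchr(auth, ':', (size_t)(colon - auth)) != NULL)
        return -1;                       /* last colon is inside the host part */
    if (colon[1] < '0' || colon[1] > '9') return -1;   /* no sign, no blanks */
    port = strtol(colon + 1, &end, 10);
    return (*end == '\0' && port >= 1 && port <= 65535) ? port : -1;
}

/* RFC 7540 section 8.3: :method is CONNECT, :scheme and :path are omitted,
 * :authority carries host and port. Anything else is not a valid CONNECT. */
int check_h2_connect(const h2_hdr *h, size_t n) {
    const char *method = NULL, *authority = NULL;
    size_t i;
    long port;
    for (i = 0; i < n; i++) {
        if (strcmp(h[i].name, ":method") == 0) method = h[i].value;
        else if (strcmp(h[i].name, ":authority") == 0) authority = h[i].value;
        else if (strcmp(h[i].name, ":scheme") == 0 ||
                 strcmp(h[i].name, ":path") == 0) return CONNECT_MALFORMED;
    }
    if (!method || strcmp(method, "CONNECT") != 0 || !authority)
        return CONNECT_MALFORMED;
    if ((port = authority_port(authority)) < 0) return CONNECT_MALFORMED;
    for (i = 0; i < sizeof allowed_ports / sizeof *allowed_ports; i++)
        if (port == allowed_ports[i]) return CONNECT_OK;
    return CONNECT_PORT_DENIED;
}

int main(void) {
    /* Constructed sample: an h2 CONNECT request for github.com:443. */
    h2_hdr req[] = { {":method", "CONNECT"}, {":authority", "github.com:443"} };
    printf("verdict=%d\n", check_h2_connect(req, 2));
    return 0;
}
```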