[TODO] support HTTP2: make CONNECT tunnel work under H2 protocol #25

Open
chobits opened this issue Nov 25, 2017 · 4 comments · May be fixed by #278

Owner

chobits commented Nov 25, 2017

  1. For how to handle the CONNECT tunnel in the HTTP protocol, see http://httpwg.org/specs/rfc7540.html#CONNECT
  2. Some implementation discussion is in "Can it used as a https proxy to tunnel tcp?" #22 (comment)

At least three points we should pay attention to:

  1. This module only patches the HTTP status line parsing function for parsing the CONNECT method.
     The HTTP2 module has its own parsing function, which is not patched by this module.
  2. How to notify the client that this module has established the tunnel (maybe return 200 establish, not sure)?
  3. How to upgrade the client HTTP2 connection to a TCP stream tunnel (maybe upgrade one HTTP stream, not the whole connection, not sure)?

intika commented Jan 14, 2020

This would be great :)

@jamiepmullan

Hey @chobits - any updates on this?

Owner Author

chobits commented Feb 25, 2021

@jamiepmullan Currently not in plan. I hope that I can have free time to complete it, or someone can submit a pull request for this issue. Details are in the first comment.

Owner Author

chobits commented Mar 6, 2023

The preparatory work for development is logged here:

document/rfc (how connect method works in h2/h3)

CONNECT method in h3 protocol:

See section "4.4. The CONNECT Method" in https://datatracker.ietf.org/doc/rfc9114/

client testing

For curl, we can use the following command to test whether the CONNECT method works under the ssl/h2 protocol (--proxy-insecure makes curl ignore the CA check with our proxy server (localhost:8888)):

    curl https://github.com/ -sv -o/dev/null --proxy-insecure -x https://localhost:8888 --http2

with the nginx proxy_connect configuration as follows:

    server {
        listen 8888 ssl http2;
        ssl_certificate_key /opt/nginx/server.key;   # self-signed cert created by openssl command
        ssl_certificate     /opt/nginx/server.crt;
        ssl_session_cache shared:SSL:1m;

        error_log logs/err_8888.log debug;

        resolver 223.5.5.5 ipv6=off;

        proxy_connect;
        proxy_connect_allow 443 563;
        proxy_connect_connect_timeout 10s;
        proxy_connect_data_timeout 120s;

        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
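
The checks a proxy would apply to an HTTP/2 CONNECT request, following section 8.3 of the RFC 7540 link in the first comment and the `proxy_connect_allow 443 563;` setting in the configuration above. This is an added example, not code from this thread, nginx or the module; the function names, result codes and constructed sample authorities are assumptions, and it covers plain CONNECT only.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes; not names from nginx or the module. */
enum { H2C_MALFORMED = -1, H2C_PORT_DENIED = -2 };

/* Ports from the page's "proxy_connect_allow 443 563;" directive. */
static const int ALLOW[] = { 443, 563 };

/* Port from "host:port" or "[v6]:port"; 0 if missing or not 1..65535. */
static int authority_port(const char *a)
{
    const char *colon = strrchr(a, ':');
    char *end;
    long port;
    if (colon == NULL || colon == a || !isdigit((unsigned char) colon[1]))
        return 0;
    /* IPv6 literals must be bracketed, with "]" right before ":port". */
    if (a[0] == '[' ? colon[-1] != ']' : memchr(a, ':', colon - a) != NULL)
        return 0;
    port = strtol(colon + 1, &end, 10);
    return (*end == '\0' && port >= 1 && port <= 65535) ? (int) port : 0;
}

/* Validate the pseudo-headers of one HTTP/2 CONNECT request (NULL means
 * the header was absent). Returns the target port, or a negative code. */
int h2_connect_check(const char *method, const char *scheme,
                     const char *path, const char *authority)
{
    int port;
    size_t i;
    if (method == NULL || strcmp(method, "CONNECT") != 0)
        return H2C_MALFORMED;
    /* RFC 7540 8.3: :scheme and :path omitted, :authority mandatory. */
    if (scheme != NULL || path != NULL || authority == NULL)
        return H2C_MALFORMED;
    if ((port = authority_port(authority)) == 0)
        return H2C_MALFORMED;
    for (i = 0; i < sizeof(ALLOW) / sizeof(ALLOW[0]); i++)
        if (ALLOW[i] == port)
            return port;
    return H2C_PORT_DENIED;
}

int main(void)
{
    /* Constructed sample: the target used by the curl test above. */
    return h2_connect_check("CONNECT", NULL, NULL, "github.com:443") == 443 ? 0 : 1;
}
```

A request that passes these checks turns only its own stream into the tunnel; the rest of the HTTP/2 connection keeps carrying other streams.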

chobits linked a pull request Jul 8, 2023 that will close this issue