Support for Proxy-over-SSL #2348

Open
micw opened this issue Jul 3, 2022 · 6 comments
Labels: help wanted (We need contributions on this), type/enhancement (A general enhancement)


micw commented Jul 3, 2022

Motivation

I have a network which is reachable by a proxy only. The proxy itself is an apache2 configured as proxy. The proxy is exposed via https. The resources within the network are reachable by http.

This setting works easily with curl:

curl --proxy https://proxy:secret@my-rpoxy-server:443 http://10.200.6.245/
  • Proxy-Connection is established with SSL
  • connection from proxy to backend is established without SSL

Desired solution

This should also be possible with netty. I have seen some potentially related issues which are closed without obvious reason (#2178, #2165).

micw added the status/need-triage and type/enhancement labels on Jul 3, 2022
@violetagg
Member

@micw Is this issue related to the other one that you created #2349?

violetagg added the for/user-attention label and removed the status/need-triage label on Jul 4, 2022
Author

micw commented Jul 4, 2022

Only partially. #2349 is about the connection from proxy to the target system. This issue is about the connection between the client and the proxy.

Client <-A-> Proxy <-B-> Target

[A] can be HTTP, HTTPS, SOCKS (and potentially others). Currently HTTP and SOCKS are supported, HTTPS not. This is what #2348 is about.

[B] can be HTTP GET/POST/... and CONNECT. With "CONNECT", the proxy passes a raw TCP connection from the target to the client and does not care about the content. This is commonly used to proxy HTTPS connections but netty uses it for everything. This is what #2349 is about.

I was a bit surprised about the incomplete proxy support in netty. For my project I switched back to apache httpclient async which fully supports all the proxy semantics. Looking forward to seeing it in netty so that I can switch to Spring Flux/Webclient.

violetagg added the help wanted label and removed the for/user-attention label on Jul 4, 2022
violetagg added this to the General Backlog milestone on Jul 4, 2022
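
The two legs described above, written out at the wire level as an added example; it is not code from the issue's participants or from Netty/Reactor Netty. The class and method names are hypothetical, and the credentials and target address are the sample values from the curl command in the issue.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ProxyLegs {
    // Basic credentials for the proxy; they are only confidential if leg A is TLS.
    static String proxyAuth(String user, String pass) {
        String token = Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        return "Proxy-Authorization: Basic " + token + "\r\n";
    }

    // Leg B, forwarding: absolute-form request line; the proxy parses and relays the request.
    static String forwardRequest(URI target, String user, String pass) {
        int port = target.getPort();
        String host = target.getHost() + (port == -1 ? "" : ":" + port);
        return "GET " + target + " HTTP/1.1\r\n"
                + "Host: " + host + "\r\n"
                + proxyAuth(user, pass)
                + "Connection: close\r\n\r\n";
    }

    // Leg B, tunnelling: CONNECT asks the proxy for a raw TCP pipe to host:port.
    static String connectRequest(String host, int port, String user, String pass) {
        String authority = host + ":" + port;
        return "CONNECT " + authority + " HTTP/1.1\r\n"
                + "Host: " + authority + "\r\n"
                + proxyAuth(user, pass) + "\r\n";
    }

    // Leg A over TLS: default trust store plus hostname verification of the proxy certificate.
    static SSLSocket openTlsToProxy(String proxyHost, int proxyPort) throws IOException {
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(proxyHost, proxyPort);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // a raw SSLSocket does not check the name by default
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    public static void main(String[] args) {
        // Sample values from the issue's curl command; printing the two request forms needs no network.
        System.out.print(forwardRequest(URI.create("http://10.200.6.245/"), "proxy", "secret"));
        System.out.print(connectRequest("10.200.6.245", 80, "proxy", "secret"));
    }
}
```

Writing either request string to the socket returned by `openTlsToProxy` gives the combination from the curl command: TLS on leg A, plain HTTP on leg B.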

ashish-b-choudhary-db commented Jul 7, 2022

@micw you may instead use Jetty ReactiveStreams HttpClient with WebClient, it supports https proxy.

I was facing the same problem trying to set up an https proxy and use it with WebClient, netty not supporting it was almost a blocker for my use-case.

Sample code to get you started:

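import java.net.URI;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpProxy;
import org.eclipse.jetty.client.Origin.Address;
import org.eclipse.jetty.client.ProxyConfiguration;
import org.eclipse.jetty.client.api.AuthenticationStore;
import org.eclipse.jetty.client.util.BasicAuthentication;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.springframework.http.client.reactive.JettyClientHttpConnector;
import org.springframework.web.reactive.function.client.WebClient;

HttpClient httpClient = new HttpClient(new SslContextFactory.Client(true)); // trustAll=true: accepts any certificate; use new SslContextFactory.Client() to validate

// proxy: the second argument (true) makes the connection to the proxy itself use TLS
ProxyConfiguration proxyConfig = httpClient.getProxyConfiguration();
HttpProxy proxy = new HttpProxy(new Address("host",443), true);
proxyConfig.getProxies().add(proxy);

// auth: pre-populate Basic credentials sent to the proxy in Proxy-Authorization
AuthenticationStore auth = httpClient.getAuthenticationStore();
auth.addAuthenticationResult(new BasicAuthentication.BasicResult(URI.create("https://host:443"), HttpHeader.PROXY_AUTHORIZATION, "user", "pass"));

JettyClientHttpConnector jettyClientHttpConnector = new JettyClientHttpConnector(httpClient);
WebClient client = WebClient.builder().clientConnector(jettyClientHttpConnector).build();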

Would be good to have this supported in Netty soon.


sroui commented Jan 5, 2023

Hello @ashish-b-choudhary-db,

I have a proxy that does not support CONNECT. I am using Jetty as you've mentioned, but I did not find how to disable CONNECT tunneling.

Thank you.

@MarcinAman

@violetagg are there any plans to work on that? Do you see a work-around for people that are using netty?

@violetagg
Member

We are not working on this one. I marked this with help wanted if somebody wants to work on this. Ideally I see a feature implemented on the level of Netty and not Reactor Netty.
