Working with CONNECT tunnels

[fmonjalet]

Hi,

I am currently writing a toy HTTP proxy using hyper with tokio (current master). While plain HTTP proxying was easy to write, I am struggling with how to handle CONNECT tcp tunnels (typically used to proxy https without ssl interception).

How would you proceed to switch from the Http service to a raw tcp proxy service (such as the one demonstrated in tokio-socks5) on the same socket ?

Solving this issue would also be beneficial for switching protocols to websockets or cleartext http2.

Thank you in advance for any advice.

Florent

[seanmonstar]

This is something that Tokio needs to figure, since hyper is using Tokio internally. I've discussed the concept before with the Tokio devs, but apparently there wasn't a tracking issue, so I've filed tokio-rs/tokio-proto#138.

[fmonjalet]

Thank you! I'll think of a workaround in the meantime.

[marcb]

I'm also interested in CONNECT support. Looking to correlate TLS SNI with the domain name passed to CONNECT, to (dynamically) whitelist and also map the name to another for the resolution of the next hop.

Context an in-bound forward proxy for one platform to reach other platforms within an enterprise network across DMZs and fronted by reverse proxies.

Another protocol switch example is to support the proxy protocol (aka ELBs) stripping and insertion.

[sfackler]

I think this has been resolved by https://docs.rs/hyper/0.12.1/hyper/server/conn/struct.Connection.html#method.poll_without_shutdown, right?

[seanmonstar]

Yep, this can be done now with the server::conn module, and in the next release, could also be done thanks to #1563.